This is really not Red Hat's problem at all. The author(s) of mpg123 probably need to embed a fingerprint on all that's produced by mpg123 and make the info on how to find the fingerprints available to auditors. Then if stuff gets found in commercial domain with the fingerprints, maybe something can be done about the violations.