[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] [SECURITY] [DSA 435-1] New mpg123 packages fix heap overflow
- To: full-disclosure@lists.netsys.com
- Subject: Re: [Full-Disclosure] [SECURITY] [DSA 435-1] New mpg123 packages fix heap overflow
- From: "Gregory A. Gilliss" <ggilliss@netpublishing.com>
- Date: Fri, 6 Feb 2004 11:49:07 -0800
WHich is it - mpg123 or mpg321?
G
On or about 2004.02.06 10:14:39 +0000,
debian-security-announce@lists.debian.org
(debian-security-announce@lists.debian.org) said:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Package : mpg123
> Vulnerability : heap overflow
> Problem-Type : remote
> Debian-specific: no
> CVE Ids : CAN-2003-0865
>
> A vulnerability was discovered in mpg123, a command-line mp3 player,
> whereby a response from a remote HTTP server could overflow a buffer
> allocated on the heap, potentially permitting execution of arbitrary
> code with the privileges of the user invoking mpg123. In order for
> this vulnerability to be exploited, mpg321 would need to request an
> mp3 stream from a malicious remote server via HTTP.
<<SNIP>>
> -----END PGP SIGNATURE-----
--
Gregory A. Gilliss, CISSP E-mail: greg@gilliss.com
Computer Security WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html