Re: [Full-Disclosure] [SECURITY] [DSA 435-1] New mpg123 packages fix heap overflow
- To: full-disclosure@lists.netsys.com
- Subject: Re: [Full-Disclosure] [SECURITY] [DSA 435-1] New mpg123 packages fix heap overflow
- From: Spiro Trikaliotis <trik-news@gmx.de>
- Date: Sat, 7 Feb 2004 12:00:43 +0100
Hello,
* On Fri, Feb 06, 2004 at 11:49:07AM -0800 Gregory A. Gilliss wrote:
> On or about 2004.02.06 10:14:39 +0000,
> debian-security-announce@lists.debian.org
> (debian-security-announce@lists.debian.org) said:
>
> > A vulnerability was discovered in mpg123, a command-line mp3 player,
^^^^^^
> > whereby a response from a remote HTTP server could overflow a buffer
> > allocated on the heap, potentially permitting execution of arbitrary
> > code with the privileges of the user invoking mpg123. In order for
> > this vulnerability to be exploited, mpg321 would need to request an
^^^^^^
> > mp3 stream from a malicious remote server via HTTP.
> Which is it - mpg123 or mpg321?
Looking at the bug reports for both
mpg321: http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=mpg321
mpg123: http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=mpg123
it seems that it is really mpg123 that is affected:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=212584
- if I don't misunderstand the bug reports.
Anyway, the original advisory would have to be more precise on the
package name.
Spiro.