Message-ID: <20040207110043.GA26414@mail>
From: trik-news at gmx.de (Spiro Trikaliotis)
Subject: [SECURITY] [DSA 435-1] New mpg123 packages fix heap overflow

Hello,

* On Fri, Feb 06, 2004 at 11:49:07AM -0800 Gregory A. Gilliss wrote:

> On or about 2004.02.06 10:14:39 +0000,
> debian-security-announce@...ts.debian.org
> (debian-security-announce@...ts.debian.org) said:
> 
> > A vulnerability was discovered in mpg123, a command-line mp3 player,
                                      ^^^^^^
> > whereby a response from a remote HTTP server could overflow a buffer
> > allocated on the heap, potentially permitting execution of arbitrary
> > code with the privileges of the user invoking mpg123.  In order for
> > this vulnerability to be exploited, mpg321 would need to request an
                                        ^^^^^^
> > mp3 stream from a malicious remote server via HTTP.

> Which is it - mpg123 or mpg321?

Looking at the bug reports for both
mpg321: http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=mpg321
mpg123: http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=mpg123

it seems that it is really mpg123 that is affected:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=212584

- if I don't misunderstand the bug reports.

Anyway, the original advisory would have to be more precise on the
package name.

Spiro.

