Message-ID: <20040207110043.GA26414@mail>
From: trik-news at gmx.de (Spiro Trikaliotis)
Subject: [SECURITY] [DSA 435-1] New mpg123 packages fix heap overflow
Hello,
* On Fri, Feb 06, 2004 at 11:49:07AM -0800 Gregory A. Gilliss wrote:
> On or about 2004.02.06 10:14:39 +0000,
> debian-security-announce@...ts.debian.org
> (debian-security-announce@...ts.debian.org) said:
>
> > A vulnerability was discovered in mpg123, a command-line mp3 player,
^^^^^^
> > whereby a response from a remote HTTP server could overflow a buffer
> > allocated on the heap, potentially permitting execution of arbitrary
> > code with the privileges of the user invoking mpg123. In order for
> > this vulnerability to be exploited, mpg321 would need to request an
^^^^^^
> > mp3 stream from a malicious remote server via HTTP.
> Which is it - mpg123 or mpg321?
Looking at the bug reports for both
mpg321: http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=mpg321
mpg123: http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=mpg123
it seems that it is really mpg123 that is affected:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=212584
- if I don't misunderstand the bug reports.
Anyway, the original advisory would have to be more precise on the
package name.
Spiro.