lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20040207184539.GJ24474@alcor.net>
From: mdz at debian.org (Matt Zimmerman)
Subject: [SECURITY] [DSA 435-1] New mpg123 packages fix heap overflow

On Sat, Feb 07, 2004 at 12:00:43PM +0100, Spiro Trikaliotis wrote:

> * On Fri, Feb 06, 2004 at 11:49:07AM -0800 Gregory A. Gilliss wrote:
> 
> > On or about 2004.02.06 10:14:39 +0000,
> > debian-security-announce@...ts.debian.org
> > (debian-security-announce@...ts.debian.org) said:
> > 
> > > A vulnerability was discovered in mpg123, a command-line mp3 player,
>                                       ^^^^^^
> > > whereby a response from a remote HTTP server could overflow a buffer
> > > allocated on the heap, potentially permitting execution of arbitrary
> > > code with the privileges of the user invoking mpg123.  In order for
> > > this vulnerability to be exploited, mpg321 would need to request an
>                                         ^^^^^^
> > > mp3 stream from a malicious remote server via HTTP.
> 
> > WHich is it - mpg123 or mpg321?
> 
> Looking at the bug reports for both 
> mp321: http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=mpg321
> mp123: http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=mpg123
> 
> it seems that is is really mpg123 that is affected:
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=212584
> 
> - if I don't misunderstand the bug reports.
> 
> Anyway, the original advisory would have to be more precise on the
> package name.

As I thought was clear from the Subject, the Package heading, the names of
the updated packages, etc., the updated package is mpg123.  The one
occurrence of the string "mpg321" in the text of the advisory was a data
entry error.

-- 
 - mdz


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ