Napster, Inc. response to Colten Edwards
From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Thu, 30 Mar 2000 11:51:49 -0800
----- Forwarded message from Jordan Ritter <jpr5 () napster com> -----
Date: Wed, 29 Mar 2000 13:50:05 -0800
From: Jordan Ritter <jpr5 () napster com>
To: aleph1 () securityfocus com
Subject: Napster, Inc. response to Colten Edwards
Message-ID: <20000329135005.A17554 () napster com>
I'm waiting for listserv to come through on my napster.com
subscription to bugtraq, but it's lagging. Please push this
This email is in response to the recent post by Colten Edwards
regarding a potential buffer overflow in the Napster client.
The Napster Win32 client software does contain an overflow in its
messaging functionality, which includes public (chat) and private
(IM) messaging. The overflow only affects users of the Win32
Napster client, and could only be exploited through the use of a
rogue Napster client in conjunction with a Napster server.
Napster, Inc. reports NO indication that this vulnerability is
being exploited, and further would like to assure the general
public that the vulnerability is NOT an issue any longer.
Approximately one hour after receiving the post from BugTraq,
Napster's servers were patched to prevent this from occurring.
Users of the Napster Win32 client software are NOT vulnerable.
We would like to point out the unfortunate fact that we first
learned of this issue through BugTraq. The discovery of the
problem was apparently relayed briefly to the #napster channel on
EFnet IRC by Colten Edwards, before being posted to this list
approximately one hour later. Napster, Inc. was never notified of
this issue via phone, email, or across any other effective channel.
This situation is particularly disturbing to us, as Mr. Edwards'
malicious intent becomes painfully obvious from the tone and
candor of his post. To the best of our knowledge, the general
policy on BugTraq is that vendors should be notified of issues and
given a reasonable amount of time to address the problem, so as to
avoid unnecessary risk to the vendor's customers. A meaningful
notification from Mr. Edwards and a small amount of patience would
have resulted in a fix before the potential vulnerability put our
users at risk. Of course, understanding the time frame involved
and the intent of the post, we can only voice our dismay and
disapproval of Mr. Edwards' actions.
Thank you, and good day.
Napster -- Music at Internet Speed
----- End forwarded message -----