Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Napster, Inc. response to Colten Edwards
From: Dylan_G () BIGFOOT COM (Dylan Griffiths)
Date: Thu, 30 Mar 2000 18:48:40 -0600

Jordan Ritter <jpr5 () napster com> wrote:
    Approximately one hour after receiving the post from BugTraq,
    Napster's servers were patched to prevent this from occurring.
    Users of the Napster Win32 client software are NOT vulnerable.

As long as the client has a buffer overflow, it is vulnerable.  OpenNAP
servers ( http://opennap.sourceforge.net/ ), for example, are an unknown
because has checked to see if they do sanity checking on the messages they
pass for clients.  Any one using Win32 Napter on any non-Napster server is
potentially vulnerable.

Additionally, it could be possible for the other client to overflow another
part of the client.  Has the code been audited?  It doesn't seem it has
been, so this claim is unfounded.

Please audit your code, and then inform the public of a truly safe build.

    This situation is particularly disturbing to us, as Mr. Edwards'
    malicious intent becomes painfully obvious from the tone and
    candor of his post.  To the best of our knowledge, the general
    policy on BugTraq is that vendors should be notified of issues and
    given a reasonable amount of time to address the problem, so as to
    avoid unnecessary risk to the vendor's customers.  A meaningful

To the best of my knowledge, Elias Levy moderates into the list any mails
pertaining to a security issue in a product, such as an overflow in as
Napster, which is in fairly wide-spread usage.  There are no guarantees of
service for companies who want a "breather" period.  If you wish to stay
abreast of these security issues, subscribe to Bugtraq like everyone else.
I'd also suggest, as you work with the Win32 platform, that you subscribe to
NTBugtraq as well, as they tend to carry the more esoteric Win32 security

Hi! I'm a .signature virus! Copy me into your ~/.signature to help me

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]