Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: mpg321
From: Joe Drew <hoserhead () woot net>
Date: 12 Feb 2002 21:00:29 -0500

On Tue, 2002-02-12 at 18:05, -l0rt- wrote:
I know that there have been older similar bugs, here is a new one that I
could find nothing about in the lists.

Older similar bugs in mpg321? Why does nobody tell me about this?
 
mpg123 accepts url's and may be used by other suid binaries or services.
A buffer condition exists in mpg321 that could allow for
remote/unwarrented command execution by means of a specailly formatted
URL or other input. mpg321 is not setuid or setgid.

Other suid binaries should have no trouble, since mpg321 is a
stand-alone binary.

fact:
mpg123 cores when it is passed the following string:

mpg123 `perl -e'print "A" x 10000'`


This should not have been remotely exploitable, but I no longer trust
myself, given how wrong my code was proven with this. This bug is now
fixed in CVS.

-- 
Joe Drew <hoserhead () woot net> <drew () debian org>

Please encrypt email sent to me.


  By Date           By Thread  

Current thread:
  • Re: mpg321 Joe Drew (Feb 14)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault