Full Disclosure mailing list archives
Re: [SECURITY] [DSA 435-1] New mpg123 packages fix heap overflow
From: Spiro Trikaliotis <trik-news () gmx de>
Date: Sat, 7 Feb 2004 12:00:43 +0100
Hello, * On Fri, Feb 06, 2004 at 11:49:07AM -0800 Gregory A. Gilliss wrote:
On or about 2004.02.06 10:14:39 +0000, debian-security-announce () lists debian org (debian-security-announce () lists debian org) said:A vulnerability was discovered in mpg123, a command-line mp3 player,
^^^^^^
whereby a response from a remote HTTP server could overflow a buffer allocated on the heap, potentially permitting execution of arbitrary code with the privileges of the user invoking mpg123. In order for this vulnerability to be exploited, mpg321 would need to request an
^^^^^^
mp3 stream from a malicious remote server via HTTP.
WHich is it - mpg123 or mpg321?
Looking at the bug reports for both mp321: http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=mpg321 mp123: http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=mpg123 it seems that is is really mpg123 that is affected: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=212584 - if I don't misunderstand the bug reports. Anyway, the original advisory would have to be more precise on the package name. Spiro. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- [SECURITY] [DSA 435-1] New mpg123 packages fix heap overflow debian-security-announce (Feb 06)
- Re: [SECURITY] [DSA 435-1] New mpg123 packages fix heap overflow Gregory A. Gilliss (Feb 06)
- Re: [SECURITY] [DSA 435-1] New mpg123 packages fix heap overflow Spiro Trikaliotis (Feb 07)
- Re: [SECURITY] [DSA 435-1] New mpg123 packages fix heap overflow Matt Zimmerman (Feb 07)
- Re: [SECURITY] [DSA 435-1] New mpg123 packages fix heap overflow Spiro Trikaliotis (Feb 07)
- Re: [SECURITY] [DSA 435-1] New mpg123 packages fix heap overflow Gregory A. Gilliss (Feb 06)
