Re: [Full-Disclosure] [SECURITY] [DSA 435-1] New mpg123 packages fix heap overflow

From: Matt Zimmerman (mdz_at_debian.org)
Date: 02/07/04

    To: full-disclosure@lists.netsys.com
    Date: Sat, 7 Feb 2004 10:45:39 -0800
    
    

    On Sat, Feb 07, 2004 at 12:00:43PM +0100, Spiro Trikaliotis wrote:

    > * On Fri, Feb 06, 2004 at 11:49:07AM -0800 Gregory A. Gilliss wrote:
    >
    > > On or about 2004.02.06 10:14:39 +0000,
    > > debian-security-announce@lists.debian.org
    > > (debian-security-announce@lists.debian.org) said:
    > >
    > > > A vulnerability was discovered in mpg123, a command-line mp3 player,
    > ^^^^^^
    > > > whereby a response from a remote HTTP server could overflow a buffer
    > > > allocated on the heap, potentially permitting execution of arbitrary
    > > > code with the privileges of the user invoking mpg123. In order for
    > > > this vulnerability to be exploited, mpg321 would need to request an
    > ^^^^^^
    > > > mp3 stream from a malicious remote server via HTTP.
    >
    > > Which is it - mpg123 or mpg321?
    >
    > Looking at the bug reports for both
    > mpg321: http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=mpg321
    > mpg123: http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=mpg123
    >
    > it seems that it is really mpg123 that is affected:
    >
    > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=212584
    >
    > - if I don't misunderstand the bug reports.
    >
    > Anyway, the original advisory would have to be more precise on the
    > package name.

    As I thought was clear from the Subject, the Package heading, the names of
    the updated packages, etc., the updated package is mpg123. The one
    occurrence of the string "mpg321" in the text of the advisory was a data
    entry error.

    -- 
     - mdz
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    
