[24273] in bugtraq
Re: mpg321
daemon@ATHENA.MIT.EDU (Joe Drew)
Thu Feb 14 01:53:26 2002
From: Joe Drew <hoserhead@woot.net>
To: -l0rt- <simon@snosoft.com>
Cc: bugtraq@securityfocus.com
In-Reply-To: <20020212180242.C68000-100000@micron.snosoft.com>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Date: 12 Feb 2002 21:00:29 -0500
Message-Id: <1013565629.825.14.camel@pisces>
Mime-Version: 1.0

On Tue, 2002-02-12 at 18:05, -l0rt- wrote:
> I know that there have been older similar bugs, here is a new one that I
> could find nothing about in the lists.
Older similar bugs in mpg321? Why does nobody tell me about this?
> mpg123 accepts URLs and may be used by other suid binaries or services.
> A buffer condition exists in mpg321 that could allow for
> remote/unwarranted command execution by means of a specially formatted
> URL or other input. mpg321 is not setuid or setgid.
Other suid binaries should have no trouble, since mpg321 is a
stand-alone binary.
> fact:
> mpg123 cores when it is passed the following string:
>
> mpg123 `perl -e'print "A" x 10000'`
>
This should not have been remotely exploitable, but I no longer trust
myself, given how wrong my code was proven with this. This bug is now
fixed in CVS.
--
Joe Drew <hoserhead@woot.net> <drew@debian.org>
Please encrypt email sent to me.