[37532] in bugtraq
RE: Winamp - Buffer Overflow In IN_CDDA.dll [Unpatched]
daemon@ATHENA.MIT.EDU (alex cottle)
Fri Nov 26 13:15:14 2004
Message-ID: <BAY101-F277D543B4547323CCB31D8A9BA0@phx.gbl>
From: "alex cottle" <eddie5659@hotmail.com>
To: brett.moore@security-assessment.com, bugtraq@securityfocus.com
Date: Fri, 26 Nov 2004 10:49:40 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Dear Brett

I've noticed that you say this is for version 5.05. Just looked at Winamp's
site, and they have a 5.06 version out. Is this one vulnerable as well?

Kind Regards
Alex Cottle

>From: "Brett Moore" <brett.moore@security-assessment.com>
>Reply-To: <brett.moore@security-assessment.com>
>To: "Bugtraq@Securityfocus. Com" <bugtraq@securityfocus.com>
>Subject: Winamp - Buffer Overflow In IN_CDDA.dll [Unpatched]
>Date: Wed, 24 Nov 2004 16:05:46 +1300
>
>========================================================================
>= Winamp - Buffer Overflow In IN_CDDA.dll
>=
>= Affected Software:
>= Winamp 5.05, 5.06
>=
>= Public disclosure on November 24, 2004
>========================================================================
>
>== Overview ==
>
>Hate to be the bearer of bad news.
>
>It appears that the 'patched' version 5.05 does NOT fix the buffer overflow
>issue that we notified Nullsoft about. This is obviously not good.
>
>As we wrote in our advisory we were notified by email that the issue had
>been fixed and an update posted to the website.
>
>We have sent Nullsoft a copy of this email, and hope that they can remedy
>this problem quickly. Unfortunately, this may not be the case as was
>pointed out to me by somebody.
>
>== Solutions ==
>
>- Disassociate .cda and .m3u extensions from winamp
>- Wait for an update
>
>Brett Moore
>Network Intrusion Specialist, CTO
>Security-Assessment.com
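
Added example, not part of the original thread or of the advisory: a read-only PowerShell audit of which program is registered to open the two extensions named in the workaround. It assumes the Winamp handler can be recognised by the string "winamp" in its registered command line; the function and variable names are illustrative.

```powershell
# Added example (not from the advisory): read-only audit of the handlers
# registered for the extensions named in the workaround. Nothing is modified.
$Extensions = '.cda', '.m3u'   # extensions listed in the advisory
$Needle     = 'winamp'         # assumption: the handler command line names winamp

# Read one registry value; an empty name means the key's default value.
function Get-RegValue([string]$Path, [string]$Name = '') {
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name) }
}

function Get-ExtensionHandlers([string]$Ext) {
    # A per-user choice (Windows Vista and later) overrides the machine-wide mapping.
    $userChoice = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\' +
                  "CurrentVersion\Explorer\FileExts\$Ext\UserChoice"
    $progId = Get-RegValue $userChoice 'ProgId'
    if (-not $progId) { $progId = Get-RegValue "Registry::HKEY_CLASSES_ROOT\$Ext" }
    if (-not $progId) {
        # No association at all: the state the workaround aims for.
        return [pscustomobject]@{ Extension = $Ext; ProgId = $null; Verb = $null
                                  Command = $null; Flagged = $false }
    }
    # Inspect every shell verb, not only "open": a player may register several.
    $shell = "Registry::HKEY_CLASSES_ROOT\$progId\shell"
    $verbs = Get-ChildItem -LiteralPath $shell -ErrorAction SilentlyContinue
    foreach ($verb in $verbs) {
        $cmd = Get-RegValue "$shell\$($verb.PSChildName)\command"
        [pscustomobject]@{
            Extension = $Ext
            ProgId    = $progId
            Verb      = $verb.PSChildName
            Command   = $cmd
            Flagged   = ($cmd -like "*$Needle*")   # -like is case-insensitive
        }
    }
}

$report = $Extensions | ForEach-Object { Get-ExtensionHandlers $_ }
$report | Format-Table -AutoSize -Wrap

if ($report | Where-Object Flagged) {
    Write-Warning 'At least one advisory extension is still handled by Winamp.'
}
```

A row with Flagged set to True means the workaround has not been applied for that extension and verb on this machine and user profile.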