OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 4th quarter (Oct-Dec) 1996: XMCD v2.1 released (was: Security Problems in XMCD)

XMCD v2.1 released (was: Security Problems in XMCD)

Xmcd Admin (xmcdbazooka.amb.org)
Mon, 25 Nov 1996 23:08:30 -0800

This is to announce that XMCD 2.1 patchlevel 0 has been released
which fixes all of the issues previously raised by David Meltzer.
It also contains a number of other minor feature and functionality
enhancements.  The new version may be obtained via the xmcd web page at:

        http://sunsite.unc.edu/~cddb/xmcd/

Users of xmcd with older versions are encouraged to upgrade.

-Ti
--
\\ // XMCD - Motif CD player / CDA - Command line CD player
 \\/  Ti Kan / AMB Research Laboratories
 //\  E-mail: xmcdamb.org
// \\ URL:    http://sunsite.unc.edu/~cddb/xmcd/

David J. Meltzer <davemiss.net> wrote:
>    There are security holes in XMCD 2.0pl2 (and presumably all previous
> versions), a popular audio cd player for numerous unix platforms, which
> allow a user defined environment variable to overflow a fixed size buffer
> resulting in a complete compromise of system security on machines with XMCD
> installed suid root.
> [ ... description deleted ]