|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[Full-Disclosure] [ GLSA 200501-14 ] mpg123: Buffer overflow
From: Dan Margolis (krispykringle
gentoo.org)
Date: Mon Jan 10 2005 - 18:08:37 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Linux Security Advisory GLSA 200501-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: mpg123: Buffer overflow
Date: January 10, 2005
Bugs: #76862
ID: 200501-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
An attacker may be able to execute arbitrary code by way of specially
crafted MP2 or MP3 files.
Background
==========
mpg123 is a real-time MPEG audio player.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-sound/mpg123 < 0.59s-r9 >= 0.59s-r9
Description
===========
mpg123 improperly parses frame headers in input streams.
Impact
======
By inducing a user to play a malicious file, an attacker may be able to
exploit a buffer overflow to execute arbitrary code with the
permissions of the user running mpg123.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All mpg123 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-sound/mpg123-0.59s-r9"
References
==========
[ 1 ] CAN-2004-0991
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0991
[ 2 ] Bugtraq Announcement
http://www.securityfocus.com/archive/1/374433
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200501-14.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
securitygentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
iQEVAwUBQeMZBbDO2aFJ9pv2AQJ98AgAsYYQ5ROYgk8Mc/Wn7MaVuGPlW0oROjgp
5XNTMxNtwXrxNVtDka2F7z1AxbL+nY1XOKEOamdWsHW/2nO1YW44bFev4nWr8yit
NTTO6lX/QmpgXZRTQ53sUiI8Hv/o+9RWFBIgNVOlN3TZ1+QDL4647rvo+cN6ue03
isWdfN5/+jo6eOlD4xSGYxR92jLM9MaljwIOYdkF8dwPtO/h0Kalh3raZm7b9zFi
wNZ8dpIyw45BwBv+3VHx5qNf48l8LkdjoOx7VqVZLM5JKRxus2Ce1gTzliwI6eMF
MXjUYkHqBxheFd79Jur+wv5dEvEobjUaqcJG+RhcNm/NdtPPfk31rA==
=Wd1Z
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]