Re: mpg321

[Joe Drew <hoserhead () woot net>]

On Tue, 2002-02-12 at 18:05, -l0rt- wrote:
> I know that there have been older similar bugs, here is a new one that I
> could find nothing about in the lists.

Older similar bugs in mpg321? Why does nobody tell me about this?
 
> mpg123 accepts url's and may be used by other suid binaries or services.
> A buffer condition exists in mpg321 that could allow for
> remote/unwarrented command execution by means of a specailly formatted
> URL or other input. mpg321 is not setuid or setgid.

Other suid binaries should have no trouble, since mpg321 is a
stand-alone binary.

> fact:
> mpg123 cores when it is passed the following string:
>
> mpg123 `perl -e'print "A" x 10000'`

This should not have been remotely exploitable, but I no longer trust
myself, given how wrong my code was proven with this. This bug is now
fixed in CVS.

-- 
Joe Drew <hoserhead () woot net> <drew () debian org>

Please encrypt email sent to me.