OSVDB ID: 3331

Title: mpg321 Remotely Exploitable

Info

Dates

Disclosure: Jan 06, 2004

Discovery: Unknown

Exploit: Unknown

Solution: Unknown

Description

A remote overflow exists in mpg321. The package fails to validate some strings within an MP3 file, resulting in a printf() overflow. With a specially crafted MP3 file, an attacker can cause execution of arbitrary code, resulting in a loss of integrity and/or availability.

Classification

Location: Remote / Network Access

Solution

For the current stable Debian distribution (woody), upgrade to mpg321 version 0.2.10.2. For the unstable distribution (sid), upgrade to mpg321 version 0.2.10.3. An upgrade is required as there are no known workarounds.

Products

Debian

mpg321

0.2.10

References

Credit

Unknown or Incomplete



Direct URL: http://osvdb.org/3331