[linux-audio-user] mpg321 insecure?
Stefano Cavallari
stefano at cavallari.cjb.net
Sat Dec 6 18:45:53 EST 2003
Juhana Sadeharju wrote:
> Hello. I got the following when I used mpg321 (/usr/bin/mpg123) on
> the file "www.modular2003.com/sounds/DirectHammond.mp3":
>
> Title : Lazy (excerpt) Artist: Deep Purple
> Album : Year : 2001
> Comment: 100No such file or directoryade with Csoun softsynth
> Genre : Hard Rock
>
> What is that "100No such file or directory"??!! The end of the mp3 file
> looks like the following:
> TAGLazy (excerpt)
> Deep Purple
> 2001100% made with Csoun softsynthO
>
> What can that feature be used for?
Maybe to execute arbitrary code every time you play a specially crafted
mp3 file :-/
> Are my own files in danger?
Yes, in theory... but I doubt anyone ever exploited this.
>
> mpg123 gives the following version numbers:
> mpg321 version 0.2.9. Copyright (C) 2001, 2002 Joe Drew.
> Version 0.59q (2002/03/23). Written and copyrights by Joe Drew.
>
> Regards,
> Juhana
It seems the string is passed to printf without being checked first.
I sent this to the mpg321 author, too... AFAIK it's a common security bug,
and easy to fix.
--
Stefano Cavallari <stefano at cavallari.cjb.net>
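An added example, not part of the original message and not mpg321's code: printing an ID3v1 comment field as data rather than as a printf format, using the tag values quoted above as a constructed sample. The function names are hypothetical; the garbled output in the thread is consistent with glibc reading the comment's "% m" as its `%m` conversion (the current errno message).

```c
#include <stdio.h>
#include <string.h>

#define ID3V1_LEN   128  /* ID3v1 tag: last 128 bytes of the file, begins with "TAG" */
#define FIELD_LEN   30   /* title, artist, album and comment are 30 bytes each */
#define COMMENT_OFF 97   /* 3 ("TAG") + 30 + 30 + 30 + 4 (year) */

/* Copy a fixed-width field into a NUL-terminated buffer and trim padding.
 * A full 30-byte field has no terminator in the file, so it must not be
 * used as a C string in place. */
static void id3v1_field(const unsigned char *tag, size_t off, char out[FIELD_LEN + 1])
{
    memcpy(out, tag + off, FIELD_LEN);
    out[FIELD_LEN] = '\0';
    for (int i = FIELD_LEN - 1; i >= 0 && (out[i] == ' ' || out[i] == '\0'); i--)
        out[i] = '\0';
}

/* Format the "Comment:" line. Returns the snprintf length, or -1 if no tag. */
int format_comment(const unsigned char *tag, char *dst, size_t dstlen)
{
    char comment[FIELD_LEN + 1];
    if (memcmp(tag, "TAG", 3) != 0)
        return -1;
    id3v1_field(tag, COMMENT_OFF, comment);
    /* Unsafe pattern described in the thread: snprintf(dst, dstlen, comment);
     * file data becomes the format string, so "% m" is parsed as a conversion. */
    return snprintf(dst, dstlen, "Comment: %s", comment); /* file data is an argument */
}

/* Constructed sample tag built from the field values shown in the thread. */
void build_sample_tag(unsigned char tag[ID3V1_LEN])
{
    memset(tag, 0, ID3V1_LEN);
    memcpy(tag, "TAG", 3);
    memcpy(tag + 3, "Lazy (excerpt)", 14);
    memcpy(tag + 33, "Deep Purple", 11);
    memcpy(tag + 93, "2001", 4);
    memcpy(tag + COMMENT_OFF, "100% made with Csoun softsynth", FIELD_LEN);
    tag[127] = 'O'; /* genre byte, shown as 'O' in the dump */
}

int main(void)
{
    unsigned char tag[ID3V1_LEN];
    char line[64];
    build_sample_tag(tag);
    if (format_comment(tag, line, sizeof line) >= 0)
        puts(line);
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC flag calls where a non-literal string is passed as the format with no arguments.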