[linux-audio-user] mpg321 insecure?

Stefano Cavallari stefano at cavallari.cjb.net
Sat Dec 6 18:45:53 EST 2003


Juhana Sadeharju wrote:
> Hello. I got the following when I used mpg321 (/usr/bin/mpg123) on
> file "www.modular2003.com/sounds/DirectHammond.mp3":
> 
>   Title  : Lazy (excerpt)                  Artist: Deep Purple
>   Album  :                                 Year  : 2001
>   Comment: 100No such file or directoryade with Csoun softsynth
>   Genre : Hard Rock
> 
> What is that "100No such file or directory"??!! The end of the mp3 file
> looks like the following:
>   TAGLazy (excerpt)
>   Deep Purple
>   2001100% made with Csoun softsynthO
> 
> What can that feature be used for?
Maybe to execute arbitrary code every time you play a specially crafted
mp3 file :-/
> Are my own files in danger?
Yes, in theory... but I doubt anyone ever exploited this. 
> 
> mpg123 gives the following version numbers:
> mpg321 version 0.2.9. Copyright (C) 2001, 2002 Joe Drew.
> Version 0.59q (2002/03/23). Written and copyrights by Joe Drew.
> 
> Regards,
> Juhana
It seems the string is passed to printf without being checked first.

I sent this to the mpg321 author, too... AFAIK it's a common security bug,
and easy to fix.





-- 
Stefano Cavallari <stefano at cavallari.cjb.net>
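
Added example, not part of the original post and not mpg321's code: the comment in the quoted tag fills all 30 bytes of its ID3v1 field, and with glibc the "% m" in "100% made" parses as the %m conversion, which prints strerror(errno) and so accounts for the "No such file or directory" in the output. The sketch below prints the field as data through a constant, width-bounded format and counts conversions a field would trigger if misused as a format string. The function names are hypothetical and the standard 128-byte ID3v1 layout is assumed.

```c
#include <stdio.h>
#include <string.h>
/* ID3v1 tag: the last 128 bytes of the file. Fields are fixed width and are
 * not NUL-terminated when the text fills the whole field. */
struct id3v1 {
    char magic[3], title[30], artist[30], album[30], year[4], comment[30];
    unsigned char genre;
};

/* Hardened form: tag bytes are an argument to a constant format, bounded by
 * the field width. The pattern the thread describes is printf(t.comment). */
int render_comment(const unsigned char *raw, size_t len, char *out, size_t outsz)
{
    struct id3v1 t;
    if (len != sizeof t) return -1;
    memcpy(&t, raw, sizeof t);
    if (memcmp(t.magic, "TAG", 3) != 0) return -1;
    return snprintf(out, outsz, "%.*s", (int)sizeof t.comment, t.comment);
}

/* Count '%' bytes that would start a conversion if the field were misused as
 * a format string; "%%" is a literal percent and is skipped. */
int count_conversions(const char *f, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (f[i] != '%') continue;
        if (i + 1 < n && f[i + 1] == '%') i++;
        else hits++;
    }
    return hits;
}

/* Constructed sample tag carrying the comment value quoted in the post. */
const char *demo_render(void)
{
    static char out[64];
    struct id3v1 t;
    memset(&t, ' ', sizeof t);
    memcpy(t.magic, "TAG", 3);
    memcpy(t.comment, "100% made with Csoun softsynth", 30); /* fills all 30 bytes */
    return render_comment((const unsigned char *)&t, sizeof t, out, sizeof out) == 30 ? out : NULL;
}

int main(void)
{
    const char *c = demo_render();
    return puts(c ? c : "bad tag") < 0;
}
```

Building with -Wformat-security (or -Wformat=2) makes gcc and clang warn on a printf call whose format argument is not a string literal.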