Re: [linux-audio-user] mpg321 insecure?


Subject: Re: [linux-audio-user] mpg321 insecure?
From: Stefano Cavallari (stefano_AT_cavallari.cjb.net)
Date: Sun Dec 07 2003 - 01:45:53 EET


Juhana Sadeharju wrote:
> Hello. I got the following when I used mpg321 (/usr/bin/mpg123) on
> file "www.modular2003.com/sounds/DirectHammond.mp3":
>
> Title : Lazy (excerpt) Artist: Deep Purple
> Album : Year : 2001
> Comment: 100No such file or directoryade with Csoun softsynth
> Genre : Hard Rock
>
> What is that "100No such file or directory"??!! The end of the mp3 file
> looks like the following:
> TAGLazy (excerpt)
> Deep Purple
> 2001100% made with Csoun softsynthO
>
> What can that feature be used for?
Maybe to execute arbitrary code every time you play a specially crafted
mp3 file :-/
> Are my own files in danger?
Yes, in theory... but I doubt anyone ever exploited this.
>
> mpg123 gives the following version numbers:
> mpg321 version 0.2.9. Copyright (C) 2001, 2002 Joe Drew.
> Version 0.59q (2002/03/23). Written and copyrights by Joe Drew.
>
> Regards,
> Juhana
It seems the string is passed to printf without being checked first.

I sent this to the mpg321 author, too... AFAIK it's a common security bug,
and easy to fix.

-- 
Stefano Cavallari <stefano_AT_cavallari.cjb.net>
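
The fix suggested in the message above, as an added example that is not part of the original post and is not mpg321's own code: the tag text is passed to printf-family functions only as an argument, never as the format string. In glibc, `%m` is an extension that prints `strerror(errno)`, so a `% m` sequence in the comment field is consistent with the "No such file or directory" text in the quoted output. The function names and the sample tag (built from the fields quoted in the message) are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* ID3v1: "TAG" title[30] artist[30] album[30] year[4] comment[30] genre[1] */
#define ID3V1_LEN   128
#define COMMENT_OFF 97
#define FIELD_LEN   30

/* Copy a fixed-width field (space padded, NOT NUL-terminated) and trim padding. */
static void id3v1_field(const unsigned char *tag, size_t off, size_t len, char *out)
{
    memcpy(out, tag + off, len);
    out[len] = '\0';
    for (size_t i = strlen(out); i > 0 && out[i - 1] == ' '; i--)
        out[i - 1] = '\0';
}

/* Hardened rendering: file-controlled text is data, the format is a literal. */
int render_comment(const unsigned char *tag, char *dst, size_t dstlen)
{
    char comment[FIELD_LEN + 1];
    if (memcmp(tag, "TAG", 3) != 0)
        return -1;                       /* no ID3v1 tag present */
    id3v1_field(tag, COMMENT_OFF, FIELD_LEN, comment);
    /* Unsafe pattern the message describes: printf(comment);
       any '%' sequence in the file would then be interpreted by printf. */
    return snprintf(dst, dstlen, "Comment: %s", comment);
}

/* Constructed sample tag mirroring the fields quoted in the message. */
void build_sample_tag(unsigned char tag[ID3V1_LEN])
{
    memset(tag, ' ', ID3V1_LEN);
    memcpy(tag, "TAG", 3);
    memcpy(tag + 3, "Lazy (excerpt)", 14);
    memcpy(tag + 33, "Deep Purple", 11);
    memcpy(tag + 93, "2001", 4);
    memcpy(tag + COMMENT_OFF, "100% made with Csoun softsynth", FIELD_LEN);
    tag[127] = 'O';                      /* genre byte 79 */
}

int main(void)
{
    unsigned char tag[ID3V1_LEN];
    char line[64];
    build_sample_tag(tag);
    if (render_comment(tag, line, sizeof line) > 0)
        puts(line);
    return 0;
}
```

Building with `-Wformat -Wformat-security` (GCC/Clang) flags calls where a non-literal string is used as the format with no arguments.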




This archive was generated by hypermail 2b28 : Sun Dec 07 2003 - 01:47:37 EET