BugTraq
Re: Local/remote mpg123 exploit Jan 15 2003 08:16AM
Benjamin Tober (btober0 hotmail com) (2 replies)
In-Reply-To: <200301131823.h0DINJbE014752 (at) mailserver3.hushmail (dot) com [email concealed]>

I'm not going to address the veracity of the narrative text of this posting; however, the exploit is real. I believe that the patch to mpg123 given below closes this particular hole. I have no affiliation with the authors of mpg123 and haven't contacted them, but am providing this patch now because an exploit is publicly available.

I can, if necessary, provide further explanation of the exploit and the rationale behind the patch but will not do so at this late hour. This patch is with respect to mpg123-pre0.59s and is to the file common.c:

--- common.c.orig Wed Jan 15 02:16:08 2003

+++ common.c Wed Jan 15 02:18:52 2003

@@ -579,6 +579,11 @@

fprintf(stderr,"Sorry, unknown layer

type.\n");

return (0);

}

+ if (fr->framesize>MAX_INPUT_FRAMESIZE) {

+ fprintf(stderr,"Frame size too big.\n");

+ fr->framesize = MAX_INPUT_FRAMESIZE;

+ return 0;

+ }

if(!fr->bitrate_index) {

/* fprintf(stderr,"Warning, Free format not

heavily tested: (head %08lx)\n",newhead); */
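
Review bot: In the added block, `fr->framesize = MAX_INPUT_FRAMESIZE;` is followed at once by `return 0;`, so the hunk both clamps and rejects; pick one behaviour and state it in a comment. If callers can go on using `fr` after a 0 return, the clamp is the real protection and should be documented as such; if they cannot, the assignment is dead and can be dropped. The test also sits before the `if(!fr->bitrate_index)` free-format branch and bounds only the upper side, so if that branch later changes `framesize`, or if the field is signed and can come out below zero, a further check is needed there.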

Sincerely,

Benjamin Tober

Re: Local/remote mpg123 exploit Jan 18 2003 06:06PM
Gabucino (gabucino mplayerhq hu)
Re[2]: Local/remote mpg123 exploit Jan 16 2003 08:43AM
3APA3A (3APA3A SECURITY NNOV RU)
