Login
Newsletter
Werbung

Sicherheit: Pufferüberläufe in mpg123
Aktuelle Meldungen Distributionen
Name: Pufferüberläufe in mpg123
ID: CSSA-2004-002.0
Distribution: SCO OpenLinux
Plattformen: SCO OpenLinux 3.1.1 Server, SCO OpenLinux 3.1.1 Workstation
Datum: Fr, 20. Februar 2004, 12:00
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0865
Applikationen: mpg123

Originalnachricht

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

SCO Security Advisory

Subject: OpenLinux: mpg123 remote denial of service and heap-based buffer
overflow
Advisory number: CSSA-2004-002.0
Issue date: 2004 February 19
Cross reference: sr882700 fz528149 erg712383 CAN-2003-0577 CAN-2003-0865
______________________________________________________________________________


1. Problem Description

mpg123 0.59r allows remote attackers to cause a denial of
service and possibly execute arbitrary code via an MP3 file
with a zero bitrate, which creates a negative frame size.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2003-0577 to this issue.

Heap-based buffer overflow in readstring of httpget.c for mpg123
0.59r and 0.59s allows remote attackers to execute arbitrary code
via a long request.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2003-0865 to this issue.


2. Vulnerable Supported Versions

System Package
----------------------------------------------------------------------
OpenLinux 3.1.1 Server prior to mpg123-0.59r-7MR.i386.rpm
OpenLinux 3.1.1 Workstation prior to mpg123-0.59r-7MR.i386.rpm


3. Solution

The proper solution is to install the latest packages. Many
customers find it easier to use the Caldera System Updater, called
cupdate (or kcupdate under the KDE environment), to update these
packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

4.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-002.0/RPMS

4.2 Packages

cb8a81f231da3c943dfaa366df68045a mpg123-0.59r-7MR.i386.rpm

4.3 Installation

rpm -Fvh mpg123-0.59r-7MR.i386.rpm

4.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-002.0/SRPMS

4.5 Source Packages

810ef880b6ad68ea7aea631241552dad mpg123-0.59r-7MR.src.rpm


5. OpenLinux 3.1.1 Workstation

5.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-002.0/RPMS

5.2 Packages

13165b654404e73fe934cc13347c81b3 mpg123-0.59r-7MR.i386.rpm

5.3 Installation

rpm -Fvh mpg123-0.59r-7MR.i386.rpm

5.4 Source Package Location

SRPMS

5.5 Source Packages

98203970951e6c87d715170324a8ca2c mpg123-0.59r-7MR.src.rpm


6. References

Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0577
http://www.securityfocus.com/archive/1/306903
http://www.securityfocus.com/bid/6629
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0865
http://www.securityfocus.com/archive/1/338641
http://marc.theaimsgroup.com/?l=bugtraq&m=106493686331198&w=2
http://www.securityfocus.com/bid/8680

SCO security resources:
http://www.sco.com/support/security/index.html

This security fix closes SCO incidents sr882700 fz528149
erg712383.


7. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended
to promote secure installation and use of SCO products.


8. Acknowledgements

SCO would like to thank 3APA3A and Vade79.
______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (SCO/UNIX_SVR5)

iD8DBQFANR6BbluZssSXDTERAkUSAKD5UpVu/XHZCLZAusCskfOW8Kc+WwCeOHzc
EdlXB2iI6iZBGoW2jFnhUFs=
=ftql
-----END PGP SIGNATURE-----
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung