drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Pufferüberläufe in mpg123
Name: |
Pufferüberläufe in mpg123
|
|
ID: |
CSSA-2004-002.0 |
|
Distribution: |
SCO OpenLinux |
|
Plattformen: |
SCO OpenLinux 3.1.1 Server, SCO OpenLinux 3.1.1 Workstation |
|
Datum: |
Fr, 20. Februar 2004, 12:00 |
|
Referenzen: |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0865 |
|
Applikationen: |
mpg123 |
|
Originalnachricht |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
______________________________________________________________________________
SCO Security Advisory
Subject: OpenLinux: mpg123 remote denial of service and heap-based buffer overflow Advisory number: CSSA-2004-002.0 Issue date: 2004 February 19 Cross reference: sr882700 fz528149 erg712383 CAN-2003-0577 CAN-2003-0865 ______________________________________________________________________________
1. Problem Description
mpg123 0.59r allows remote attackers to cause a denial of service and possibly execute arbitrary code via an MP3 file with a zero bitrate, which creates a negative frame size.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0577 to this issue.
Heap-based buffer overflow in readstring of httpget.c for mpg123 0.59r and 0.59s allows remote attackers to execute arbitrary code via a long request.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0865 to this issue.
2. Vulnerable Supported Versions
System Package ---------------------------------------------------------------------- OpenLinux 3.1.1 Server prior to mpg123-0.59r-7MR.i386.rpm OpenLinux 3.1.1 Workstation prior to mpg123-0.59r-7MR.i386.rpm
3. Solution
The proper solution is to install the latest packages. Many customers find it easier to use the Caldera System Updater, called cupdate (or kcupdate under the KDE environment), to update these packages rather than downloading and installing them by hand.
4. OpenLinux 3.1.1 Server
4.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-002.0/RPMS
4.2 Packages
cb8a81f231da3c943dfaa366df68045a mpg123-0.59r-7MR.i386.rpm
4.3 Installation
rpm -Fvh mpg123-0.59r-7MR.i386.rpm
4.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2004-002.0/SRPMS
4.5 Source Packages
810ef880b6ad68ea7aea631241552dad mpg123-0.59r-7MR.src.rpm
5. OpenLinux 3.1.1 Workstation
5.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2004-002.0/RPMS
5.2 Packages
13165b654404e73fe934cc13347c81b3 mpg123-0.59r-7MR.i386.rpm
5.3 Installation
rpm -Fvh mpg123-0.59r-7MR.i386.rpm
5.4 Source Package Location
SRPMS
5.5 Source Packages
98203970951e6c87d715170324a8ca2c mpg123-0.59r-7MR.src.rpm
6. References
Specific references for this advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0577 http://www.securityfocus.com/archive/1/306903 http://www.securityfocus.com/bid/6629 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0865 http://www.securityfocus.com/archive/1/338641 http://marc.theaimsgroup.com/?l=bugtraq&m=106493686331198&w=2 http://www.securityfocus.com/bid/8680
SCO security resources: http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr882700 fz528149 erg712383.
7. Disclaimer
SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products.
8. Acknowledgements
SCO would like to thank 3APA3A and Vade79. ______________________________________________________________________________
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (SCO/UNIX_SVR5)
iD8DBQFANR6BbluZssSXDTERAkUSAKD5UpVu/XHZCLZAusCskfOW8Kc+WwCeOHzc EdlXB2iI6iZBGoW2jFnhUFs= =ftql -----END PGP SIGNATURE-----
|
|
|
|