Debian: mpg321 Malformed format string vulnerability

    Date: 06 Jan 2004
    Category: Debian
    Posted By: LinuxSecurity Advisories
    A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code.
    
    --------------------------------------------------------------------------
    Debian Security Advisory DSA 411-1
    http://www.debian.org/security/                             Matt Zimmerman
    January 5th, 2004                        http://www.debian.org/security/faq
    --------------------------------------------------------------------------
    
    Package        : mpg321
    Vulnerability  : format string
    Problem-Type   : remote
    Debian-specific: no
    CVE Ids        : CAN-2003-0969
    
    A vulnerability was discovered in mpg321, a command-line mp3 player,
    whereby user-supplied strings were passed to printf(3) unsafely.  This
    vulnerability could be exploited by a remote attacker to overwrite
    memory, and possibly execute arbitrary code.  In order for this
    vulnerability to be exploited, mpg321 would need to play a malicious
    mp3 file (including via HTTP streaming).
    
    For the current stable distribution (woody) this problem has been
    fixed in version 0.2.10.2.
    
    For the unstable distribution (sid) this problem has been fixed in
    version 0.2.10.3.
    
    We recommend that you update your mpg321 package.
    
    Upgrade Instructions
    --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    Debian GNU/Linux 3.0 alias woody
    --------------------------------
    
      Source archives:
    
         http://security.debian.org/pool/updates/main/m/mpg321/mpg321_0.2.10.2.dsc
          Size/MD5 checksum:      550 0e042888db6da3811c034b528127b73d
         http://security.debian.org/pool/updates/main/m/mpg321/mpg321_0.2.10.2.tar.gz
          Size/MD5 checksum:   113935 201849972c6465da61f279c2225377f7
    
      Alpha architecture:
    
         http://security.debian.org/pool/updates/main/m/mpg321/mpg321_0.2.10.2_alpha.deb
          Size/MD5 checksum:    39008 93a81b94171bd2c5a7c3cef85f110205
    
      ARM architecture:
    
         http://security.debian.org/pool/updates/main/m/mpg321/mpg321_0.2.10.2_arm.deb
          Size/MD5 checksum:    35074 d1b94bcd86f68e66ad7e6c2e008560e0
    
      Intel IA-32 architecture:
    
         http://security.debian.org/pool/updates/main/m/mpg321/mpg321_0.2.10.2_i386.deb
          Size/MD5 checksum:    34118 a798d7036f087d79bf3b4702dccc8e63
    
      Intel IA-64 architecture:
    
         http://security.debian.org/pool/updates/main/m/mpg321/mpg321_0.2.10.2_ia64.deb
          Size/MD5 checksum:    45810 ab85b5c5f50f60007582ce7964db56ed
    
      HP Precision architecture:
    
         http://security.debian.org/pool/updates/main/m/mpg321/mpg321_0.2.10.2_hppa.deb
          Size/MD5 checksum:    37354 e2f6d8ed0f24b64969eb1588876b145b
    
      Motorola 680x0 architecture:
    
         http://security.debian.org/pool/updates/main/m/mpg321/mpg321_0.2.10.2_m68k.deb
          Size/MD5 checksum:    33324 34e91b68511a9a4123970bb8956879c8
    
      Big endian MIPS architecture:
    
         http://security.debian.org/pool/updates/main/m/mpg321/mpg321_0.2.10.2_mips.deb
          Size/MD5 checksum:    36836 b463575ae9e297f8ad9acb7bffd98aa9
    
      Little endian MIPS architecture:
    
         http://security.debian.org/pool/updates/main/m/mpg321/mpg321_0.2.10.2_mipsel.deb
          Size/MD5 checksum:    36776 2686af3b9923cf0d963caf6d0b16c1ac
    
      PowerPC architecture:
    
         http://security.debian.org/pool/updates/main/m/mpg321/mpg321_0.2.10.2_powerpc.deb
          Size/MD5 checksum:    35986 fba1682b26e884a23a96b69aa5191080
    
      IBM S/390 architecture:
    
         http://security.debian.org/pool/updates/main/m/mpg321/mpg321_0.2.10.2_s390.deb
          Size/MD5 checksum:    35330 debb74234e2e5449aea85f240b81a0f6
    
      Sun Sparc architecture:
    
         http://security.debian.org/pool/updates/main/m/mpg321/mpg321_0.2.10.2_sparc.deb
          Size/MD5 checksum:    35996 c77e160810d06749eddad6b0aad7bb33
    
      These files will probably be moved into the stable distribution on
      its next revision.
    
    ---------------------------------------------------------------------------------
    For apt-get: deb  http://security.debian.org/ stable/updates main
    For dpkg-ftp:  ftp://security.debian.org/debian-security dists/stable/updates/main
    Package info: `apt-cache show ' and  http://packages.debian.org/
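
The bug class named in the advisory, shown as an added example; this is not mpg321's code. The advisory does not say which strings were involved, so the sample title and the names `render_unsafe`, `render_safe`, `contains_directive` and `SAMPLE_TITLE` are hypothetical. The sample uses only `%%`, which consumes no arguments, so both paths have defined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a metadata string read from an untrusted file or
 * stream. The bytes are literally 1 0 0 % % space l i v e. */
static const char SAMPLE_TITLE[] = "100%% live";

/* Vulnerable pattern: the untrusted string IS the format string, so every
 * conversion directive in it is interpreted by the printf family.
 * GCC and Clang report this call under -Wformat-security; the pragmas
 * silence that only so the "before" version builds in strict setups. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int render_unsafe(char *out, size_t cap, const char *untrusted)
{
    return snprintf(out, cap, untrusted);
}
#pragma GCC diagnostic pop

/* Fixed pattern: the format is a constant; untrusted data is only ever
 * an argument and is copied byte for byte. */
int render_safe(char *out, size_t cap, const char *untrusted)
{
    return snprintf(out, cap, "%s", untrusted);
}

/* Triage helper for code review or input logging: returns 1 if the
 * string would be interpreted rather than copied when used as a format. */
int contains_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    char a[64], b[64];
    render_unsafe(a, sizeof a, SAMPLE_TITLE);
    render_safe(b, sizeof b, SAMPLE_TITLE);
    printf("as format  : [%s]\n", a);   /* directive was interpreted */
    printf("as argument: [%s]\n", b);   /* bytes preserved */
    printf("flagged    : %d\n", contains_directive(SAMPLE_TITLE));
    return 0;
}
```

Building with `-Wformat -Werror=format-security` turns the unsafe pattern into a compile error wherever the pragmas are absent.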
    
    