Vulnerability Bulletins

int(1115)

Vulnerability Bulletins

Desbordamiento de búfer en mpg123
Vulnerability classification
Property	Value
Confidence level	Oficial
Impact	Obtener acceso
Dificulty	Avanzado
Required attacker level	Acceso remoto sin cuenta a un servicio estandar
System information
Property	Value
Affected manufacturer	GNU/Linux
Affected software	mpg123-pre0.59s mpg123-0.59r
Description
Se ha descubierto una vulnerabilidad de desbordamiento de búfer en las versiones pre0.59s y 0.59r del reproductor de audio mpg123. La vulnerabilidad reside en la rutina de autenticación HTTP. La explotación de esta vulnerabilidad podría permitir a un atacante remoto ejecutar código arbitrario mediante la utilización de una URL especialmente diseñada (por ejemplo incluida en una "playlist") que la víctima debe intentar reproducir. El código se ejecutará con los privilegios del usuario que intente reproducir con mpg123 el contenido de la URL maliciosa.
Solution
Actualización de software Debian Linux Debian Linux 3.0 Source http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody4.dsc http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody4.diff.gz http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r.orig.tar.gz Alpha http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody4_alpha.deb http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-esd_0.59r-13woody4_alpha.deb ARM http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody4_arm.deb Intel IA-32 http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody4_i386.deb http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-esd_0.59r-13woody4_i386.deb http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-nas_0.59r-13woody4_i386.deb http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-oss-3dnow_0.59r-13woody4_i386.deb http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-oss-i486_0.59r-13woody4_i386.deb HP Precision http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody4_hppa.deb Motorola 680x0 http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody4_m68k.deb PowerPC http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody4_powerpc.deb http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-esd_0.59r-13woody4_powerpc.deb Sun Sparc architecture http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody4_sparc.deb Mandrake Linux Mandrakelinux 10.0 x86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/mpg123-0.59r-22.1.100mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/SRPMS/mpg123-0.59r-22.1.100mdk.src.rpm AMD64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/mpg123-0.59r-22.1.100mdk.amd64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/SRPMS/mpg123-0.59r-22.1.100mdk.src.rpm Mandrakelinux 10.1 x86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/mpg123-0.59r-22.1.101mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/SRPMS/mpg123-0.59r-22.1.101mdk.src.rpm X86_64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/mpg123-0.59r-22.1.101mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/SRPMS/mpg123-0.59r-22.1.101mdk.src.rpm Mandrake Corporate Server 2.1 x86 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/RPMS/mpg123-0.59r-21.2.C21mdk.i586.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/SRPMS/mpg123-0.59r-21.2.C21mdk.src.rpm x86_64 ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/RPMS/mpg123-0.59r-21.2.C21mdk.x86_64.rpm ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/SRPMS/mpg123-0.59r-21.2.C21mdk.src.rpm SuSE Linux Distribuciones basadas en SuSE Linux - Actualizar mediante YaST Online Update
Standar resources
Property	Value
CVE	CAN-2004-0982
BID
Other resources
Carlos Barros Security Advisory #01, 2004 http://www.barrossecurity.com/advisories/mpg123_getauthfromurl_bof_advisory.txt Debian Security Advisory DSA 578-1 http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00187.html Mandrakesoft Security Advisory MDKSA-2004:120 http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:120 SUSE Security Summary Report SUSE-SR:2005:002 http://www.novell.com/linux/security/advisories/2005_02_sr.html

Version history
Version	Comments	Date
1.0	Aviso emitido	2004-11-02
1.1	Aviso emitido por SuSE (SUSE-SR:2005:002)	2005-01-28

Vulnerability Bulletins

Desbordamiento de búfer en mpg123

Vulnerability classification

System information

Description

Solution

Standar resources

Other resources

Version history