Vulnerability Bulletins

Buffer overflow in mpg123
Vulnerability classification

| Property | Value |
|---|---|
| Confidence level | Official |
| Impact | Gain access |
| Difficulty | Advanced |
| Required attacker level | Remote access to a standard service, without an account |
System information

| Property | Value |
|---|---|
| Affected manufacturer | GNU/Linux |
| Affected software | mpg123-pre0.59s, mpg123-0.59r |
Description |
|
A buffer overflow vulnerability has been discovered in versions pre0.59s and 0.59r of the mpg123 audio player. The vulnerability resides in the HTTP authentication routine. Exploiting it could allow a remote attacker to execute arbitrary code by means of a specially crafted URL (for example, one included in a playlist) that the victim must attempt to play. The code runs with the privileges of the user who tries to play the content of the malicious URL with mpg123.
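To make the class of defect concrete, the following is an added example, not mpg123's code and not part of the original bulletin: it copies the credential component of an `http://user:password@host/path` URL into a fixed-size buffer and refuses input that would not fit, which is the check whose absence lets a crafted URL overrun a fixed buffer. The function name `extract_url_auth` and the buffer sizes are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not mpg123's code: copy the "user:password" part of
 * http://user:password@host/path into the fixed-size buffer `out`.
 * Returns the number of bytes copied, 0 if the URL carries no
 * credentials, or -1 if the credentials would not fit in `out`.
 * An unbounded copy (e.g. strcpy into a fixed buffer) at this point is
 * the kind of defect that lets a crafted URL overflow the buffer. */
int extract_url_auth(const char *url, char *out, size_t outsz)
{
    const char *p = url;
    if (strncmp(p, "http://", 7) == 0)
        p += 7;

    /* Credentials can only appear in the authority part, i.e. before
     * the first '/'; an '@' in the path is not a credential separator. */
    const char *end = p;
    while (*end != '\0' && *end != '/')
        end++;

    const char *at = memchr(p, '@', (size_t)(end - p));
    if (at == NULL) {
        if (outsz > 0)
            out[0] = '\0';
        return 0;
    }

    size_t len = (size_t)(at - p);
    if (outsz == 0 || len >= outsz)
        return -1;   /* would overflow: refuse rather than truncate silently */

    memcpy(out, p, len);
    out[len] = '\0';
    return (int)len;
}
```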
|
Solution

Software update

| Distribution | Architecture | Package |
|---|---|---|
| Debian Linux 3.0 | Source | http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody4.dsc |
| Debian Linux 3.0 | Source | http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody4.diff.gz |
| Debian Linux 3.0 | Source | http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r.orig.tar.gz |
| Debian Linux 3.0 | Alpha | http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody4_alpha.deb |
| Debian Linux 3.0 | Alpha | http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-esd_0.59r-13woody4_alpha.deb |
| Debian Linux 3.0 | ARM | http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody4_arm.deb |
| Debian Linux 3.0 | Intel IA-32 | http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody4_i386.deb |
| Debian Linux 3.0 | Intel IA-32 | http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-esd_0.59r-13woody4_i386.deb |
| Debian Linux 3.0 | Intel IA-32 | http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-nas_0.59r-13woody4_i386.deb |
| Debian Linux 3.0 | Intel IA-32 | http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-oss-3dnow_0.59r-13woody4_i386.deb |
| Debian Linux 3.0 | Intel IA-32 | http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-oss-i486_0.59r-13woody4_i386.deb |
| Debian Linux 3.0 | HP Precision | http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody4_hppa.deb |
| Debian Linux 3.0 | Motorola 680x0 | http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody4_m68k.deb |
| Debian Linux 3.0 | PowerPC | http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody4_powerpc.deb |
| Debian Linux 3.0 | PowerPC | http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123-esd_0.59r-13woody4_powerpc.deb |
| Debian Linux 3.0 | Sun Sparc | http://security.debian.org/pool/updates/non-free/m/mpg123/mpg123_0.59r-13woody4_sparc.deb |
| Mandrakelinux 10.0 | x86 | ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/RPMS/mpg123-0.59r-22.1.100mdk.i586.rpm |
| Mandrakelinux 10.0 | x86 | ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.0/SRPMS/mpg123-0.59r-22.1.100mdk.src.rpm |
| Mandrakelinux 10.0 | AMD64 | ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/RPMS/mpg123-0.59r-22.1.100mdk.amd64.rpm |
| Mandrakelinux 10.0 | AMD64 | ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/amd64/10.0/SRPMS/mpg123-0.59r-22.1.100mdk.src.rpm |
| Mandrakelinux 10.1 | x86 | ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/RPMS/mpg123-0.59r-22.1.101mdk.i586.rpm |
| Mandrakelinux 10.1 | x86 | ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/10.1/SRPMS/mpg123-0.59r-22.1.101mdk.src.rpm |
| Mandrakelinux 10.1 | x86_64 | ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/RPMS/mpg123-0.59r-22.1.101mdk.x86_64.rpm |
| Mandrakelinux 10.1 | x86_64 | ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/10.1/SRPMS/mpg123-0.59r-22.1.101mdk.src.rpm |
| Mandrake Corporate Server 2.1 | x86 | ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/RPMS/mpg123-0.59r-21.2.C21mdk.i586.rpm |
| Mandrake Corporate Server 2.1 | x86 | ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/corporate/2.1/SRPMS/mpg123-0.59r-21.2.C21mdk.src.rpm |
| Mandrake Corporate Server 2.1 | x86_64 | ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/RPMS/mpg123-0.59r-21.2.C21mdk.x86_64.rpm |
| Mandrake Corporate Server 2.1 | x86_64 | ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/corporate/2.1/SRPMS/mpg123-0.59r-21.2.C21mdk.src.rpm |
| SuSE Linux and SuSE-based distributions | all | Update via YaST Online Update |
|
Standard resources

| Property | Value |
|---|---|
| CVE | CAN-2004-0982 |
| BID | |
Other resources

| Reference | URL |
|---|---|
| Carlos Barros Security Advisory #01, 2004 | http://www.barrossecurity.com/advisories/mpg123_getauthfromurl_bof_advisory.txt |
| Debian Security Advisory DSA 578-1 | http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00187.html |
| Mandrakesoft Security Advisory MDKSA-2004:120 | http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:120 |
| SUSE Security Summary Report SUSE-SR:2005:002 | http://www.novell.com/linux/security/advisories/2005_02_sr.html |
Version history

| Version | Comments | Date |
|---|---|---|
| 1.0 | Advisory issued | 2004-11-02 |
| 1.1 | Advisory issued by SuSE (SUSE-SR:2005:002) | 2005-01-28 |