Hello,

* On Fri, Feb 06, 2004 at 11:49:07AM -0800 Gregory A. Gilliss wrote:

> On or about 2004.02.06 10:14:39 +0000,
> [EMAIL PROTECTED]
> ([EMAIL PROTECTED]) said:
> 
> > A vulnerability was discovered in mpg123, a command-line mp3 player,
                                      ^^^^^^
> > whereby a response from a remote HTTP server could overflow a buffer
> > allocated on the heap, potentially permitting execution of arbitrary
> > code with the privileges of the user invoking mpg123.  In order for
> > this vulnerability to be exploited, mpg321 would need to request an
                                        ^^^^^^
> > mp3 stream from a malicious remote server via HTTP.

> Which is it - mpg123 or mpg321?

Looking at the bug reports for both
mpg321: http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=mpg321
mpg123: http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=mpg123

it seems that it is really mpg123 that is affected:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=212584

- if I don't misunderstand the bug reports.

Anyway, the original advisory would have to be more precise on the
package name.

Spiro.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
