Bugtraq mailing list archives

Re: Local/remote mpg123 exploit

From: Daniel Kobras <kobras () tat physik uni-tuebingen de>
Date: Wed, 15 Jan 2003 22:19:12 +0100

Hi!

I'd like to stress that the mpg123 exploit posted recently does not
affect versions up to 0.59r.  The vulnerable code was added as part of
a rewrite of mpg123's prefetch.  CVS checkouts after Oct. 25th, 2000
will be affected, as is the pre0.59s development snapshot.  There has
been no stable release in that timeframe.

The exploitable code is accompanied by the following entry to CHANGES, by
the way:

- major change in the stream reader: support for free format
  streams and better 'resync-on-error'. May still contain some bugs, so
  please TEST and TEST and TEST ;)

Anyway, if you're running 0.59r, you're not vulnerable.  (Well, not to
this exploit, at least.)

Regards,

Daniel.

Attachment: _bin
Description:

Current thread:

Re: Local/remote mpg123 exploit Benjamin Tober (Jan 16)
- Re[2]: Local/remote mpg123 exploit 3APA3A (Jan 17)
- Re: Local/remote mpg123 exploit Gabucino (Jan 21)
- <Possible follow-ups>
- Local/remote mpg123 exploit gobbles (Jan 21)
  - Re: Local/remote mpg123 exploit 3APA3A (Jan 16)
  - Re: Local/remote mpg123 exploit Daniel Kobras (Jan 17)