ID3v2
Problem Description:
A vulnerability has been found and corrected in mpg123:
Integer signedness error in the store_id3_text function in the
ID3v2 code in mpg123 before 1.7.2 allows remote attackers to cause a
denial of service (out-of-bounds memory access) and possibly execute
arbitrary code via an ID3 tag with a negative encoding value. NOTE:
some of these details are obtained from third party information
(CVE-2009-1301).
files. If a user or automated system were tricked into opening a specially
crafted AAC file, an attacker could cause xine-lib to crash, creating a
denial of service. This issue only applied to Ubuntu 7.10, and 8.04 LTS.
(CVE-2008-5244)
It was discovered that the id3 tag handler in xine-lib did not correctly handle
malformed tags, resulting in heap-based buffer overflows. If a user or automated
system were tricked into opening a media file containing a specially crafted id3
tag, an attacker could execute arbitrary code as the user invoking the program.
This issue only applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2008-5246)
=======
Summary
=======
Name: Heap overflow in RealPlayer ID3 tag parsing code
Release Date: 29 October 2007
Reference: NGS00432
Discover: John Heasman <john@ngssoftware.com>
Vendor: RealNetworks
Systems Affected: Several builds of RealPlayer 10.5,
All builds of RealPlayer 10.
site: http://retrogod.altervista.org/
software site: http://www.jetaudio.com/
Tested against JetAudio pack v.7.5.2
---------------------------------------------------------------------------------
Passing an overlong string as id3 tag we have:
(370.7a8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=00000394 ecx=41414141 edx=00160608 esi=010c1a00 edi=0302fbc8
1 media-sound/mpg123 < 1.7.2 >= 1.7.2
Description
===========
The vendor reported a signedness error in the store_id3_text() function
in id3.c, allowing for out-of-bounds memory access.
Impact
======
Debian Security Advisory DSA 1365-2 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
September 9th, 2007 http://www.debian.org/security/faq
--------------------------------------------------------------------------
Package : id3lib3.8.3
Vulnerability : programming error
Problem-Type : local
Debian-specific: no
CVE ID : CVE-2007-4460
Debian Bug : 438540
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: libid3tag: Denial of Service
Date: May 14, 2008
Bugs: #210564
ID: 200805-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Debian Security Advisory DSA 1365-3 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff, Dann Frazier
October 2nd, 2007 http://www.debian.org/security/faq
--------------------------------------------------------------------------
Package : id3lib3.8.3
Vulnerability : programming error
Problem-Type : local
Debian-specific: no
CVE ID : CVE-2007-4460
Debian Bug : 438540
Debian Security Advisory DSA 1365-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
September 1st, 2007 http://www.debian.org/security/faq
--------------------------------------------------------------------------
Package : id3lib3.8.3
Vulnerability : programming error
Problem-Type : local
Debian-specific: no
CVE ID : CVE-2007-4460
Debian Bug : 438540
#######################################################################
Luigi Auriemma
Application: id3lib
http://id3lib.sourceforge.net
Versions: only devel (CVS)
stable (3.8.3) is NOT affected
Platforms: Windows, *nix and Mac
Bug: array overflow
v9@fakehalo.us wrote:
> I may be rusty with knowledge about mirc (say almost 10 years out of date)...but, in what situation would the pipe ('|') ever be processed from a variable, even if it was read from a mp3 ID3?
This is probably a bigger concern for *nix scripts, especially of the
homebrew variety where the owner hacks something out in 20 minutes and
never looks at it again. While the attacker might not have access to the
source code, they shouldn't have any problems defeating simple
substitution onto a command line.
-- m. tharp
The xine free multimedia player suffers from a number of vulnerabilities
ranging in severity. The worst of these vulnerabilities results in
arbitrary code execution and the least, in unexpected process
termination.
Five heap buffer overflows exist in parsing of real audio files, id3
tags, qt mov files, and matroska headers which all can result in
arbitrary code execution.
Three additional heap buffer overflows occur in mng, mod, and real
handling which are potentially exploitable.
by a condition of video frame preallocation before ascertaining the
required length in V4L video input plugin (CVE-2008-5245).
Heap-based overflow allows remote attackers to execute arbitrary
code by using crafted media files. This vulnerability is in the
manipulation of ID3 audio file data tagging mainly used in MP3 file
formats (CVE-2008-5246).
Integer overflow in the qt_error parse_trak_atom function in
demuxers/demux_qt.c in xine-lib 1.1.16.2 and earlier allows remote
attackers to execute arbitrary code via a Quicktime movie file with a
I may be rusty with knowledge about mirc (say almost 10 years out of date)...but, in what situation would the pipe ('|') ever be processed from a variable, even if it was read from a mp3 ID3?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: id3lib: Insecure temporary file creation
Date: September 15, 2007
Bugs: #189610
ID: 200709-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
by a condition of video frame preallocation before ascertaining the
required length in V4L video input plugin (CVE-2008-5245).
Heap-based overflow allows remote attackers to execute arbitrary
code by using crafted media files. This vulnerability is in the
manipulation of ID3 audio file data tagging mainly used in MP3 file
formats (CVE-2008-5246).
This update provides the fix for all these security issues found in
xine-lib 1.1.11 of Mandriva 2008.1. The vulnerabilities: CVE-2008-5234,
CVE-2008-5236, CVE-2008-5237, CVE-2008-5239, CVE-2008-5240,
On Wednesday 15 August 2007 18:27, v9@fakehalo.us wrote:
> I may be rusty with knowledge about mirc (say almost 10 years out of
> date)...but, in what situation would the pipe ('|') ever be processed from
> a variable, even if it was read from a mp3 ID3?
It gets processed before it ends up in an mirc variable. The plugin to link
your media player to mirc sends something like:
"/set %songname <insert song name here>"
And it's when executing that command that it goes wrong already, not in the
command that's using the variable. That's why it's easier to exploit: the
|