Package: mp3info
Version: 0.8.4-9
Severity: normal
Tags: security patch

CVE-2006-2465: "Buffer overflow in MP3Info 0.8.4 allows attackers to execute arbitrary code via a long command line argument. NOTE: if mp3info is not installed setuid or setgid in any reasonable context, then this issue might not be a vulnerability."

I've confirmed this issue appears in 0.8.4-9 and attached a patch that fixes it. There are other sprintf()s around the source, but since it's reading the fixed-length ID3 tags I'm not sure there are any vulnerabilities there.

Please mention the CVE in your changelog.

Thanks,
Alec

--- mp3info.c.orig 2006-05-20 14:39:24.000000000 +0100 +++ mp3info.c 2006-05-20 14:40:02.000000000 +0100 @@ -183,7 +183,7 @@ file_open=0; if (view_only == 1) { if ( !( fp=fopen(argv[i],"r") ) ) { - sprintf(error_msg,"Error opening MP3: %s",argv[i]); + snprintf(error_msg,sizeof(error_msg),"Error opening MP3: %s",argv[i]); perror(error_msg); retcode |= 1; } else { @@ -191,7 +191,7 @@ } } else { if ( !( fp=fopen(argv[i],"rb+") ) ) { - sprintf(error_msg,"Error opening MP3: %s",argv[i]); + snprintf(error_msg,sizeof(error_msg),"Error opening MP3: %s",argv[i]); perror(error_msg); retcode |= 1; } else {
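Review bot: sizeof(error_msg) in the snprintf call of the view_only branch (hunk at -183) is the right bound only if error_msg is a char array declared in this scope; the declaration is not among the visible lines, and if it were a char * or a function parameter the size passed would be that of a pointer. Please confirm against the declaration, or pass the buffer's named size constant if the source defines one. Ignoring the return value is acceptable here, since a truncated message only shortens what perror prints.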
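Review bot: the "rb+" branch (hunk at -191) repeats the same sequence as the view_only branch (snprintf into error_msg, perror, retcode |= 1), so the bound has to be kept correct in two places. A small helper that takes argv[i] and reports the open failure would leave a single bounded format call; alternatively, fprintf(stderr, "Error opening MP3: %s: %s\n", argv[i], strerror(errno)) removes the fixed-size intermediate buffer for this message altogether.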