> > No, you don't need to set up a rogue CDDB server, as CDDB servers
> > let anyone add or modify information about records.
>
> But according to the freedb.org FAQs every submission is reviewed before being
> applied to the database. So it seems quite unlikely submissions of
> crafted entries to exploit this vulnerability would pass this stage.
I can't find any place in the FAQ or the web site where it says that. On the contrary:

"Many users submit, and we are (automatically) trying to sort the bad entries out but we cannot guarantee that all submitted data is correct."
http://www.freedb.org/modules.php?name=Sections&sop=viewarticle&artid=4

"We update our master server as well as the mirrors with new submissions several times a day."
http://www.freedb.org/modules.php?name=Sections&sop=viewarticle&artid=26

They had about 19600 submissions last week:
http://www.freedb.org/freedb_stats.php?type=weekly&topic=submits

I think that's pretty conclusive evidence that they don't review the submitted entries.

It should also be noted that if you don't patch xine-lib, you have to trust the freedb.org people 100%, which I'm not willing to do. (I trust debian.org and ftp.sunet.se where I download .debs from, but they both have a reputation and a history.)

// Ulf