A vulnerability found in open-source MPEG audio player mpg123 received a "highly critical" rating Tuesday from security information provider Secunia.
The software vulnerability may lead to an exploit in which a specially crafted MP2 or MP3 file could cause a memory problem called a "buffer overflow" that could allow an attacker to run malicious code.
"Mpg123 allows users to listen to music and receive data streams from a server. But if they listen to music from a malicious server, then it could compromise their own system," said Thomas Kristensen, Secunia chief technology officer. "The owner of the malicious server would be able to do actions like the user on their own system."
Those actions could include taking control of a user's applications to send e-mail--perhaps aiding in identity theft or the spread of viruses--or alter files. However, Kristensen said the vulnerability may be difficult to exploit.
A buffer overrun attack injects more data into a particular memory location than a program can accommodate, and by carefully crafting the data that overflows into other parts of memory, attackers can run programs to take over the computer. However, it can be difficult to craft that attack data.
Nonetheless, Secunia has given the vulnerability a "highly critical" rating because of the relative ease in enticing users to receive free streaming media.
Secunia advises people to use another product until a patch is available for mpg123's latest vulnerability.
If you look at the license, there are restrictions on distribution, modification, and inclusion in other projects that make it incompatible with open source licensing. You must also purchase a license for commercial use.
Probably C|Net must start filtering security PRs...
Highly critical vulnerability of very very rarely used player, even *not* installed on most systems.
All Linux distros I know do not install mpg123, unless user chooses so. There are bunch of other command line players, more powerful and not limited to mpegs only. (e.g. mpg321)
Secunia is too loud generally for no reason. And C|Net, as mainstream inet newspaper, quitely might skip advisory which touches about 1% of installed Linux desktops (which are still rare by themselves).
Web giant is spending $120 million to beef up its Mountain View, Calif., headquarters, according to filings with the city reviewed by the San Jose Mercury News.
The Samsung Galaxy Mini 2 S6500 could make its debut at the Mobile World Congress in Barcelona later this month, according to a leaked promotional image.
MIT creates a simulation to celebrate the 50th anniversary of Spacewar. A relic of the early days of minicomputers, it was one of the first computer video games and set the stage for many others, including Asteroids.
The question you have raised: is it qualifies as Free Software?
Open Source Software != Free Software.
All Linux distros I know do not install mpg123, unless user chooses so. There are bunch of other command line players, more powerful and not limited to mpegs only. (e.g. mpg321)
Secunia is too loud generally for no reason. And C|Net, as mainstream inet newspaper, quitely might skip advisory which touches about 1% of installed Linux desktops (which are still rare by themselves).