
January 11, 2005 1:37 PM PST

Vulnerability found in open-source audio player

A vulnerability found in open-source MPEG audio player mpg123 received a "highly critical" rating Tuesday from security information provider Secunia.

The software vulnerability may lead to an exploit in which a specially crafted MP2 or MP3 file could cause a memory problem called a "buffer overflow" that could allow an attacker to run malicious code.

"Mpg123 allows users to listen to music and receive data streams from a server. But if they listen to music from a malicious server, then it could compromise their own system," said Thomas Kristensen, Secunia chief technology officer. "The owner of the malicious server would be able to do actions like the user on their own system."

Those actions could include taking control of a user's applications to send e-mail--perhaps aiding in identity theft or the spread of viruses--or altering files. However, Kristensen said the vulnerability may be difficult to exploit.

A buffer overrun attack injects more data into a particular memory location than a program can accommodate, and by carefully crafting the data that overflows into other parts of memory, attackers can run programs to take over the computer. However, it can be difficult to craft that attack data.
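The paragraph above describes the general pattern behind this class of bug: a program copies data whose length the attacker controls into a fixed-size region without checking that it fits. The following is an added illustration, not code from mpg123 or from the advisory, and it makes no claim about where the actual mpg123 flaw lives. It uses a constructed stream format in which a length byte is followed by a title string, the kind of self-describing field a decoder reads from an untrusted file or server, and shows the unchecked copy beside a bounded version that rejects anything that would not fit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a decoder keeps per-stream metadata in a fixed-size
 * field. TITLE_MAX is an arbitrary size chosen for the illustration. */
#define TITLE_MAX 30

struct stream_info {
    char title[TITLE_MAX + 1];   /* room for TITLE_MAX bytes plus terminator */
};

/* Vulnerable pattern (illustration only): the length byte comes from the
 * stream and is trusted. A value larger than TITLE_MAX writes past the end of
 * si->title, which is the "more data than the program can accommodate"
 * situation the article describes. Never use this on untrusted input. */
void copy_title_unchecked(struct stream_info *si, const uint8_t *buf)
{
    size_t claimed = buf[0];
    memcpy(si->title, buf + 1, claimed);
    si->title[claimed] = '\0';
}

/* Hardened version: the claimed length is checked against both the
 * destination size and the bytes actually available in the input.
 * Returns 0 on success, -1 if the record is rejected. */
int copy_title_checked(struct stream_info *si, const uint8_t *buf, size_t buflen)
{
    if (buflen < 1)
        return -1;                     /* no length byte present */
    size_t claimed = buf[0];
    if (claimed > TITLE_MAX)
        return -1;                     /* would overrun si->title */
    if (claimed > buflen - 1)
        return -1;                     /* would read past the end of the input */
    memcpy(si->title, buf + 1, claimed);
    si->title[claimed] = '\0';
    return 0;
}

/* Constructed well-formed record: length 5 followed by "hello". */
int demo_accepts_short(void)
{
    struct stream_info si;
    const uint8_t rec[] = { 5, 'h', 'e', 'l', 'l', 'o' };
    if (copy_title_checked(&si, rec, sizeof rec) != 0)
        return 0;
    return strcmp(si.title, "hello") == 0;
}

/* Constructed malformed record: claims 60 bytes, which exceeds TITLE_MAX.
 * The checked copy must refuse it instead of overrunning the buffer. */
int demo_rejects_oversized(void)
{
    struct stream_info si;
    uint8_t rec[64];
    rec[0] = 60;
    memset(rec + 1, 'A', sizeof rec - 1);
    return copy_title_checked(&si, rec, sizeof rec) == -1;
}

/* Constructed truncated record: claims 10 bytes but only 2 follow. */
int demo_rejects_truncated(void)
{
    struct stream_info si;
    const uint8_t rec[] = { 10, 'a', 'b' };
    return copy_title_checked(&si, rec, sizeof rec) == -1;
}

int main(void)
{
    printf("short record accepted: %d\n", demo_accepts_short());
    printf("oversized record rejected: %d\n", demo_rejects_oversized());
    printf("truncated record rejected: %d\n", demo_rejects_truncated());
    return 0;
}
```

The two checks in `copy_title_checked` are the whole difference: one bounds the write against the destination, the other bounds the read against the input. Compiling the program with a sanitizer (for example `-fsanitize=address` under GCC or Clang) will flag the unchecked variant as soon as it is fed an oversized record, which is a cheap way to catch this pattern during testing of any parser that handles files or streams from the network.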

Nonetheless, Secunia has given the vulnerability a "highly critical" rating because of the relative ease in enticing users to receive free streaming media.

Secunia advises people to use another product until a patch is available for mpg123's latest vulnerability.

Other vulnerabilities have been found in the past two years in the open-source media player, which is used on Linux and Unix systems.

The most recent vulnerability was published Monday by the Gentoo Foundation, a Linux programming and development project.

Since when is mpg123 open source?
by January 12, 2005 7:41 AM PST
If you look at the license, there are restrictions on distribution, modification, and inclusion in other projects that make it incompatible with open source licensing. You must also purchase a license for commercial use.
Open Source vs Free Software
by Philips January 12, 2005 10:01 AM PST
Well, it is definitely Open Source Software.
The question you have raised: does it qualify as Free Software?
Open Source Software != Free Software.
Probably C|Net must start filtering security PRs...
by Philips January 12, 2005 9:59 AM PST
Highly critical vulnerability of very very rarely used player, even *not* installed on most systems.

All Linux distros I know do not install mpg123, unless the user chooses so. There are a bunch of other command line players, more powerful and not limited to mpegs only. (e.g. mpg321)

Secunia is too loud generally for no reason. And C|Net, as a mainstream inet newspaper, quietly might skip an advisory which touches about 1% of installed Linux desktops (which are still rare by themselves).