Lucene search

Gentoo FoundationGLSA-200503-34

HistoryMar 28, 2005 - 12:00 a.m.

mpg321: Format string vulnerability

2005-03-2800:00:00

Gentoo Foundation

security.gentoo.org

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.034

Percentile

91.5%

JSON

Background

mpg321 is a GPL replacement for mpg123, a command line audio player with support for ID3. ID3 is a tagging system that allows metadata to be embedded within media files.

Description

A routine security audit of the mpg321 package revealed a known security issue remained unpatched. The vulnerability is a result of mpg321 printing embedded ID3 data to the console in an unsafe manner.

Impact

Successful exploitation would require a victim to play a specially crafted audio file using mpg321, potentially resulting in the execution of arbitrary code.

Workaround

There is no known workaround at this time.

Resolution

All mpg321 users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose "&gt;=media-sound/mpg321-0.2.10-r2"

OSVersionArchitecturePackageVersionFilename
Gentooanyallmedia-sound/mpg321< 0.2.10-r2UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Gentoo	any	all	media-sound/mpg321	< 0.2.10-r2	UNKNOWN

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.034

Percentile

91.5%

JSON

Related for GLSA-200503-34