mixplayd Format String Arbitrary Command Execution

2004-10-28T00:00:00
ID OSVDB:11229
Type osvdb
Reporter Khan Shirani (shirani@zone-h.org)
Modified 2004-10-28T00:00:00

Description

Vulnerability Description

mixplayd has been reported to contain a flaw that may allow a malicious user to execute arbitrary code. The issue is due to a format string vulnerability in main.c. As reported, the flaw may allow privilege escalation, resulting in a loss of integrity. Upon further examination, the input passed to main.c comes from the 'statmsg' variable, which is not user-supplied. As a result, this cannot be leveraged for additional or unauthorized privileges. This is a non-issue.

Solution Description

The vulnerability reported is incorrect. No solution required.

References:

Vendor URL: http://mixplayd.sourceforge.net/
Security Tracker: 1012000
Other Advisory URL: http://www.zone-h.org/advisories/read/id=6088
ISS X-Force ID: 17921