AlsaPlayer http.c reconnect() Function Location HTTP Header Overflow

2006-08-09T08:05:02
ID OSVDB:27883
Type osvdb
Reporter Luigi Auriemma(aluigi@autistici.org)
Modified 2006-08-09T08:05:02

Description

Vulnerability Description

A remote overflow exists in AlsaPlayer. AlsaPlayer fails to handle long values (over 1024 bytes) in HTTP Response Header 'Location' when redirected by a web server resulting in a stack based overflow. With a specially crafted HTTP response, an attacker can cause deny of service or even execute arbitrary code resulting in a loss of integrity, and/or availability.

Solution Description

Upgrade to version 0.99.77 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

A remote overflow exists in AlsaPlayer. AlsaPlayer fails to handle long values (over 1024 bytes) in HTTP Response Header 'Location' when redirected by a web server resulting in a stack based overflow. With a specially crafted HTTP response, an attacker can cause deny of service or even execute arbitrary code resulting in a loss of integrity, and/or availability.

References:

Vendor URL: http://www.alsaplayer.org/ Vendor Specific News/Changelog Entry: http://www.alsaplayer.org/changelog.php3 Vendor Specific Advisory URL Vendor Specific Advisory URL Secunia Advisory ID:21422 Secunia Advisory ID:21749 Secunia Advisory ID:21639 Secunia Advisory ID:22018 Related OSVDB ID: 27885 Related OSVDB ID: 27884 Other Advisory URL: http://aluigi.altervista.org/adv/alsapbof-adv.txt Other Advisory URL: http://lists.suse.com/archive/suse-security-announce/2006-Sep/0001.html Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-08/0249.html ISS X-Force ID: 28306 CVE-2006-4089 Bugtraq ID: 19450