Luigi Auriemma reports three vulnerabilities within
alsaplayer:
- The function which handles the HTTP connections is
vulnerable to a buffer-overflow that happens when it uses
sscanf for copying the URL in the Location's field
received from the server into the redirect buffer of only
1024 bytes declared in http_open.
- A buffer-overflow exists in the functions which add items
to the playlist when the GTK interface is used (so the other
interfaces are not affected by this problem): new_list_item
and CbUpdated in interface/gtk/PlaylistWindow.cpp.
- AlsaPlayer automatically queries the CDDB server
specified in its configuration (by default
freedb.freedb.org) when the user choices the CDDA function
for playing audio CDs. The function which queries the
server uses a buffer of 20 bytes and one of 9 for storing
the category and ID strings received from the server while
the buffer which contains this server's response is 32768
bytes long. Naturally for exploiting this bug the attacker
must have control of the freedb server specified in the
AlsaPlayer's configuration.
These vulnerabilities could allow a remote attacker to
execute arbitrary code, possibly gaining access to the
system.