CVE-2009-1301 - Vulnerability Details - OpenCVE

Integer signedness error in the store_id3_text function in the ID3v2 code in mpg123 before 1.7.2 allows remote attackers to cause a denial of service (out-of-bounds memory access) and possibly execute arbitrary code via an ID3 tag with a negative encoding value. NOTE: some of these details are obtained from third party information.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mpg123	Mpg123

Configuration 1 [-]

OR	cpe:2.3:a:mpg123:mpg123::::::::
	cpe:2.3:a:mpg123:mpg123:0.59m:::::::*
	cpe:2.3:a:mpg123:mpg123:0.59n:::::::*
	cpe:2.3:a:mpg123:mpg123:0.59o:::::::*
	cpe:2.3:a:mpg123:mpg123:0.59p:::::::*
	cpe:2.3:a:mpg123:mpg123:0.59q:::::::*
	cpe:2.3:a:mpg123:mpg123:0.59r:::::::*
	cpe:2.3:a:mpg123:mpg123:0.59s:::::::*
	cpe:2.3:a:mpg123:mpg123:0.62:::::::*
	cpe:2.3:a:mpg123:mpg123:1.6.3:::::::*
	cpe:2.3:a:mpg123:mpg123:1.6.4:::::::*
	cpe:2.3:a:mpg123:mpg123:1.7.0:::::::*
	cpe:2.3:a:mpg123:mpg123:pre0.59s:::::::*
	cpe:2.3:a:mpg123:mpg123:pre0.59s_r11:::::::*

No data.

References

Link	Providers
http://bugs.gentoo.org/show_bug.cgi?id=265342
http://secunia.com/advisories/34587
http://secunia.com/advisories/34748
http://sourceforge.net/mailarchive/message.php?msg_name=20090405211856.41696433%40sunscreen.local
http://sourceforge.net/project/shownotes.php?release_id=673696
http://www.gentoo.org/security/en/glsa/glsa-200904-15.xml
http://www.mandriva.com/security/advisories?name=MDVSA-2009:093
http://www.securityfocus.com/bid/34381
http://www.vupen.com/english/advisories/2009/0936

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2009-04-16T15:00:00

Updated: 2024-08-07T05:04:49.529Z

Reserved: 2009-04-16T00:00:00

Link: CVE-2009-1301

Vulnrichment

No data.

NVD

Status : Modified

Published: 2009-04-16T15:12:57.483

Modified: 2024-11-21T01:02:08.403

Link: CVE-2009-1301

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-04-06T00:00:00", "descriptions": [{"lang": "en", "value": "Integer signedness error in the store_id3_text function in the ID3v2 code in mpg123 before 1.7.2 allows remote attackers to cause a denial of service (out-of-bounds memory access) and possibly execute arbitrary code via an ID3 tag with a negative encoding value. NOTE: some of these details are obtained from third party information."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2009-04-28T09:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://bugs.gentoo.org/show_bug.cgi?id=265342"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://sourceforge.net/project/shownotes.php?release_id=673696"}, {"name": "MDVSA-2009:093", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:093"}, {"name": "34748", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/34748"}, {"name": "34587", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/34587"}, {"name": "34381", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/34381"}, {"name": "ADV-2009-0936", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2009/0936"}, {"name": "GLSA-200904-15", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "http://www.gentoo.org/security/en/glsa/glsa-200904-15.xml"}, {"name": "[mpg123-devel] 20090405 mpg123 1.7.2 is out -- important security fix!", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://sourceforge.net/mailarchive/message.php?msg_name=20090405211856.41696433%40sunscreen.local"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-1301", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Integer signedness error in the store_id3_text function in the ID3v2 code in mpg123 before 1.7.2 allows remote attackers to cause a denial of service (out-of-bounds memory access) and possibly execute arbitrary code via an ID3 tag with a negative encoding value. NOTE: some of these details are obtained from third party information."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://bugs.gentoo.org/show_bug.cgi?id=265342", "refsource": "CONFIRM", "url": "http://bugs.gentoo.org/show_bug.cgi?id=265342"}, {"name": "http://sourceforge.net/project/shownotes.php?release_id=673696", "refsource": "CONFIRM", "url": "http://sourceforge.net/project/shownotes.php?release_id=673696"}, {"name": "MDVSA-2009:093", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:093"}, {"name": "34748", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/34748"}, {"name": "34587", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/34587"}, {"name": "34381", "refsource": "BID", "url": "http://www.securityfocus.com/bid/34381"}, {"name": "ADV-2009-0936", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/0936"}, {"name": "GLSA-200904-15", "refsource": "GENTOO", "url": "http://www.gentoo.org/security/en/glsa/glsa-200904-15.xml"}, {"name": "[mpg123-devel] 20090405 mpg123 1.7.2 is out -- important security fix!", "refsource": "MLIST", "url": "http://sourceforge.net/mailarchive/message.php?msg_name=20090405211856.41696433%40sunscreen.local"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T05:04:49.529Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://bugs.gentoo.org/show_bug.cgi?id=265342"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://sourceforge.net/project/shownotes.php?release_id=673696"}, {"name": "MDVSA-2009:093", "tags": ["vendor-advisory", "x_refsource_MANDRIVA", "x_transferred"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:093"}, {"name": "34748", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/34748"}, {"name": "34587", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/34587"}, {"name": "34381", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/34381"}, {"name": "ADV-2009-0936", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2009/0936"}, {"name": "GLSA-200904-15", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "http://www.gentoo.org/security/en/glsa/glsa-200904-15.xml"}, {"name": "[mpg123-devel] 20090405 mpg123 1.7.2 is out -- important security fix!", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://sourceforge.net/mailarchive/message.php?msg_name=20090405211856.41696433%40sunscreen.local"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-1301", "datePublished": "2009-04-16T15:00:00", "dateReserved": "2009-04-16T00:00:00", "dateUpdated": "2024-08-07T05:04:49.529Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mpg123:mpg123:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE444055-2ECC-4E90-BAEB-1D7F8A1C7045", "versionEndIncluding": "1.7.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:mpg123:mpg123:0.59m:*:*:*:*:*:*:*", "matchCriteriaId": "A46F3026-9958-460C-AB14-593C216E12D9", "vulnerable": true}, {"criteria": "cpe:2.3:a:mpg123:mpg123:0.59n:*:*:*:*:*:*:*", "matchCriteriaId": "4D782ECC-6223-4055-A812-36625B50517D", "vulnerable": true}, {"criteria": "cpe:2.3:a:mpg123:mpg123:0.59o:*:*:*:*:*:*:*", "matchCriteriaId": "74027FB8-195D-432C-A4AB-83829C81FFBB", "vulnerable": true}, {"criteria": "cpe:2.3:a:mpg123:mpg123:0.59p:*:*:*:*:*:*:*", "matchCriteriaId": "2330232E-59BF-4885-84DC-879BAB98BA81", "vulnerable": true}, {"criteria": "cpe:2.3:a:mpg123:mpg123:0.59q:*:*:*:*:*:*:*", "matchCriteriaId": "124B56BC-EF2F-42D8-81B5-AD4E854CA9BC", "vulnerable": true}, {"criteria": "cpe:2.3:a:mpg123:mpg123:0.59r:*:*:*:*:*:*:*", "matchCriteriaId": "1F8EEF7E-C6BB-4669-81D2-68AABF8A7686", "vulnerable": true}, {"criteria": "cpe:2.3:a:mpg123:mpg123:0.59s:*:*:*:*:*:*:*", "matchCriteriaId": "1144518D-4069-4903-9B45-56C0E97BC992", "vulnerable": true}, {"criteria": "cpe:2.3:a:mpg123:mpg123:0.62:*:*:*:*:*:*:*", "matchCriteriaId": "F101A71C-6467-4008-9CCB-E2B9F69513FE", "vulnerable": true}, {"criteria": "cpe:2.3:a:mpg123:mpg123:1.6.3:*:*:*:*:*:*:*", "matchCriteriaId": "D5C11F12-01A2-48A7-9A4D-4D07E6C2D8D7", "vulnerable": true}, {"criteria": "cpe:2.3:a:mpg123:mpg123:1.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "93106E19-1059-4040-A5FA-569A1B7EF8C9", "vulnerable": true}, {"criteria": "cpe:2.3:a:mpg123:mpg123:1.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "F7123CC8-1F0C-4069-A2DA-0A25418E551E", "vulnerable": true}, {"criteria": "cpe:2.3:a:mpg123:mpg123:pre0.59s:*:*:*:*:*:*:*", "matchCriteriaId": "9AE94FDE-EC0C-48A1-A1E9-B4112CA4B0D0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mpg123:mpg123:pre0.59s_r11:*:*:*:*:*:*:*", "matchCriteriaId": "9765C6AD-E1F0-421C-B7B1-C09AD83A3DB7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Integer signedness error in the store_id3_text function in the ID3v2 code in mpg123 before 1.7.2 allows remote attackers to cause a denial of service (out-of-bounds memory access) and possibly execute arbitrary code via an ID3 tag with a negative encoding value. NOTE: some of these details are obtained from third party information."}, {"lang": "es", "value": "Error de presencia de signo entero en la funci\u00f3n store_id3_text en el c\u00f3digo ID3v2 en mpg123 antes de 1.7.2 permite a atacantes remotos provocar una denegaci\u00f3n de servicio (acceso a memoria fuera de rango) y posiblemente ejecutar c\u00f3digo de su elecci\u00f3n mediante una etiqueta ID3 con un valor de codificaci\u00f3n negativo. NOTA: algunos de estos detalles se han obtenido de informaci\u00f3n de terceros."}], "id": "CVE-2009-1301", "lastModified": "2024-11-21T01:02:08.403", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2009-04-16T15:12:57.483", "references": [{"source": "cve@mitre.org", "url": "http://bugs.gentoo.org/show_bug.cgi?id=265342"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/34587"}, {"source": "cve@mitre.org", "url": "http://secunia.com/advisories/34748"}, {"source": "cve@mitre.org", "url": "http://sourceforge.net/mailarchive/message.php?msg_name=20090405211856.41696433%40sunscreen.local"}, {"source": "cve@mitre.org", "url": "http://sourceforge.net/project/shownotes.php?release_id=673696"}, {"source": "cve@mitre.org", "url": "http://www.gentoo.org/security/en/glsa/glsa-200904-15.xml"}, {"source": "cve@mitre.org", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:093"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/34381"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2009/0936"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://bugs.gentoo.org/show_bug.cgi?id=265342"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/34587"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/34748"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://sourceforge.net/mailarchive/message.php?msg_name=20090405211856.41696433%40sunscreen.local"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://sourceforge.net/project/shownotes.php?release_id=673696"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.gentoo.org/security/en/glsa/glsa-200904-15.xml"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:093"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/34381"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2009/0936"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-189"}], "source": "nvd@nist.gov", "type": "Primary"}]}