Hi!

I'd like to stress that the mpg123 exploit posted recently does not affect versions up to 0.59r. The vulnerable code was added as part of a rewrite of mpg123's prefetch. CVS checkouts after Oct. 25th, 2000 will be affected, as is the pre0.59s development snapshot. There has been no stable release in that timeframe.

The exploitable code is accompanied by the following entry to CHANGES, by the way:

  - major change in the stream reader: support for free format streams and better 'resync-on-error'. May still contain some bugs, so please TEST and TEST and TEST ;)

Anyway, if you're running 0.59r, you're not vulnerable. (Well, not to this exploit, at least.)

Regards,
Daniel.