Old 30th June 2005, 14:49   #1
Leon Juranic
Junior Member
 
Join Date: Jun 2005
Posts: 4
Winamp 5.x security vulnerability

Hi,

There is a high-risk security vulnerability in Winamp 5.x. I've reported that vulnerability to support@winamp.com, but the only response that I've got is:

Quote:
> Dear ljuranic,
> Hi, My name is Cristal and I will be able to assist you with your Winamp.
> Thanks for the information!
> I have sent your concerns to the appropriate staff members for immediate attention and consideration.
> Thank you for writing to Winamp.
...
I don't want to discuss that vulnerability in this public forum, but can anyone tell me what is going on with that vulnerability report?
Leon Juranic is offline   Reply With Quote
Old 30th June 2005, 18:17   #2
jmatthews112
Major Dude
 
Join Date: Jun 2003
Posts: 1,661
Send a message via AIM to jmatthews112 Send a message via Yahoo to jmatthews112
Why not discuss the vulnerability here? Tag and Benski are forums members and developers for Winamp that do in fact read many of the posts here and will respond and act on some of them.

Other users may wish to know if and how they may be exploited, and how to close up any holes with a potential workaround for now.

What OS is this experienced on?

What core components or Winamp-distro plugins are affected?

How may one reproduce the exploit from their home system, if possible?

Do you see any potential ways to remedy the problem until a fix is applied?

This information may be more helpful than you think.

Egg, JM, Tag, Benski, what are your thoughts?

jmat
jmatthews112 is offline   Reply With Quote
Old 30th June 2005, 19:08   #3
DJ Egg
Techorator
Winamp & Shoutcast Team
 
Join Date: Jun 2000
Posts: 35,822
Benski's said he'll try to get in touch with Leon Juranic privately.

LJ is right. It's not wise to discuss potential security vulnerabilities in public.
DJ Egg is offline   Reply With Quote
Old 30th June 2005, 19:30   #4
jmatthews112
Major Dude
 
Join Date: Jun 2003
Posts: 1,661
Send a message via AIM to jmatthews112 Send a message via Yahoo to jmatthews112
Oops ... I didn't know that was a bad idea [I always see security vulnerability reports rolling around on the internet, for example, Secunia].

Good though that Benski is aware and working to fix the vulnerability, whatever it might be
jmatthews112 is offline   Reply With Quote
Old 1st July 2005, 01:36   #5
Benski
Ben Allison
Former Winamp Developer
 
Benski's Avatar
 
Join Date: Jan 2005
Location: Brooklyn, NY
Posts: 1,057
Fixed... Maybe a small release will be forthcoming

=)

thanks, Leon
Benski is offline   Reply With Quote
Old 2nd July 2005, 13:29   #6
Leon Juranic
Junior Member
 
Join Date: Jun 2005
Posts: 4
No problem at all
Leon Juranic is offline   Reply With Quote
Old 2nd July 2005, 13:32   #7
Leon Juranic
Junior Member
 
Join Date: Jun 2005
Posts: 4
BTW: We will release vulnerability details probably in monday.
Leon Juranic is offline   Reply With Quote
Old 16th July 2005, 13:39   #8
Leon Juranic
Junior Member
 
Join Date: Jun 2005
Posts: 4
We have released an advisory regarding this vulnerability, so it would be good time to publish patched version.

http://security.lss.hr/en/index.php?...LSS-2005-07-14

Regards,
Leon Juranic is offline   Reply With Quote
Old 18th July 2005, 16:32   #9
timcough
Junior Member
 
Join Date: Jul 2005
Location: Outside Philly
Posts: 1
Send a message via AIM to timcough
Hello, I'm wondering (along with everyone else who got a security advisory from various mailing lists) if there is a patch or a safe version to download yet or is 5.093 the corrected version? Many Thanks,
-Tim
timcough is offline   Reply With Quote
Old 18th July 2005, 16:48   #10
DJ Egg
Techorator
Winamp & Shoutcast Team
 
Join Date: Jun 2000
Posts: 35,822
The patched 5.094 is due for release very shortly.
Thanks.
DJ Egg is offline   Reply With Quote
Old 18th July 2005, 21:23   #11
DJ Egg
Techorator
Winamp & Shoutcast Team
 
Join Date: Jun 2000
Posts: 35,822
Patched 5.094 is now available
http://forums.winamp.com/showthread.php?threadid=221801

Should go live on winamp.com sometime on Thursday evening.
DJ Egg is offline   Reply With Quote
Old 24th July 2005, 21:21   #12
b0f
Junior Member
 
Join Date: Dec 2004
Posts: 4
I reported this vuln 7 months ago and nothing was done about it.

see
http://forums.winamp.com/showthread.php?threadid=202594

you should have listened then full advisory was never released and it can be exploited remotly just by visiting a web page
b0f is offline   Reply With Quote
Old 24th July 2005, 21:48   #13
DJ Egg
Techorator
Winamp & Shoutcast Team
 
Join Date: Jun 2000
Posts: 35,822
There was no active developers 7 months ago.

Leon was invited into our private irc channel, he provided a sample file and exact steps to reproduce the vulnerability, and it was fixed by benski in realtime within a matter of minutes.

I remember your post well, but I seem to remember closing it instantly after reading the last paragraph... though at the time there was no-one to report it to anyway :/
DJ Egg is offline   Reply With Quote
Reply
Go Back   Winamp & Shoutcast Forums > Winamp > Winamp Bug Reports

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump