Winamp 5.x security vulnerability

  • Winamp 5.x security vulnerability

    Hi,

    There is a high-risk security vulnerability in Winamp 5.x. I've reported that vulnerability to [email protected], but the only response that I've got is:

    > Dear ljuranic,
    > Hi, My name is Cristal and I will be able to assist you with your Winamp.
    > Thanks for the information!
    > I have sent your concerns to the appropriate staff members for immediate attention and consideration.
    > Thank you for writing to Winamp.
    ...
    I don't want to discuss that vulnerability in this public forum, but can anyone tell me what is going on with that vulnerability report?

  • #2
    Why not discuss the vulnerability here? Tag and Benski are forum members and developers for Winamp who do in fact read many of the posts here and will respond and act on some of them.

    Other users may wish to know if and how they may be exploited, and how to close up any holes with a potential workaround for now.

    What OS is this experienced on?

    What core components or Winamp-distro plugins are affected?

    How may one reproduce the exploit from their home system, if possible?

    Do you see any potential ways to remedy the problem until a fix is applied?

    This information may be more helpful than you think.

    Egg, JM, Tag, Benski, what are your thoughts?

    jmat
    The Winamp.INI File for Dummies
    Tips and Tricks for MSVCRT.dll Errors


    • #3
      Benski's said he'll try to get in touch with Leon Juranic privately.

      LJ is right. It's not wise to discuss potential security vulnerabilities in public.

      Playlist | Twitter | Albums


      • #4
        Oops ... I didn't know that was a bad idea [I always see security vulnerability reports rolling around on the internet, for example, Secunia].

        Good though that Benski is aware and working to fix the vulnerability, whatever it might be.
        The Winamp.INI File for Dummies
        Tips and Tricks for MSVCRT.dll Errors


        • #5
          Fixed... Maybe a small release will be forthcoming

          =)

          thanks, Leon


          • #6
            No problem at all


            • #7
              BTW: We will probably release vulnerability details on Monday.


              • #8
                We have released an advisory regarding this vulnerability, so it would be a good time to publish a patched version.



                Regards,


                • #9
                  Hello, I'm wondering (along with everyone else who got a security advisory from various mailing lists) if there is a patch or a safe version to download yet or is 5.093 the corrected version? Many Thanks,
                  -Tim


                  • #10
                    The patched 5.094 is due for release very shortly.
                    Thanks.

                    Playlist | Twitter | Albums


                    • #11
                      Patched 5.094 is now available

                      Should go live on winamp.com sometime on Thursday evening.

                      Playlist | Twitter | Albums


                      • #12
                        I reported this vuln 7 months ago and nothing was done about it.

                        see
                        Did you find a bug in Winamp? Can you reproduce it? Let us know, we'll try to fix it as soon as possible!


                        You should have listened then. The full advisory was never released, and it can be exploited remotely just by visiting a web page.


                        • #13
                          There were no active developers 7 months ago.

                          Leon was invited into our private irc channel, he provided a sample file and exact steps to reproduce the vulnerability, and it was fixed by benski in realtime within a matter of minutes.

                          I remember your post well, but I seem to remember closing it instantly after reading the last paragraph... though at the time there was no-one to report it to anyway :/

                          Playlist | Twitter | Albums
