Denial of service in libid3tag
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2004-2779 |
| CWE-ID | CWE-789 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
libid3tag Universal components / Libraries / Libraries used by multiple products |
| Vendor | Underbit Technologies |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Uncontrolled memory allocation
EUVDB-ID: #VU11276
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2004-2779
CWE-ID:
CWE-789 - Uncontrolled Memory Allocation
Exploit availability: No
DescriptionThe vulnerability allows a local unauthenticated attacker to cause DoS condition on the target system.
The weakness exists in the id3_utf16_deserialize() function due to the improper parsing of ID3v2 tags. A local attacker can submit a specially crafted ID3v2 tag with an odd number of bytes, trigger improper memory allocation and cause the service to crash.
Install update from vendor's website.
Vulnerable software versionslibid3tag: 0.15.0b - 0.15.1b
CPE2.3- cpe:2.3:a:underbit_technologies:libid3tag:0.15.0b:*:*:*:*:*:*:*
- cpe:2.3:a:underbit_technologies:libid3tag:0.15.1b:*:*:*:*:*:*:*
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=304913
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
