[Alsaplayer-devel] cddb issues
hubert at uhoreg.ca
Wed Jul 4 16:24:02 BST 2007

On 2007-07-03 19:59:32 -0400 John Kelleher <johnkelleheriii at yahoo.com>

> a. The current AlsaPlayer fetch routine only 'sort of' works, and I do
> not know whether it has been as thoroughly checked for security issues
> as has, for example, the routine in xine-libs.

There was a security issue discovered last year in AlsaPlayer's cddb
code. After looking at the code, I wouldn't be surprised if there
were more. The good news, though, is that exploiting a vulnerability
would require connecting to a compromised cddb server, which should be
rare. But it should still be fixed if possible.

I'm not sure if it would be easier to do a proper security audit, or
to rewrite the code, or to adapt xine's code.

(At the very least, switching from C-style strings to C++-style
strings as much as possible should help eliminate buffer overflows.)

Oh, I just found this library: http://libcddb.sourceforge.net/ It may
be worth using that instead.

Hubert Chan - email & Jabber: hubert at uhoreg.ca - http://www.uhoreg.ca/
PGP/GnuPG key: 1024D/124B61FA (Key available at wwwkeys.pgp.net)
Fingerprint: 96C5 012F 5F74 A5F7 1FF7 5291 AF29 C719 124B 61FA
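
Added example (not part of the original message, and not code from AlsaPlayer, xine or libcddb): the point above about C++-style strings, shown for one CDDB exact-match reply of the form `200 <category> <discid> <title>` received from an untrusted server. The function name, the length limits and the sample reply lines are assumptions constructed for this illustration.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <sstream>
#include <string>

// Constructed limits: assumptions for this example, not taken from the
// CDDB protocol specification or from AlsaPlayer.
const std::size_t kMaxLine = 512;
const std::size_t kMaxCategory = 32;

struct CddbMatch {
    std::string category, discid, title;
};

// Parse one exact-match reply "200 <category> <discid> <title>" from an
// untrusted server. A C-style sscanf("%s") into a fixed char array writes as
// many bytes as the token contains; here std::string owns the storage and
// every field is checked before it is accepted.
bool parse_cddb_match(const std::string& line, CddbMatch& out) {
    if (line.empty() || line.size() > kMaxLine) return false;
    std::istringstream in(line);
    std::string code;
    CddbMatch m;
    if (!(in >> code >> m.category >> m.discid)) return false;
    if (code != "200" || m.category.size() > kMaxCategory) return false;
    if (m.discid.size() != 8) return false;   // disc ID: 8 hex digits
    for (unsigned char c : m.discid)
        if (!std::isxdigit(c)) return false;
    std::getline(in >> std::ws, m.title);      // rest of line is the title
    if (!m.title.empty() && m.title.back() == '\r') m.title.pop_back();
    if (m.title.empty()) return false;
    for (unsigned char c : m.title)
        if (std::iscntrl(c)) return false;     // no embedded control bytes
    out = m;                                   // commit only on success
    return true;
}

int main() {
    // Constructed sample replies, not captured from a real server.
    const std::string good = "200 rock f50a3b13 Example Artist / Example Album\r";
    const std::string huge = "200 rock f50a3b13 " + std::string(5000, 'A');
    CddbMatch m;
    std::cout << parse_cddb_match(good, m) << ' ' << m.title << '\n';
    std::cout << parse_cddb_match(huge, m) << '\n';
    return 0;
}
```
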