[Alsaplayer-devel] cddb issues

Hubert Chan hubert at uhoreg.ca
Wed Jul 4 16:24:02 BST 2007


On 2007-07-03 19:59:32 -0400 John Kelleher <johnkelleheriii at yahoo.com> 
wrote:

[...]

> a. The current AlsaPlayer fetch routine only 'sort of' works, and I do
> not know whether it has been as thoroughly checked for security issues
> as has, for example, the routine in xine-libs.

There was a security issue discovered last year in AlsaPlayer's cddb 
code.  After looking at the code, I wouldn't be surprised if there 
were more.  The good news, though, is that exploiting a vulnerability 
would require connecting to a compromised cddb server, which should be 
rare.  But it should still be fixed if possible.

I'm not sure if it would be easier to do a proper security audit, or 
to rewrite the code, or to adapt xine's code.

(At the very least, switching from C-style strings to C++-style 
strings as much as possible should help eliminate buffer overflows.)

Oh, I just found this library: http://libcddb.sourceforge.net/  It may 
be worth using that instead.

-- 
Hubert Chan - email & Jabber: hubert at uhoreg.ca - http://www.uhoreg.ca/
PGP/GnuPG key: 1024D/124B61FA   (Key available at wwwkeys.pgp.net)
Fingerprint: 96C5 012F 5F74 A5F7 1FF7  5291 AF29 C719 124B 61FA



More information about the alsaplayer-devel mailing list