Secunia reported two of the security issues to Nullsoft, a division of AOL, back in November. Now that fixes are available Secunia have disclosed the nature of the bugs.
According to Secunia’s security advisory they discovered two vulnerabilities in Winamp, which can be exploited by malicious people to compromise a user’s system.
- An integer overflow error in the in_avi.dll plugin when allocating memory using the number of streams header value can be exploited to cause a heap-based buffer overflow via a specially crafted AVI file.
- An integer overflow error in the in_avi.dll plugin when allocating memory using the RIFF INFO chunk’s size value can be exploited to cause a heap-based buffer overflow via a specially crafted AVI file.
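Both advisory items describe the same class of defect: a 32-bit size or count read from the file is used in an allocation arithmetic that wraps, so the buffer ends up far smaller than the data later copied into it. The C below is an added illustration of that pattern and its fix, written for this article; it is not Winamp's in_avi.dll code, and the record layout, the `MAX_STREAMS` cap and the function names are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical per-stream record used only for this example (not Winamp's layout). */
typedef struct {
    uint32_t fourcc;
    uint32_t rate;
    uint32_t scale;
    uint32_t length;
} stream_info_t;

#define MAX_STREAMS 64u   /* example cap; a real demuxer picks its own sane limit */

/* Reads a little-endian 32-bit field (RIFF/AVI headers are little-endian). */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the 32-bit product wraps, so a huge stream count yields a
 * tiny allocation while later code still writes stream_count records into it. */
uint32_t stream_table_size_unchecked(uint32_t stream_count) {
    return stream_count * (uint32_t)sizeof(stream_info_t);
}

/* Hardened pattern: reject implausible counts and multiply only when it cannot wrap. */
int stream_table_size_checked(uint32_t stream_count, size_t *out) {
    if (stream_count == 0 || stream_count > MAX_STREAMS)
        return 0;                                   /* implausible header value */
    if (stream_count > SIZE_MAX / sizeof(stream_info_t))
        return 0;                                   /* product would overflow size_t */
    *out = (size_t)stream_count * sizeof(stream_info_t);
    return 1;
}

/* Allocates the stream table from a raw 4-byte header field, or returns NULL. */
stream_info_t *alloc_stream_table(const uint8_t *count_field) {
    size_t bytes;
    if (!stream_table_size_checked(read_le32(count_field), &bytes))
        return NULL;
    return calloc(1, bytes);
}

/* Vulnerable pattern for a size-prefixed chunk: chunk_size + 1 (room for the NUL)
 * wraps to 0 when chunk_size is 0xFFFFFFFF, giving a zero-length buffer. */
uint32_t info_buffer_size_unchecked(uint32_t chunk_size) {
    return chunk_size + 1;
}

/* Hardened copy of an INFO-style string chunk: the declared size must fit in the
 * bytes actually remaining in the file, and the +1 must not wrap.
 * Returns a NUL-terminated copy or NULL. */
char *copy_info_string_checked(const uint8_t *data, uint32_t chunk_size, size_t remaining) {
    if (chunk_size == UINT32_MAX || chunk_size > remaining)
        return NULL;
    char *s = malloc((size_t)chunk_size + 1);
    if (!s)
        return NULL;
    memcpy(s, data, chunk_size);
    s[chunk_size] = '\0';
    return s;
}

int main(void) {
    /* Constructed header fields: 4 streams (sane) and 0x10000001 streams (wraps). */
    const uint8_t sane[4]    = {0x04, 0x00, 0x00, 0x00};
    const uint8_t crafted[4] = {0x01, 0x00, 0x00, 0x10};

    printf("unchecked size for 0x10000001 streams: %u bytes\n",
           stream_table_size_unchecked(read_le32(crafted)));   /* wraps to 16 */

    stream_info_t *ok = alloc_stream_table(sane);
    printf("checked alloc for 4 streams: %s\n", ok ? "accepted" : "rejected");
    free(ok);
    printf("checked alloc for 0x10000001 streams: %s\n",
           alloc_stream_table(crafted) ? "accepted" : "rejected");

    printf("unchecked INFO buffer for size 0xFFFFFFFF: %u bytes\n",
           info_buffer_size_unchecked(0xFFFFFFFFu));           /* wraps to 0 */
    return 0;
}
```

The checked versions do two things the wrapping versions do not: they bound the field against what the file can plausibly contain (a stream count cap, the bytes actually remaining), and they test the arithmetic before performing it. Either check alone would have stopped both allocation overflows the advisory describes.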
The list of fixes in 5.623 also notes a “bounds check for comments parsing” bug that was fixed. Such out-of-bounds bugs are often exploitable.
The full list of fixes and changes is:
- Fixed: mp3 decoding errors at end of file (should fix reported CD burning errors)
- Fixed: [aacdec] Detection of parametric stereo for AAC files made with older encoders
- Fixed: [enc_fhgaac] MP4 encoder not always closing on errors or aborted transfers
- Fixed: [in_avi] Crashing with certain malformed AVI files
- Fixed: [in_flac & in_mp4] Memory leaks
- Fixed: [in_mod] Bounds check for comments parsing
- Fixed: [pmp] Multithreaded race condition (now supports thread-safe transfers)
- Fixed: [pmp_android] Embedded album art being deleted on transfers
- Misc: More general tweaks, improvements, fixes and optimizations
- Updated: [enc_fhgaac] Fraunhofer AAC Encoder v3.2.4
- Updated: [gen_jumpex] JTFE v1.2.5
Winamp 5.623 can be downloaded as follows:
- Winamp 5.623 Full (US English version)
- Winamp 5.623 Full (Multi-national installer)
- Winamp 5.623 Pro (Multi-national version, asks for key during install)
- Winamp 5.623 Lite (basic 2.x-style mp3/cd player)