Title: YAMT ID3 Tag Sort Command Execution Vulnerability
Severity: HIGH
Description:
YAMT (Yet Another MP3 Tool) is a MP3 organizer utility that is available for UNIX/Linux variants.
YAMT is prone to a vulnerability that may allow attackers to execute arbitrary commands. This issue is exposed when the program attempts to sort ID3 tags. As this data may originate from an external or untrusted source, this issue is considered remote in nature.
The specific issue exists in the id3tag_sort() function in 'id3tag.c'. The cause of the vulnerability is insufficient validation of ID3 tag data. This data will be used when moving MP3 files around during the sort operation. Files are moved around using the system() function. The vulnerability will permit an attacker to influence the arguments to system by inserting double-quotes and other meta-characters in the ID3 tag fields such as the 'Artist Name'.
Successful exploitation will allow an attacker to execute arbitrary commands when the software processes an MP3 that contains malicious ID3 tag data. This will occur in the context of the user running the application.
Affected Products:
- YAMT YAMT 0.5.0
References:
- "D. J. Bernstein" <djb@cr.yp.to>: [remote] [control] YAMT 0.5 id3tag_sort does not check for nasty characters
- YAMT: YAMT Homepage
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
