In association with heise online

30 October 2007, 11:48

Sony's SonicStage CP allows code injection

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Sony uses SonicStage CP software for loading its MP3 players. However, the application processes crafted playlists incorrectly, so that attackers can inject and execute external code.

According to a security advisory from Secunia, the security vulnerability was discovered by Parvez Anwar. If a .m3u playlist contains an entry with more than 1000 characters, a buffer overflow can occur. A sample program which is meant to demonstrate the vulnerability has now appeared on milw0rm.

The bug apparently affects the current version 4.3 of SonicStage CP and possibly previous versions. No update is yet available, so users of this software should not open .m3u playlists for the time being.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit