In association with heise online

11 May 2007, 14:04

Update closes security hole in Darwin Streaming Server


Apple has published an update for the Darwin Streaming Server (an open-source package used to distribute multimedia data streams) to fix security holes which attackers might exploit to inject and execute arbitrary code on affected servers.

This bug affects the integrated Streaming Proxy, which grants clients remote access to the RTSP data streams. An attacker may use manipulated RTSP packets to trigger a buffer overflow. The function is_command does not validate the length of entries prior to a copying operation. A buffer overflow may occur during a setup request, if the trackID field contains more than 32 values.
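
The length check described above as missing, shown as an added example (not Apple's code and not taken from the advisory): a hypothetical helper, extract_track_id, measures the trackID value in a SETUP request line before copying it into a fixed buffer and rejects oversized input. The 32-character capacity, the digits-only value format and the sample URL are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TRACK_ID_MAX 32  /* assumed capacity, mirroring the limit the article mentions */
enum { TRACK_OK = 0, TRACK_NOT_SETUP = -1, TRACK_MISSING = -2, TRACK_TOO_LONG = -3 };

/*
 * Copy the digits after "trackID=" in an RTSP SETUP request line into out
 * (capacity out_len, including the terminating NUL). The length is measured
 * and checked BEFORE anything is copied; oversized input is rejected, not truncated.
 */
int extract_track_id(const char *line, char *out, size_t out_len)
{
    static const char key[] = "trackID=";
    const char *p;
    size_t n = 0;

    if (line == NULL || out == NULL || out_len == 0)
        return TRACK_MISSING;
    out[0] = '\0';                      /* never leave stale data on failure */
    if (strncmp(line, "SETUP ", 6) != 0)
        return TRACK_NOT_SETUP;
    p = strstr(line, key);
    if (p == NULL)
        return TRACK_MISSING;
    p += sizeof(key) - 1;               /* skip past "trackID=" */

    while (isdigit((unsigned char)p[n]))
        n++;                            /* measure first, stops at NUL or non-digit */
    if (n == 0)
        return TRACK_MISSING;
    if (n >= out_len)                   /* the validation step: no room for value + NUL */
        return TRACK_TOO_LONG;

    memcpy(out, p, n);
    out[n] = '\0';
    return TRACK_OK;
}

int main(void)
{
    char id[TRACK_ID_MAX + 1];
    /* Constructed sample request line, not captured traffic. */
    int rc = extract_track_id(
        "SETUP rtsp://media.example/clip.mov/trackID=3 RTSP/1.0", id, sizeof id);
    printf("rc=%d id=%s\n", rc, id);
    return 0;
}
```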

While iDefense has confirmed that this bug exists for version 5.5.4 of the Darwin Streaming Server, they only reported this vulnerability for a self-compiled version with default options. According to their advisory, Apple’s binary package was not vulnerable. It is suspected that older versions are also affected. In any case, users are advised to install the current package of the software.
