Vulnerability Note VU#377368
Apple iTunes fails to properly handle overly long URLs in playlists
A buffer overflow vulnerability in iTunes could allow a remote attacker to execute arbitrary code.
Apple iTunes is a digital media player available for the Microsoft Windows and Mac OS X operating systems. It supports a variety of playlist formats including .m3u and .pls. A playlist allows a user to organize the order in which media files are played. In addition to media files, URLs to digital streams can be included in a playlist. There is a buffer overflow vulnerability in the way iTunes parses URL entries in .m3u and .pls playlist files. When iTunes parses a specially crafted playlist containing an overly long URL, a buffer overflow occurs, which could lead to arbitrary code execution.
By convincing a user to load a specially crafted .m3u or .pls playlist file into iTunes, an attacker could execute arbitrary code with the privileges of the user.
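One way to screen .m3u and .pls files for the condition described above before they reach a player, as an added example that is not part of the original note and not Apple's code: it extracts the URL entries from either format and flags any longer than a threshold. The 1024-character limit, the function names and the sample playlists are assumptions constructed for illustration; the note does not state the length that triggers the overflow.

```python
import re

# Assumed policy threshold: the note gives no exact length, so choose a limit
# well above any legitimate stream URL and tune it for your environment.
MAX_URL_LEN = 1024
PLS_FILE_KEY = re.compile(r"^file\d+\s*=\s*(.*)$", re.IGNORECASE)
URL_SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def playlist_entries(text):
    """Yield (line_no, entry) for each media entry in .m3u or .pls text."""
    is_pls = False
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.lower() == "[playlist]":
            is_pls = True  # .pls: entries are FileN=<path or URL> keys
        elif is_pls:
            match = PLS_FILE_KEY.match(line)
            if match:
                yield line_no, match.group(1).strip()
        elif line and not line.startswith("#"):
            yield line_no, line  # .m3u: every non-comment line is an entry


def find_long_urls(text, max_len=MAX_URL_LEN):
    """Return [(line_no, length)] for URL entries longer than max_len."""
    return [
        (line_no, len(entry))
        for line_no, entry in playlist_entries(text)
        if URL_SCHEME.match(entry) and len(entry) > max_len
    ]


# Constructed sample inputs (not taken from any real playlist).
SAMPLE_M3U = ("#EXTM3U\n#EXTINF:-1,Example\nhttp://radio.example/stream\n"
              "http://radio.example/" + "A" * 5000)
SAMPLE_PLS = ("[playlist]\nNumberOfEntries=2\nFile1=http://radio.example/live\n"
              "Title1=Live\nFile2=http://radio.example/" + "B" * 5000)

if __name__ == "__main__":
    for name, sample in (("sample.m3u", SAMPLE_M3U), ("sample.pls", SAMPLE_PLS)):
        for line_no, length in find_long_urls(sample):
            print(f"{name}:{line_no}: URL entry of {length} characters exceeds limit")
```

A check like this suits a mail or web gateway that quarantines playlist attachments; it does not replace installing the vendor's fix.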
Systems Affected
|Vendor|Status|Date Notified|Date Updated|
|---|---|---|---|
|Apple Computer Inc.|Affected|-|14 Jan 2005|
iDEFENSE credits Sean de Regge for reporting this vulnerability.
This document was written by Damon Morda.
- CVE IDs: CAN-2005-0043
- Date Public: 11 Jan 2005
- Date First Published: 14 Jan 2005
- Date Last Updated: 14 Jan 2005
- Severity Metric: 30.37
- Document Revision: 12