Vulnerability Note VU#377368

Apple iTunes fails to properly handle overly long URLs in playlists

Original Release date: 14 Jan 2005 | Last revised: 14 Jan 2005


A buffer overflow vulnerability in iTunes could allow a remote attacker to execute arbitrary code.


Apple iTunes is a digital media player available for the Microsoft Windows and Mac OS X operating systems. It supports a variety of playlist formats including .m3u and .pls. A playlist allows a user to organize the order in which media files are played. In addition to media files, URLs to digital streams can be included in a playlist. There is a buffer overflow vulnerability in the way iTunes parses URL entries in .m3u and .pls playlist files. If a remote attacker creates a specially crafted playlist containing an overly long URL, a buffer overflow will occur and could lead to arbitrary code execution.


By convincing a user to load a specially crafted .m3u or .pls playlist file into iTunes, an attacker could execute arbitrary code with the privileges of the user.


Install Update

Apple has addressed this issue in iTunes version 4.7.1. For further details, please refer to the iTunes 4.7.1 section in the Apple Security Advisory.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Apple Computer Inc.Affected-14 Jan 2005
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



iDEFENSE credits Sean de Regge for reporting this vulnerability

This document was written by Damon Morda.

Other Information

  • CVE IDs: CAN-2005-0043
  • Date Public: 11 Jan 2005
  • Date First Published: 14 Jan 2005
  • Date Last Updated: 14 Jan 2005
  • Severity Metric: 30.37
  • Document Revision: 12


If you have feedback, comments, or additional information about this vulnerability, please send us email.