From djb@cr.yp.to Wed Dec 15 14:22:46 2004
Date: 15 Dec 2004 08:28:39 -0000
From: D. J. Bernstein <djb@cr.yp.to>
To: securesoftware@list.cr.yp.to, bratislav@users.sourceforge.net
Subject: [remote] [control] YAMT 0.5 id3tag_sort does not check for nasty
    characters

Manigandan Radhakrishnan, a student in my Fall 2004 UNIX Security Holes
course, has discovered a remotely exploitable security hole in YAMT, an
MP3-organization tool. I'm publishing this notice, but all the discovery
credits should be assigned to Radhakrishnan.

YAMT is no longer maintained, according to its developers, but it is
still included in (for example) FreeBSD ports.

You are at risk if you take an MP3 file from a web page (or any other
source that could be controlled by an attacker) and feed it to the YAMT
Sort option. Whoever provides that MP3 file then has complete control
over your account: he can read and modify your files, watch the programs
you're running, etc.

Here's the bug: id3tag_sort(), in id3tag.c, runs the command

   mv "%s/%s" "%s%s/%s/%s"

with various %s strings replaced by, e.g., the MP3 Artist tag. YAMT does
not check for nasty characters---in particular, double quotes---inside
the Artist tag.
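The bug class above as an added worked example in C. This is not YAMT's code: the only thing taken from the advisory is the mv format string, and which value fills which %s, the function names, and the sample paths and tags are all assumptions. The vulnerable shape shows the command line a shell would parse when an attacker-controlled Artist tag contains a double quote; a small check shows why looking for the quote character alone is not enough; and the fix moves the file with rename(2) so no shell ever sees the tag.

```c
/* Added example, not code from YAMT: the shell-quoting bug the advisory
 * describes, reconstructed as a snprintf()-into-a-command pattern, beside a
 * replacement that never hands tag data to a shell. Only the mv format
 * string comes from the advisory; the argument mapping and all names below
 * are assumptions. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum { PATHBUF = 4096 };

/* Vulnerable shape: tag values are pasted into a shell command line.
 * This builds the string the shell would see but deliberately does not
 * call system(), so the example is safe to run. */
int build_mv_command(char *cmd, size_t n, const char *srcdir,
                     const char *file, const char *root, const char *sub,
                     const char *artist)
{
    int len = snprintf(cmd, n, "mv \"%s/%s\" \"%s%s/%s/%s\"",
                       srcdir, file, root, sub, artist, file);
    return (len >= 0 && (size_t)len < n) ? 0 : -1;
}

/* Inside double quotes /bin/sh still interprets ", $, ` and \, so a check
 * that rejects only the quote character would leave $(...) injection open. */
int tag_breaks_quoting(const char *tag)
{
    return strpbrk(tag, "\"$`\\") != NULL;
}

/* A tag used as one path component must not contain '/' and must not be
 * "", "." or "..", or the destination escapes the intended tree. This
 * traversal check is added hardening; the advisory covers only quoting. */
int valid_path_component(const char *tag)
{
    if (tag[0] == '\0' || strchr(tag, '/') != NULL)
        return 0;
    if (strcmp(tag, ".") == 0 || strcmp(tag, "..") == 0)
        return 0;
    return 1;
}

/* Fixed shape: validate the tag, build the paths with snprintf(), create
 * the target directory, and move with rename(2). No shell is involved, so
 * there is no quoting to break. Returns 0 on success, -1 on any failure. */
int safe_move_by_tag(const char *srcdir, const char *file,
                     const char *root, const char *artist)
{
    char src[PATHBUF], dstdir[PATHBUF], dst[PATHBUF];

    if (!valid_path_component(artist) || !valid_path_component(file))
        return -1;
    if (snprintf(src, sizeof src, "%s/%s", srcdir, file) >= (int)sizeof src)
        return -1;
    if (snprintf(dstdir, sizeof dstdir, "%s/%s", root, artist) >= (int)sizeof dstdir)
        return -1;
    if (snprintf(dst, sizeof dst, "%s/%s", dstdir, file) >= (int)sizeof dst)
        return -1;
    if (mkdir(dstdir, 0755) != 0 && errno != EEXIST)
        return -1;
    return rename(src, dst) == 0 ? 0 : -1;
}

int main(void)
{
    char cmd[512];
    /* Constructed malicious Artist tag: closes the quoted argument, runs a
     * command, then reopens quoting so the rest of the line still parses. */
    const char *artist = "Foo\" ; id ; echo \"";

    if (build_mv_command(cmd, sizeof cmd, "/in", "song.mp3",
                         "/home/user", "/Music", artist) == 0)
        printf("shell would see: %s\n", cmd);
    printf("tag_breaks_quoting: %d\n", tag_breaks_quoting(artist));
    return 0;
}
```

rename(2) fails with EXDEV when source and destination are on different filesystems; if the music tree can span mounts, the right fallback is fork() plus execvp("mv", argv) with the paths passed as separate argv entries, which still keeps every tag value out of a shell parser.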

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago