Source: mpd
Version: 0.24.8-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for mpd.

CVE-2026-49127[0]:
| Music Player Daemon (MPD) before version 0.24.11 contains a stack
| buffer overflow vulnerability in the pcm_unpack_24be function in
| src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt
| stack memory by triggering an off-by-one write in the PCM decoder
| plugin. Attackers can issue two MPD commands referencing a malicious
| HTTP audio source to cause the unpack loop to write 1366 entries
| into a 1365-entry buffer, overwriting four bytes past the array
| boundary with three attacker-controlled bytes from an HTTP response
| body, resulting in daemon termination or potential code execution.

CVE-2026-49128[1]:
| Music Player Daemon (MPD) before version 0.24.11 contains a path
| traversal vulnerability in LocalStorage::MapFSOrThrow and
| LocalStorage::MapUTF8 within the local storage plugin, where the on-
| disk path is constructed by joining the storage root with a user-
| supplied URI as plain strings without canonicalization, allowing
| '..' segments to survive into the resolved path and be flattened by
| the kernel at openat() time. An unauthenticated attacker can exploit
| this flaw using the listfiles command to enumerate names, sizes, and
| modification times of arbitrary directories readable by the MPD
| process, and the albumart command to read image files in any
| attacker-chosen directory outside the configured music_directory.

CVE-2026-49129[2]:
| Music Player Daemon (MPD) before version 0.24.11 contains a server-
| side request forgery vulnerability in CurlInputPlugin where
| CURLOPT_FOLLOWLOCATION is set without CURLOPT_REDIR_PROTOCOLS_STR,
| allowing unauthenticated attackers to bypass the http/https scheme
| restriction by causing a malicious HTTP server to redirect to non-
| HTTP protocols such as gopher, ftp, sftp, ldap, dict, rtmp, or rtsp.
| Attackers can trigger this vulnerability via MPD commands that
| initiate URL fetches, including add, readcomments, albumart,
| readpicture, or load, to interact with internal or restricted
| network services on systems running libcurl versions prior to
| 7.85.0.

CVE-2026-49130[3]:
| Music Player Daemon (MPD) before version 0.24.11 contains a CRLF
| injection vulnerability in the xspf_char_data function within the
| XSPF playlist plugin that allows attackers to embed literal CR/LF
| bytes in URI fields by supplying a malicious XSPF playlist with XML
| numeric character references. Attackers can inject forged key-value
| lines through the location field into MPD protocol responses
| including playlistinfo, currentsong, and listplaylist outputs, as
| well as the state file writer, by exploiting Expat's decoding of
| numeric character references prior to the character data callback.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-49127
    https://www.cve.org/CVERecord?id=CVE-2026-49127
[1] https://security-tracker.debian.org/tracker/CVE-2026-49128
    https://www.cve.org/CVERecord?id=CVE-2026-49128
[2] https://security-tracker.debian.org/tracker/CVE-2026-49129
    https://www.cve.org/CVERecord?id=CVE-2026-49129
[3] https://security-tracker.debian.org/tracker/CVE-2026-49130
    https://www.cve.org/CVERecord?id=CVE-2026-49130

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
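Added example for the CVE-2026-49127 description above (illustration written for this page, not MPD's src/pcm/Pack.cxx): a bounds-checked big-endian 24-bit unpack, with the sample count derived by floor division so a trailing partial sample can never become an extra write. The 4096-byte chunk size, the function names, and the rounding-up helper shown as the classic way such an off-by-one arises are assumptions; the report only states that 1366 entries are written into a 1365-entry buffer.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Decode one big-endian 24-bit signed sample into a sign-extended int32.
// Sign extension is done arithmetically so it does not depend on the
// implementation-defined behaviour of shifting negative values.
int32_t sample_24be(const uint8_t* p) {
    uint32_t u = (uint32_t(p[0]) << 16) | (uint32_t(p[1]) << 8) | uint32_t(p[2]);
    return (u & 0x800000u) ? int32_t(u) - 0x1000000 : int32_t(u);
}

// Number of whole 3-byte samples in a byte count: floor, never round up.
constexpr size_t whole_samples(size_t src_bytes) { return src_bytes / 3; }

// Assumed illustration of how an off-by-one count arises: rounding up
// admits a trailing partial sample, one more write than the input holds.
// (The exact upstream arithmetic is not stated in the report.)
constexpr size_t samples_rounding_up(size_t src_bytes) { return (src_bytes + 2) / 3; }

// Bounds-checked unpack: writes at most dst_cap samples and at most as
// many as the source bytes fully contain. Returns the count written, so
// a caller can detect a short conversion instead of trusting the buffer.
size_t unpack_24be_checked(const uint8_t* src, size_t src_bytes,
                           int32_t* dst, size_t dst_cap) {
    size_t n = whole_samples(src_bytes);
    if (n > dst_cap) n = dst_cap;
    for (size_t i = 0; i < n; ++i)
        dst[i] = sample_24be(src + 3 * i);
    return n;
}

// Invariant a fuzzer or unit test can assert against any unpack loop:
// the planned write count must fit both the input and the output.
constexpr bool unpack_fits(size_t n_samples, size_t src_bytes, size_t dst_cap) {
    return n_samples * 3 <= src_bytes && n_samples <= dst_cap;
}
```

With a 4096-byte input (constructed figure) and a 1365-entry output, `whole_samples` yields 1365 and `unpack_fits` accepts it, while a count of 1366 is rejected by the same invariant; the three leftover input bytes of a partial sample are simply carried over to the next call rather than decoded.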
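Added example for the CVE-2026-49128 description above (illustration written for this page, not MPD's LocalStorage code): the plain-string join the report describes, beside a mapping that normalises the URI segment by segment before joining and refuses anything that would climb out of the storage root. Function names, the root directory and the sample URIs are assumptions.

```cpp
#include <optional>
#include <string>
#include <string_view>
#include <vector>

// Vulnerable pattern: root and URI are concatenated as plain strings, so
// "../" segments survive into the path and are resolved by the kernel at
// open time, escaping the root.
std::string map_uri_naive(const std::string& root, const std::string& uri) {
    return root + "/" + uri;
}

// Split a URI on '/'; empty segments ("a//b", leading or trailing '/')
// are dropped so they cannot be used to confuse the normalisation below.
static std::vector<std::string> split_segments(std::string_view uri) {
    std::vector<std::string> out;
    std::string cur;
    for (char c : uri) {
        if (c == '/') {
            if (!cur.empty()) out.push_back(cur);
            cur.clear();
        } else {
            cur += c;
        }
    }
    if (!cur.empty()) out.push_back(cur);
    return out;
}

// Hardened pattern: normalise lexically *before* joining. "." is dropped,
// ".." pops the previous segment, and a ".." with nothing left to pop
// (i.e. one that would leave the root) rejects the whole URI. Absolute
// URIs and embedded NUL bytes are refused as well.
std::optional<std::string> map_uri_checked(const std::string& root, std::string_view uri) {
    if (!uri.empty() && uri.front() == '/') return std::nullopt;
    if (uri.find('\0') != std::string_view::npos) return std::nullopt;

    std::vector<std::string> stack;
    for (const std::string& seg : split_segments(uri)) {
        if (seg == ".") continue;
        if (seg == "..") {
            if (stack.empty()) return std::nullopt;   // would escape root
            stack.pop_back();
            continue;
        }
        stack.push_back(seg);
    }

    std::string path = root;
    for (const std::string& seg : stack) {
        path += '/';
        path += seg;
    }
    return path;
}
```

Lexical normalisation closes the traversal described in the report, but it says nothing about symlinks already present under the root; a deployment that cannot trust the directory tree should additionally resolve the final path with realpath() and confirm the result still has the resolved root as a prefix.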
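Added example for the CVE-2026-49130 description above (illustration written for this page, not MPD's XSPF plugin): a small decoder for XML numeric character references stands in for the decoding Expat performs before the character-data callback, so the `&#13;&#10;` in a constructed `<location>` value arrives as a raw CR LF pair; a naive "key: value" writer then emits the smuggled text as an extra response line, while the checked writer and the acceptance check at the XSPF field refuse it. The decoder, the writer functions and the sample location string are assumptions.

```cpp
#include <cstddef>
#include <optional>
#include <string>
#include <string_view>

// Minimal decoder for &#NN; and &#xHH; references, limited to code points
// below 128 so the demo stays ASCII. It mimics what the XML parser has
// already done by the time a character-data handler runs: the handler
// sees literal bytes, not the escaped references.
std::string decode_numeric_refs(std::string_view in) {
    std::string out;
    for (size_t i = 0; i < in.size(); ) {
        if (in[i] == '&' && i + 2 < in.size() && in[i + 1] == '#') {
            size_t j = i + 2;
            unsigned base = 10;
            if (j < in.size() && (in[j] == 'x' || in[j] == 'X')) { base = 16; ++j; }
            unsigned value = 0;
            size_t digits = 0;
            while (j < in.size() && in[j] != ';') {
                char c = in[j];
                unsigned d;
                if (c >= '0' && c <= '9') d = c - '0';
                else if (base == 16 && c >= 'a' && c <= 'f') d = c - 'a' + 10;
                else if (base == 16 && c >= 'A' && c <= 'F') d = c - 'A' + 10;
                else break;
                value = value * base + d;
                ++digits;
                ++j;
            }
            if (digits > 0 && j < in.size() && in[j] == ';' && value < 128) {
                out += static_cast<char>(value);
                i = j + 1;
                continue;
            }
        }
        out += in[i++];
    }
    return out;
}

// Naive protocol writer: the value is copied verbatim into "key: value\n",
// so CR/LF inside the value turns into additional, attacker-chosen lines.
std::string naive_line(std::string_view key, std::string_view value) {
    return std::string(key) + ": " + std::string(value) + "\n";
}

// Hardened writer: refuse any value containing a line terminator.
std::optional<std::string> checked_line(std::string_view key, std::string_view value) {
    if (value.find_first_of("\r\n") != std::string_view::npos) return std::nullopt;
    return naive_line(key, value);
}

// The same check applied where decoded XSPF text is accepted into a URI
// field, which is the earliest point the plugin can reject it.
bool accept_xspf_location(std::string_view decoded) {
    return decoded.find_first_of("\r\n") == std::string_view::npos;
}

// Constructed malicious <location> text: the references smuggle a CRLF
// followed by a forged protocol line.
const char* const kMaliciousLocation =
    "http://example.invalid/a.mp3&#13;&#10;Artist: forged";
```

Rejecting at the field is preferable to escaping at every writer because the report lists several sinks (playlistinfo, currentsong, listplaylist, the state file), and a single missed writer reopens the injection.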

