- The version of
tinysvcmdnsbundled in Shairport Sync has a buffer overflow bug: "An exploitable heap overflow vulnerability exists in the tinysvcmdns library version 2016-07-18. A specially crafted packet can make the library overwrite an arbitrary amount of data on the heap with attacker controlled values. An attacker needs send a dns packet to trigger this vulnerability." The vulnerability is addressed by additional checking on packet sizes. See also CVE-2017-12087 and Vulnerability in tinysvcmdns.
Thanks and Chris Boot for fixing this bug.
Continuing experiments with D-Bus and
MPRIS support. As before, please note that the implementation is likely to change greatly or be removed at any time.