[MPlayer-announce] MPlayer 1.0rc1try3 released

Roberto Togni rxt at rtogni.it
Tue Jun 5 23:25:18 CEST 2007


MPlayer 1.0rc1try3 was released because of a security fix. There is no
new tarball available, just a patch to be applied over existing rc1.

SVN commit to fix the issue:
http://svn.mplayerhq.hu/mplayer/trunk/stream/stream_cddb.c?r1=23287&r2=23470

Patch to 1.0rc1:
http://www.mplayerhq.hu/MPlayer/patches/cddb_fix_20070605.diff

Other older security fixes to be applied to 1.0rc1:
http://www.mplayerhq.hu/MPlayer/patches/asmrules_fix_20061231.diff



Stack overflow in stream_cddb.c


Summary

A stack overflow was found and reported by Stefan Cornelius of Secunia Research in the code used to handle cddb queries. Two other similar issues were found by Reimar Döffinger while fixing the issue. The vulnerability is identified as CVE-2007-2948 and SAID 24302.

When copying the album title and category, no checking was performed on the size of the strings before storing them in a fixed-size array. A malicious entry in the database could trigger a stack overflow in the program, leading to arbitrary code execution with the uid of the user running MPlayer.
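The pattern the advisory describes is a server-supplied string copied into a fixed-size array with no length check. The following C example is added here for illustration and is not MPlayer's stream_cddb.c code; the structure, field sizes, function names and the "200 <category> <discid> <title>" reply format it parses are assumptions chosen to show the defensive check, namely rejecting any field that would not fit before it ever reaches the fixed buffer.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size fields, loosely modelled on what a CDDB client
 * keeps per disc. These are NOT MPlayer's own definitions. */
#define CDDB_CATEGORY_LEN 64
#define CDDB_TITLE_LEN    128

typedef struct {
    char category[CDDB_CATEGORY_LEN];
    char title[CDDB_TITLE_LEN];
} cddb_entry_t;

/* Hardened copy: the source length is compared against the destination
 * size first, and an oversized value is rejected rather than truncated,
 * so a malicious database entry can never overrun the fixed array. */
static bool copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (len >= dst_size)        /* leave room for the terminating NUL */
        return false;
    memcpy(dst, src, len + 1);
    return true;
}

/* Parse one hypothetical query reply line of the form
 *   "200 <category> <discid-hex> <title>"
 * into *out. Returns false on malformed or oversized input. */
bool parse_cddb_query_reply(const char *line, cddb_entry_t *out)
{
    char category[512], title[512];
    unsigned discid;

    /* Width specifiers cap what sscanf writes into the locals. */
    if (sscanf(line, "200 %511s %x %511[^\n]", category, &discid, title) != 3)
        return false;
    if (!copy_bounded(out->category, sizeof out->category, category))
        return false;
    if (!copy_bounded(out->title, sizeof out->title, title))
        return false;
    return true;
}

/* Constructed well-formed sample: must parse and keep both fields intact. */
bool check_wellformed_sample(void)
{
    cddb_entry_t e;
    const char *line = "200 rock 940a2b0c Some Artist / Some Album";
    return parse_cddb_query_reply(line, &e)
        && strcmp(e.category, "rock") == 0
        && strcmp(e.title, "Some Artist / Some Album") == 0;
}

/* Constructed hostile sample: a 300-byte title, far larger than the
 * 128-byte destination, must be rejected instead of overflowing. */
bool check_overlong_sample(void)
{
    char longtitle[301];
    char line[400];
    cddb_entry_t e;

    memset(longtitle, 'A', 300);
    longtitle[300] = '\0';
    snprintf(line, sizeof line, "200 rock 940a2b0c %s", longtitle);
    return !parse_cddb_query_reply(line, &e);
}

int main(void)
{
    printf("well-formed entry accepted: %s\n", check_wellformed_sample() ? "yes" : "no");
    printf("overlong entry rejected:    %s\n", check_overlong_sample() ? "yes" : "no");
    return 0;
}
```

Rejecting rather than silently truncating is the deliberate choice here: a truncated title is harmless, but refusing the entry also makes an oversized field visible as an error in logs, which is what a defender wants to see when a database record does not look like it should.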

Severity

High (arbitrary remote code execution under the user ID running the player) when getting disc information from a malicious cddb entry, none if you do not use this feature. Please note that it is possible to overwrite entries in the cddb database, so an attack can also be performed via a non-compromised server. At the time the buffer overflow was fixed there was no known exploit in the wild.

Solution

A fix for this problem was committed to SVN on Tue Jun 5 11:13:32 2007 UTC as r23470. Users of affected MPlayer versions should download a patch for MPlayer 1.0rc1 or update to the latest version if they're using SVN.

In case you can't upgrade or apply the suggested patch, these are some possible workarounds:

    * Don't use cddb:// urls (be careful also with playlists)
    * Redirect freedb.freedb.org to 127.0.0.1 (e.g. via hosts file)
    * Recompile with --disable-cddb

Please note that we are not releasing an updated tarball with this fix at this moment.
If you need to stay with 1.0rc1, get the MPlayer 1.0rc1 tarball, apply the patch with the fix and recompile MPlayer; otherwise upgrade to SVN.
If you decide to stay with rc1, don't forget to also apply the older fix linked above (asmrules_fix_20061231.diff). If you maintain a binary package for MPlayer, please name the updated version MPlayer 1.0rc1try3.

Affected versions

MPlayer 1.0rc1, MPlayer 1.0rc1try2 and SVN before r23470 (Tue Jun 5 11:13:32 2007 UTC). Older versions are probably affected, too, but they were not checked.

Unaffected versions

SVN HEAD after r23470 (Tue Jun 5 11:13:32 2007 UTC)
MPlayer 1.0rc1 + security patches
