[MPlayer-dev-eng] remote buffer overflow vulnerabilities in the GUI code

Diego Biurrun diego at biurrun.de
Thu Jul 1 16:20:26 CEST 2004


________
Summary:
~~~~~~~~

Multiple string handling vulnerabilities have been found and fixed in the
MPlayer GUI code, at least one of which was remotely exploitable.


_________
Severity:
~~~~~~~~~

High (arbitrary remote code execution under the user ID running the
player) if using the GUI to play certain types of playlist files, none
when using only the command line. The MPlayer GUI is optional and not
built by default.


_________
Solution:
~~~~~~~~~

A fix for the vulnerability with the known exploit was checked into
MPlayer CVS on Wed, 2 June 2004 12:40:41 +0000 (UTC). The result of a
thorough code audit that uncovered further potentially exploitable
bugs was checked into MPlayer CVS on Fri, 25 June 2004 16:49:52 +0000
(UTC). All of this will be included in MPlayer 1.0pre5. Users of
affected MPlayer versions should upgrade to MPlayer 1.0pre5 or a
current CVS snapshot.


__________________
Affected versions:
~~~~~~~~~~~~~~~~~~

MPlayer 1.0pre4 and before
MPlayer 0.92.1 and before


____________________
Unaffected versions:
~~~~~~~~~~~~~~~~~~~~

none


________
History:
~~~~~~~~

On Tue, 1 June 2004 MPlayer developers were contacted by c0ntex
<c0ntex at open-security.org> who had found a string handling
vulnerability in the MPlayer GUI code complete with an example exploit
and a preliminary fix. That fix was checked into MPlayer CVS on Wed, 2
June 2004 12:40:41 +0000 (UTC).

When playing certain types of playlist files with extremely long
entries a buffer overflow error occurs. This allows an attacker to
overwrite memory with specially crafted playlist files and execute
arbitrary code under the user ID running MPlayer.
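The following C program is an added illustration of the bug class the
advisory describes, not MPlayer's code: a playlist entry copied into a
fixed-size buffer without checking its length, beside a hardened version
that measures first, refuses entries that would not fit, and terminates
explicitly. The playlist format (one entry per line, '#' comments), the
buffer size ENTRY_MAX, the capacity MAX_ENTRIES and every function name
are assumptions made for the example; the sample playlist is constructed
inline and contains one deliberately over-long entry.

```c
#include <stdio.h>
#include <string.h>

#define ENTRY_MAX   256   /* assumed size of the fixed per-entry buffer */
#define MAX_ENTRIES 16    /* assumed playlist capacity for this example */
#define OVERLONG    600   /* length of the constructed over-long entry */

struct entry { char path[ENTRY_MAX]; };

struct playlist {
    struct entry items[MAX_ENTRIES];
    int count;     /* entries accepted */
    int rejected;  /* entries dropped because they would not fit */
};

/* The bug class: strcpy() trusts the length of whatever came out of the
 * file. A line of ENTRY_MAX or more bytes runs past path[] and overwrites
 * whatever follows it in memory. Shown for contrast only; this example
 * never feeds it a long line. */
static void copy_entry_unchecked(struct entry *e, const char *line)
{
    strcpy(e->path, line);
}

/* Hardened form: the caller passes the length it measured, the copy is
 * refused when it would not fit together with its terminator, and the
 * terminator is written explicitly. Returns 0 on success, -1 if rejected. */
static int copy_entry_checked(struct entry *e, const char *line, size_t len)
{
    if (len >= sizeof e->path)
        return -1;
    memcpy(e->path, line, len);
    e->path[len] = '\0';
    return 0;
}

/* One entry per line; blank lines and '#' comments are skipped (assumed
 * format). Over-long entries are counted and dropped instead of copied.
 * Returns 0, or -1 if the playlist holds more entries than fit. */
static int parse_playlist(const char *text, struct playlist *pl)
{
    const char *p = text;

    memset(pl, 0, sizeof *pl);
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);

        if (len && p[len - 1] == '\r')          /* tolerate CRLF files */
            len--;
        if (len && p[0] != '#') {
            if (pl->count == MAX_ENTRIES)
                return -1;
            if (copy_entry_checked(&pl->items[pl->count], p, len) == 0)
                pl->count++;
            else
                pl->rejected++;
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    return 0;
}

/* Constructed sample input, not a real playlist: a comment, a local path,
 * one entry of OVERLONG 'A' bytes (the hostile line), then a URL. */
static int build_sample(char *buf, size_t size)
{
    const char *head = "# constructed sample playlist\r\n/media/a.avi\n";
    const char *tail = "\nhttp://example.invalid/b.ogg\n";
    size_t hl = strlen(head), tl = strlen(tail);

    if (hl + OVERLONG + tl + 1 > size)
        return -1;
    memcpy(buf, head, hl);
    memset(buf + hl, 'A', OVERLONG);
    memcpy(buf + hl + OVERLONG, tail, tl);
    buf[hl + OVERLONG + tl] = '\0';
    return 0;
}

/* Parses the sample with the hardened code; -1 on setup failure. */
static int demo_parse(struct playlist *pl)
{
    char buf[1024];
    return build_sample(buf, sizeof buf) == 0 ? parse_playlist(buf, pl) : -1;
}

static int demo_accepted_count(void)
{
    struct playlist pl;
    return demo_parse(&pl) == 0 ? pl.count : -1;
}

static int demo_rejected_count(void)
{
    struct playlist pl;
    return demo_parse(&pl) == 0 ? pl.rejected : -1;
}

/* 1 if accepted entry idx equals expected, else 0. */
static int demo_entry_is(int idx, const char *expected)
{
    struct playlist pl;
    if (demo_parse(&pl) != 0 || idx < 0 || idx >= pl.count)
        return 0;
    return strcmp(pl.items[idx].path, expected) == 0;
}

int main(void)
{
    struct entry e;
    struct playlist pl;
    int i;

    copy_entry_unchecked(&e, "short.avi");  /* harmless only because it is short */
    printf("unchecked copy of a short entry: %s\n", e.path);
    if (demo_parse(&pl) != 0)
        return 1;
    for (i = 0; i < pl.count; i++)
        printf("accepted: %s\n", pl.items[i].path);
    printf("rejected as over-long: %d\n", pl.rejected);
    return 0;
}
```

The point of the hardened path is that the length is a value the parser
computed and checked before any write, so a hostile 600-byte line is
dropped and logged rather than copied; the audit described in this
advisory replaced unbounded copies of this kind with bounded ones.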

Richard Felker started a general audit of the GUI code for further
string handling problems and uncovered a host of potential bugs, some
of which were probably exploitable. Nicholas Kain proceeded to do a
full audit of the MPlayer code for insecure string handling, which was
finished by Alexander Strasser.  The result of this audit was checked
into MPlayer CVS on Fri, 25 June 2004 16:49:52 +0000 (UTC).

Since the first quick review of the GUI code immediately revealed
several potentially exploitable bugs we have refrained from publishing
this advisory until a thorough audit of the whole code was finished.

On Thu, 1 July 2004 11:22:29 (UTC) a simple port of the fixes was
committed to the 0_90 stable MPlayer source tree. This was done
without a further audit of the 0_90 code base due to lack of
resources. We have therefore dropped further support of the 0_90 tree
and recommend upgrading to MPlayer 1.0pre5 or latest CVS.


_________
Download:
~~~~~~~~~

MPlayer 1.0pre5, 0.93 and CVS snapshots can be downloaded from the
MPlayer homepage or one of its many mirrors. Go to the MPlayer
download page at

http://www.mplayerhq.hu/homepage/dload.html

to get MPlayer 1.0pre5 source code or a CVS snapshot.

