[MPlayer-dev-eng] my two cents

Sven Tantau sven at sven-tantau.de
Fri Aug 26 18:10:38 CEST 2005


Reimar Döffinger wrote:
> Hi,
> On Fri, Aug 26, 2005 at 04:38:39AM +0200, Sven Tantau wrote:
> 
>>as you are crying about my posting to full disclosure, I need to comment
>>on this:
> 
> 
> "Crying" is not the right word IMHO. Also it is more the content
> that we complain about than just the posting in itself.

Ok. I am open to talk about this.
It was done quickly, I asked for confirmation and I even stated that I
am not sure about my conclusions. If you need more information, (What I
can fully understand after your problems to reproduce.) please just ask
for it.


> Some things made it really look bad (and things difficult for us to make
> a quick fix): the bad availability of the sample, saying "2 bytes strf
> parameter" (it is not a parameter, it is a chunk, and it contains the
> whole WAVEFORMATEX structure in this case), pointing to
> af_calc_insize_constrained as the source of the problem although it
> seems it is not, and saying that it gets overwritten in demuxer.c
> although it seems to be in ad_pcm.c.
> Though please check if
> http://www1.mplayerhq.hu/cgi-bin/cvsweb.cgi/main/libmpcodecs/ad_pcm.c.diff?r1=1.18&r2=1.19
> fixes it, to make sure we are talking about the same thing here.


I patched and can confirm that it works. We talk about the same thing.

>>At first I apologise for not contacting the developers via private
>>channel. I can explain this. I did not know that I have to do so. As
>>there is no special security contact person; and from your guidelines:
>>
>>B.3. Where to report bugs
>>
>>Subscribe to the MPlayer-users mailing list:
>>http://mplayerhq.hu/mailman/listinfo/mplayer-users and send your bug
>>report to mailto:mplayer-users at mplayerhq.hu where you can discuss it.
> 
> 
> What annoyed us here is that it was below what we expect from bug
> reports: It didn't contain a sample file (sorry, but at least I don't
> have filesharing programs around, and you didn't exactly say where to
> look for it either),

I knew it is findable. Most times I am forced to use a modem too.
I can understand that you do not like this way of reporting. I can not
understand why nobody asked me for the file after you read my posting.

> it did not contain MPlayer output, no gdb
> backtrace,

I missed the backtrace. True. Not good. I would like to apologize
for this. I thought: They will reproduce this.. and do the
backtrace on their own. You had problems to reproduce. Once again: Why is
there no mail in my inbox asking for more details?

> not even command line used to start MPlayer.
> So even after becoming aware of it, that made it very difficult to
> reproduce it as with CVS versions this happens very rarely.
> And in my case I am still a modem user so no "quickly downloading" pre7.

As I mentioned, me too. One reason for not sending the (video) file.


>>Nobody has to follow your reporting guidelines.
> 
> 
> Sure not, but I would object to the "vendor contacted" part of the
> advisory since it didn't really reach us (I always find "vendor" very
> weird in this context).

Next time I use the word developers.
I am sorry that my posting on the user-ml went down in noise. I saw
several postings of developers (or at least people knowing mplayer
details), including you. As there is not that much traffic on the list,
I had no real reason to believe nobody saw my report.


>>Btw: I asked for confirmation in my postings to your list and to full
>>disclosure. In my opinion heise made the big deal of it... (Until I read
>>your complaints, I thought they checked all I said and I saw their story
>>as confirmation.)
> 
> 
> I guess nobody who knows heise is really shocked when they make a big
> deal about it. But IMHO they should have stated that a MediaPlayer is
> probably never something you should assume to be "safe to use". I am
> certain there are a lot more holes in MPlayer.
> I hope you can at least partially understand why we were quite annoyed
> about all this.

Yes. I can even understand that some of you freak out about me posting
this to an open list. But please understand that all (including lame
bug-report) happened because of bad communication and me being lazy. Not
because I wanted you in trouble.

Although I never planned to spend much time on this, I still offer my
help reproducing this (as it is exploitable on my (some) systems). My
Testbox is a notebook; we can even meet in the Bonn/Cologne area and I
show you the reaction on my system. With version pre4 and pre7. I would
like to see one of you developers saying: 'Ok.. it is exploitable in
some setups.'


Regards

Sven


-- 
Sven Tantau
+49 177 7824828
http://www.sven-tantau.de/  ***  http://www.beastiebytes.de/
http://twe.sven-tantau.de/  ***  http://www.bewiso.de/



