[MPlayer-dev-eng] [SECURITY] heap-based buffer overflow in libmpdemux/aviheader.c - fixed in SVN already?

Reimar Döffinger Reimar.Doeffinger at stud.uni-karlsruhe.de
Sat Sep 22 13:46:50 CEST 2007


Hello,
On Sat, Sep 22, 2007 at 12:48:48PM +0200, Dominik 'Rathann' Mierzejewski wrote:
> Am I correct in thinking that r24447 fixes that?
> 
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4938
> 
> If what they say here:
> http://www.vulnhunt.com/advisories/CAL-20070912-1_Multiple_vendor_produce_handling_AVI_file_vulnerabilities.txt
> ...
> DISCLOSURE TIMELINE:
> ====================
> 1: 2007-07-30 notice MPlayer vendor 
> 2: 2007-07-31 the vendor reply
> ...
> 
> is true, then why was the fix committed only 8 days ago?

Because I was hoping that despite their inability to spell they would
get their act together and explain why they think this is a security
issue in MPlayer (I don't count a NULL dereference as such in MPlayer
for now) and not a libc problem that has been known for years and that
they are recycling now.
This was also already discussed on this list some days/weeks ago.
And this is what they refer to as "vendor reply":

"
Hello,
On Mon, Jul 30, 2007 at 02:54:59PM +0800, Code Audit Labs wrote:
[...]
>      and example code
>      calloc(0x10000001, 0x10);
> 
>      it will return NULL in winxp or glibc 2.5

In this case it only results in a crash and is not critical (still the
suggestion of exchanging the checks seems good and will very likely be
implemented).

>      it will return a 0x10-size heap block in glibc <2.5 (maybe prior) or
> win2000 sp4

This is an integer overflow vulnerability in the calloc implementations
(see also e.g. http://cert.uni-stuttgart.de/advisories/calloc.php), and
we have no intention of working around it.

Greetings,
Reimar Döffinger
"
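The calloc() argument overflow the two mails argue about, worked through as an added example (this is not MPlayer code and not from the advisory; the MAX_ENTRIES limit and the alloc_entries() pattern are assumptions standing in for the "exchange the checks" suggestion). It shows the wrapped 32-bit product for calloc(0x10000001, 0x10), a portable overflow test that returns NULL the way a correct libc does, and a count limit applied before the multiplication ever happens:

```c
/* Added illustration of the calloc() nmemb*size overflow discussed above.
 * Not MPlayer code; MAX_ENTRIES below is an arbitrary example limit. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* nmemb*size reduced modulo 2^32: the byte count a 32-bit calloc() that
 * does not check for overflow actually hands to its allocator. */
static uint32_t wrapped_size32(uint32_t nmemb, uint32_t size)
{
    return nmemb * size;                /* unsigned wrap is well defined */
}

/* Overflow test for a 32-bit size_t: nonzero when nmemb*size does not fit. */
static int mul_overflows32(uint32_t nmemb, uint32_t size)
{
    return size != 0 && nmemb > UINT32_MAX / size;
}

/* Same test for the native size_t, used by the wrapper below. */
static int mul_overflows(size_t nmemb, size_t size)
{
    return size != 0 && nmemb > SIZE_MAX / size;
}

/* calloc() that refuses overflowing requests itself instead of trusting
 * libc to notice. Returns NULL on overflow, like a correct libc would. */
static void *checked_calloc(size_t nmemb, size_t size)
{
    if (mul_overflows(nmemb, size))
        return NULL;
    return calloc(nmemb, size);
}

/* Pattern for an untrusted count read from a file header: reject absurd
 * counts before any multiplication, then allocate with the checked wrapper.
 * The limit is hypothetical, chosen for this example only. */
#define MAX_ENTRIES 1000000u
static void *alloc_entries(uint32_t count, size_t entry_size)
{
    if (count > MAX_ENTRIES)
        return NULL;                    /* bogus header, do not allocate */
    return checked_calloc(count, entry_size);
}

int main(void)
{
    /* The advisory's numbers: 0x10000001 * 0x10 = 0x100000010, which
     * wraps to 0x10 in 32 bits, so an unchecked calloc() returns a
     * 16-byte block for what the caller believes is 4 GiB of entries. */
    printf("wrapped 32-bit size: 0x%x\n", wrapped_size32(0x10000001u, 0x10u));
    printf("overflows on 32-bit: %d\n", mul_overflows32(0x10000001u, 0x10u));

    void *p = alloc_entries(0x10000001u, 0x10);
    printf("alloc_entries(0x10000001, 0x10) -> %s\n", p ? "buffer" : "NULL");
    free(p);

    p = alloc_entries(4, 16);
    printf("alloc_entries(4, 16) -> %s\n", p ? "buffer" : "NULL");
    free(p);
    return 0;
}
```

Note that on a 64-bit build the product 0x100000010 fits in size_t, so only the count limit rejects the request there; that is why a parser wants both checks, the sanity limit on the header field and the overflow test in the allocator wrapper.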
