[MPlayer-dev-eng] Attack by subtitles - from subtitles to complete takeover

Compn tempn at mi.rr.com
Mon May 29 17:14:18 EEST 2017

On Mon, 29 May 2017 00:20:09 +0200, Ingo Br├╝ckl <ib at wupperonline.de>

> Does anyone know or can estimate whether MPlayer is affected by

mplayer is not affected.

wm4 reported that mpv is also not affected 
[15:52] <wm4> mpv + subliminal script is apparently not affected

from the blog post:
> http://blog.checkpoint.com/2017/05/23/hacked-in-translation/,
> Some media players download subtitles automatically; these repositories hold extensive potential for attackers.

mplayer does not download subtitles automatically, which is what this
vector targeted.

imo opensubtitles website should sanitize their subtitle repository to
avoid vectors like this in the future.

> particularly by any overflows as mentioned in
> https://news.ycombinator.com/item?id=14408859?

from that post:

>The Kodi issue was a zip archive path traversal (i.e. no protection against zip files extracting files to parent directories).

mplayer does not look for subtitles in zip / archives either , so this
vector is not applicable.


More information about the MPlayer-dev-eng mailing list