[MPlayer-DOCS] CVS: homepage/src news.src.en,1.108,1.109

Diego Biurrun CVS syncmail at mplayerhq.hu
Thu Apr 29 14:49:02 CEST 2004


CVS change done by Diego Biurrun CVS

Update of /cvsroot/mplayer/homepage/src
In directory mail:/var2/tmp/cvs-serv6688/src

Modified Files:
	news.src.en 
Log Message:
Advisory added, mention xine in the release notes now that they have made
their release, spelling.


Index: news.src.en
===================================================================
RCS file: /cvsroot/mplayer/homepage/src/news.src.en,v
retrieving revision 1.108
retrieving revision 1.109
diff -u -r1.108 -r1.109
--- news.src.en	28 Apr 2004 06:38:05 -0000	1.108
+++ news.src.en	29 Apr 2004 12:48:59 -0000	1.109
@@ -3,6 +3,132 @@
 
 <font class="bigheader">
 	<br>
+	<a name="vuln03">
+	2004.04.28, Wednesday :: Exploitable remote buffer overflow vulnerability in the Real RTSP streaming code
+	</a>
+	<br>
+</font>
+<font class="header">
+	posted by Diego<br>
+</font>
+<font class="text">
+	<br>
+	<b>Summary:</b>
+	<br>
+	Multiple vulnerabilities have being found and fixed in the Real-Time
+	Streaming Protocol (RTSP) client for RealNetworks servers, including a
+	series of potentially remotely exploitable buffer overflows. This is a
+	joint	advisory by the MPlayer and xine teams as the code in question is
+	common to these projects. The xine team has assigned ID XSA-2004-3 to this
+	security announcement.
+	<br>
+	<br>
+	<b>Severity:</b>
+	<br>
+	High (arbitrary remote code execution under the user ID running the player)
+	when playing Real RTSP streams.
+	At this time, there is no known exploit for these vulnerabilities.
+	<br>
+	<br>
+	<b>Prerequisites:</b>
+	<br>
+	The players are only vulnerable when playing Real RTSP streams.
+	There is no risk if Real RTSP (realrtsp) streaming is not employed.
+	<br>
+	<br>
+	<b>Solution:</b>
+	<br>
+	A fix was checked into MPlayer CVS on Sat, 24 Apr 2004 12:33:22 +0200 (CEST).
+	This fix is included in MPlayer 1.0pre4.  Users of affected MPlayer versions
+	should upgrade to MPlayer 1.0pre4 or later.
+	<br>
+	xine-lib fix was checked into CVS on Fri, Apr 23 21:59:04 2004 UTC. This fix
+	is included in xine-lib 1-rc4. Users of affected xine-lib versions should
+	upgrade to xine-lib 1-rc4 or later.
+	If this upgrade is not feasible for some reason, the vulnerable code
+	can be disabled by removing xine's RTSP input plugin, which is located at
+	$(xine-config --plugindir)/xineplug_inp_rtsp.so). If installed with default
+	paths, that is: /usr/local/lib/xine/plugins/1.0.0/xineplug_inp_rtsp.so
+	This workaround disables RTSP streaming.
+	<br>
+	<br>
+	<b>Affected versions:</b>
+	<br>
+	MPlayer 1.0pre1-pre3try2
+	<br>
+	xine-lib 1-beta1 to 1-rc3c
+	<br>
+	<br>
+	<b>Unaffected versions:</b>
+	<br>
+	MPlayer 0.92.1 and below
+	<br>
+	MPlayer 1.0pre4 and above
+	<br>
+	MPlayer CVS HEAD
+	<br>
+	<br>
+	xine-lib 1-beta0 and below
+	<br>
+	xine-lib 1-rc4 and above
+	<br>
+	xine-lib CVS HEAD
+	<br>
+	<br>
+	<b>History / Attack Vectors:</b>
+	<br>
+	On Thu, 22 Apr 2004 Diego Biurrun found a crashing bug in the MPlayer
+	realrtsp code that Roberto Togni confirmed to be a buffer overflow
+	vulnerability later that day. The xine team was notified and independent
+	code audits were performed by Miguel Freitas (xine) and Roberto Togni
+	(MPlayer), revealing multiple vulnerabilities.
+	<ol>
+	<li>Fixed length buffers were assigned for the URL used in server requests
+		and	the length of the input was never checked. Very long URLs could thus
+		overflow these buffers and crash the application. A malicious person
+		might possibly use a specially crafted URL or playlist to run arbitrary
+		code on the user's machine.</li>
+	<li>Not all strings returned from a Real server were checked for length.
+		It might be possible to cause a buffer overflow during the RTSP session
+		negotiation sequence. A malicious person could use a fake RTSP server
+		to feed the client with malformed strings.</li>
+	<li>Packets of RealNetworks' Real Data Transport (RDT) format were received
+		using a fixed length buffer whose size was never checked. It might also be
+		possible to exploit this by emulating a RealNetworks' RTSP server.</li>
+	<li>On Wed, 14 Apr 2004 22:45:28 +0200 (CEST) a change was made to MPlayer
+		CVS that removes the extension checking on RTSP streams. MPlayer now
+		attempts to handle every RTSP connection as realrtsp first, falling back
+		to live.com RTSP. CVS	versions from that date to the time the fix was
+		checked in are susceptible to the same problem when playing normal RTSP
+		streams as well.</li>
+	<li>At the time of the writing of this advisory no real exploits are known
+		to the authors and we hope to be the first to stumble across this
+		vulnerability. Since we believe that the bugs described in this advisory
+		are exploitable we have	released this proactive advisory.</li>
+	</ol>
+	<b>Download:</b>
+	<br>
+	<br>
+	MPlayer 1.0pre4 can be downloaded from the MPlayer homepage or one of its many
+	mirrors. Go to the
+	<a href="dload.html">MPlayer download page</a>
+	to get MPlayer 1.0pre4 source code.
+	<br>
+	<br>
+	xine-lib 1-rc4 can be downloaded from the
+	<a href="http://xinehq.de/index.php/releases">xine homepage</a>.
+	<br>
+	<br>
+</font>
+
+
+
+
+
+
+
+<font class="bigheader">
+	<br>
 	<a name="mplayer10pre4">
 	2004.04.28, Wednesday :: MPlayer 1.0pre4 released
 	</a>
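Review bot: the Prerequisites paragraph ("There is no risk if Real RTSP (realrtsp) streaming is not employed") is contradicted by History item 4, which says that CVS builds between 14 Apr 2004 and the 24 Apr fix try realrtsp first on every RTSP URL and only then fall back to live.com RTSP, so for those builds a plain RTSP stream is an attack vector too; qualify the Prerequisites statement and add those CVS snapshots to Affected versions, since "MPlayer 1.0pre1-pre3try2" does not cover them. Smaller fixes in the same hunk: "have being found" should read "have been found"; stray tab characters split "joint	advisory", "CVS	versions" and "have	released"; the xine plugin path has an unmatched closing parenthesis in "$(xine-config --plugindir)/xineplug_inp_rtsp.so)"; "no known exploit" is stated in both Severity and item 5, once is enough; and the "Download:" heading is the only bold heading in the block not preceded by the <br><br> separator the others use.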
@@ -32,10 +158,9 @@
 	<br>
 	<br>
   We fixed a remotely exploitable security vulnerability in the Real
-  RTSP code.
-  <!-- , please read our advisory for details. Many thanks go to the
-  <a href="http://www.xinehq.de">xine</a> team for cooperating so well with
-  us in the audit of this shared code. -->
+  RTSP code, please read our advisory for details. Many thanks go to the
+  <a href="http://www.xinehq.de">xine</a> team for cooperating so well
+	with us in the audit of this shared code.
 	We also found a buffer overflow in the Matroska demuxer and in
   the CDDB code, so we strongly urge you to upgrade.
 	<br>
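Review bot: "please read our advisory for details" points nowhere, while the xine team in the next sentence gets a link; since this same commit adds the advisory with <a name="vuln03"> higher on the page, make "our advisory" an <a href="#vuln03"> link. Also, "We fixed a remotely exploitable security vulnerability in the Real RTSP code, please read our advisory" is a comma splice (use a full stop or semicolon), and the new line "with us in the audit of this shared code." is indented with a tab where the surrounding lines use two spaces.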
@@ -152,7 +277,7 @@
 
     <b>Streaming:</b>
     <ul>
-    <li>smil playlist parser</li>
+    <li>SMIL playlist parser</li>
     <li>support for URL redirection</li>
     <li>support for seeking in HTTP streams</li>
     <li>updated LIVE.COM streaming code</li>