[MPlayer-DOCS] CVS: homepage/src news.src.en,1.98,1.99
Gabucino
syncmail at mplayerhq.hu
Tue Mar 30 17:55:14 CEST 2004
CVS change done by Gabucino
Update of /cvsroot/mplayer/homepage/src
In directory mail:/var2/tmp/cvs-serv14186/src
Modified Files:
news.src.en
Log Message:
MPlayer Security Advisory #002
Index: news.src.en
===================================================================
RCS file: /cvsroot/mplayer/homepage/src/news.src.en,v
retrieving revision 1.98
retrieving revision 1.99
diff -u -r1.98 -r1.99
--- news.src.en 26 Mar 2004 00:56:09 -0000 1.98
+++ news.src.en 30 Mar 2004 15:55:12 -0000 1.99
@@ -1,6 +1,105 @@
<!-- content begin -->
<font class="bigheader">
<br>
+ <a name="vuln02">
+ 2004.03.30, Tuesday :: Exploitable remote buffer overflow vulnerability in the HTTP parser
+ </a>
+ <br>
+</font>
+<font class="header">
+ posted by Gabucino</a><br>
+</font>
+<font class="text">
+ <br>
+ <b>Severity:</b><br>
+ HIGH (if playing HTTP streaming content)<br>
+ LOW (if playing only normal files)<br>
+ <br>
+ <b>Description:</b><br>
+ A remotely exploitable buffer overflow vulnerability was found in MPlayer.
+ A malicious host can craft a harmful HTTP header ("Location:"), and trick MPlayer
+ into executing arbitrary code upon parsing that header.<br>
+ <br>
+ <b>MPlayer versions affected:</b><br>
+ MPlayer 0.90pre series<br>
+ MPlayer 0.90rc series<br>
+ MPlayer 0.90<br>
+ MPlayer 0.91<br>
+ MPlayer 1.0pre1<br>
+ MPlayer 1.0pre2<br>
+ MPlayer 1.0pre3<br>
+ <br>
+ <b>MPlayer versions unaffected:</b><br>
+ MPlayer releases before 0.60pre1<br>
+ MPlayer 0.92.1<br>
+ MPlayer 1.0pre3try2<br>
+ MPlayer 0_92 CVS<br>
+ MPlayer HEAD CVS<br>
+ <br>
+ <b>Notification status:</b><br>
+ Developers were notified on <b>2004.03.29</b> (by <b><a href="mailto:blexim at hush.com">"blexim"</a></b>)<br>
+ Fix was commited into HEAD CVS at <b>2004.03.30 12:58:43 CEST</b><br>
+ <i>MPlayer 0.92.1 (vuln-fix-only release)</i> was released on <b>2003.03.30
+ 16:45:00 CEST</b><br>
+ <i>MPlayer 1.0pre3try2 (vuln-fix-only release)</i> was released on <b>2003.03.30
+ 16:51:00 CEST</b><br>
+ <br>
+ <b>Patch availability:</b><br>
+ A patch is available for all vulnerable versions
+ <a href="../../MPlayer/patches/vuln02-fix.diff">here</a>.<br>
+ <br>
+ <b>Suggested upgrading methods:</b><br>
+ MPlayer 1.0pre3 users should upgrade to <b>latest CVS</b><br>
+ MPlayer 0.92 (and below) users should upgrade to <b>0.92.1</b> OR
+ <b>latest CVS</b><br>
+ <br>
+ MPlayer 0.92.1 <A HREF="http://www1.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.1.tar.bz2.asc">(PGP signature)</A> <A HREF="http://www1.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.1.tar.bz2.md5">(MD5 checksum)</A> can be downloaded from the following sites:
+ <UL>
+ <LI>Hungary 1, HTTP -> <A HREF="http://www1.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.1.tar.bz2">http://www1.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.1.tar.bz2</A></LI>
+ <LI>Hungary 1, FTP -> <A HREF="ftp://ftp1.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.1.tar.bz2">ftp://ftp1.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.1.tar.bz2</A></LI>
+ <LI>Hungary 2, HTTP -> <A HREF="http://www2.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.1.tar.bz2">http://www2.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.1.tar.bz2</A></LI>
+ <LI>Hungary 2, FTP -> <A HREF="ftp://ftp2.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.1.tar.bz2">ftp://ftp2.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.1.tar.bz2</A></LI>
+ <LI>USA, HTTP -> <A HREF="http://ftp3.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.1.tar.bz2">http://ftp3.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.1.tar.bz2</A></LI>
+ <LI>USA, FTP -> <A HREF="ftp://ftp3.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.1.tar.bz2">ftp://ftp3.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.1.tar.bz2</A></LI>
+ <LI>Switzerland, HTTP -> <A HREF="http://www4.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.1.tar.bz2">http://www4.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.1.tar.bz2</A></LI>
+ <LI>USA2, HTTP -> <A HREF="http://ftp5.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.1.tar.bz2">http://ftp5.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.1.tar.bz2</A></LI>
+ <LI>USA2, FTP -> <A HREF="ftp://ftp5.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.1.tar.bz2">ftp://ftp5.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.1.tar.bz2</A></LI>
+ <LI>Australia, FTP -> <A HREF="ftp://ftp6.mplayerhq.hu/pub/mplayer/releases/MPlayer-0.92.1.tar.bz2">ftp://ftp6.mplayerhq.hu/pub/mplayer/releases/MPlayer-0.92.1.tar.bz2</A></LI>
+ <LI>Finland, HTTP -> <A HREF="http://www7.mplayerhq.hu/pub/mplayer/releases/MPlayer-0.92.1.tar.bz2">http://www7.mplayerhq.hu/pub/mplayer/releases/MPlayer-0.92.1.tar.bz2</A></LI>
+ </UL>
+ <br>
+ MPlayer 1.0pre3try2 <A HREF="http://www1.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre3try2.tar.bz2.asc">(PGP signature)</A> <A HREF="http://www1.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre3try2.tar.bz2.md5">(MD5 checksum)</A> can be downloaded from the following sites:
+ <UL>
+ <LI>Hungary 1, HTTP -> <A HREF="http://www1.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre3try2.tar.bz2">http://www1.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre3try2.tar.bz2</A></LI>
+ <LI>Hungary 1, FTP -> <A HREF="ftp://ftp1.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre3try2.tar.bz2">ftp://ftp1.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre3try2.tar.bz2</A></LI>
+ <LI>Hungary 2, HTTP -> <A HREF="http://www2.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre3try2.tar.bz2">http://www2.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre3try2.tar.bz2</A></LI>
+ <LI>Hungary 2, FTP -> <A HREF="ftp://ftp2.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre3try2.tar.bz2">ftp://ftp2.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre3try2.tar.bz2</A></LI>
+ <LI>USA, HTTP -> <A HREF="http://ftp3.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre3try2.tar.bz2">http://ftp3.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre3try2.tar.bz2</A></LI>
+ <LI>USA, FTP -> <A HREF="ftp://ftp3.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre3try2.tar.bz2">ftp://ftp3.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre3try2.tar.bz2</A></LI>
+ <LI>Switzerland, HTTP -> <A HREF="http://www4.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre3try2.tar.bz2">http://www4.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre3try2.tar.bz2</A></LI>
+ <LI>USA2, HTTP -> <A HREF="http://ftp5.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre3try2.tar.bz2">http://ftp5.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre3try2.tar.bz2</A></LI>
+ <LI>USA2, FTP -> <A HREF="ftp://ftp5.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre3try2.tar.bz2">ftp://ftp5.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre3try2.tar.bz2</A></LI>
+ <LI>Australia, FTP -> <A HREF="ftp://ftp6.mplayerhq.hu/pub/mplayer/releases/MPlayer-1.0pre3try2.tar.bz2">ftp://ftp6.mplayerhq.hu/pub/mplayer/releases/MPlayer-1.0pre3try2.tar.bz2</A></LI>
+ <LI>Finland, HTTP -> <A HREF="http://www7.mplayerhq.hu/pub/mplayer/releases/MPlayer-1.0pre3try2.tar.bz2">http://www7.mplayerhq.hu/pub/mplayer/releases/MPlayer-1.0pre3try2.tar.bz2</A></LI>
+ </UL>
+ <br>
+</font>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+<font class="bigheader">
+ <br>
<a name="arpiton">
2004.03.26, Friday :: Leaving MPlayer
</a>
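Review bot: the two release timestamps under "Notification status" are dated 2003.03.30 (`was released on <b>2003.03.30` for both 0.92.1 and 1.0pre3try2), which places the fix releases a year before the 2004.03.29 notification and the 2004.03.30 CVS fix; both should read 2004.03.30. The affected list names 0.90 and 0.91 but not 0.92, while the upgrade text addresses "MPlayer 0.92 (and below)", and releases from 0.60pre1 up to the 0.90pre series appear in neither the affected nor the unaffected list; the advisory should state their status explicitly so readers can tell whether they need the patch. Smaller points: `posted by Gabucino</a><br>` has a closing `</a>` with no opening tag, "commited" should be "committed", and the fourteen empty added lines before the next `<font class="bigheader">` can be dropped.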