[MPlayer-DOCS] CVS: homepage/src news.src.en,1.191,1.192
Diego Biurrun CVS
syncmail at mplayerhq.hu
Sun Apr 10 19:30:30 CEST 2005
CVS change done by Diego Biurrun CVS
Update of /cvsroot/mplayer/homepage/src
In directory mail:/var2/tmp/cvs-serv30860/src
Modified Files:
news.src.en
Log Message:
mp3lib advisory
Index: news.src.en
===================================================================
RCS file: /cvsroot/mplayer/homepage/src/news.src.en,v
retrieving revision 1.191
retrieving revision 1.192
diff -u -r1.191 -r1.192
--- news.src.en 9 Apr 2005 19:00:30 -0000 1.191
+++ news.src.en 10 Apr 2005 17:30:26 -0000 1.192
@@ -8,7 +8,7 @@
<div class="newsentry">
<h2>
- <a name="about_advisories">2005.04.09, Saturday :: a word about the last round of advisories</a>
+ <a name="about_advisories">2005.04.10, Sunday :: a word about the last round of advisories</a>
<br><span class="poster">posted by Diego</span>
</h2>
@@ -33,6 +33,66 @@
<div class="newsentry">
<h2>
+ <a name="vuln09">2005.04.10, Sunday :: mpg123 buffer overflows</a>
+ <br><span class="poster">posted by Diego</span>
+</h2>
+
+<h3>Summary</h3>
+
+<p>
+Several potential buffer overflows were found in mpg123, an
+MP3 decoder library included with MPlayer in the mp3lib directory.
+You can read more details in the
+<a href="http://www.securityfocus.com/archive/1/374433">mpg123 advisory</a>.
+</p>
+
+<h3>Severity</h3>
+
+<p>
+Medium (arbitrary code execution under the user ID running the player)
+when playing MP3 audio, should the buffer overflows be exploitable.
+It is unclear whether this is the case.
+At the time the buffer overflows were fixed there was no known exploit.
+</p>
+
+<h3>Solution</h3>
+
+<p>
+A fix for the vulnerability was checked into MPlayer CVS on
+Tue Sep 14 21:02:19 2004 UTC. Users of affected MPlayer
+versions should upgrade to an unaffected MPlayer version. Alternatively a
+<a href="../../MPlayer/patches/mp3_fix_20041215.diff">patch</a>
+is available that can be applied to the MPlayer source tree.
+</p>
+
+
+<h3>Affected versions</h3>
+
+<p>
+MPlayer 1.0pre5 and before
+</p>
+
+
+<h3>Unaffected versions</h3>
+
+<p>
+MPlayer 1.0pre5try2 and after
+</p>
+
+<h3>History</h3>
+
+<p>
+After being alerted to the potential buffer overflows
+a fix was checked into MPlayer CVS on Tue Sep 14 21:02:19 2004 UTC.
+</p>
+
+</div>
+
+
+
+<div class="newsentry">
+
+<h2>
<a name="vuln08">2005.04.09, Saturday :: PNM streaming buffer overflow vulnerabilities</a>
<br><span class="poster">posted by Diego</span>
</h2>
More information about the MPlayer-DOCS
mailing list