[MPlayer-DOCS] CVS: homepage/src news.src.en, 1.236, 1.237 dload.src.en, 1.164, 1.165
Roberto Togni CVS
syncmail at mplayerhq.hu
Sat Aug 27 02:56:20 CEST 2005
CVS change done by Roberto Togni CVS
Update of /cvsroot/mplayer/homepage/src
In directory mail:/var2/tmp/cvs-serv23530
Modified Files:
news.src.en dload.src.en
Log Message:
MPlayer-1.0pre7try2
Index: news.src.en
===================================================================
RCS file: /cvsroot/mplayer/homepage/src/news.src.en,v
retrieving revision 1.236
retrieving revision 1.237
diff -u -r1.236 -r1.237
--- news.src.en 26 Aug 2005 19:49:45 -0000 1.236
+++ news.src.en 27 Aug 2005 00:56:17 -0000 1.237
@@ -10,17 +10,86 @@
<a name="server_thanks">2005.08.26, Friday :: Heap buffer overflow in ad_pcm.c</a>
<br><span class="poster">posted by Attila</span>
</h2>
+<p>
There is a bug which, depending on configuration, can lead to a heap buffer overflow.
If and under which circumstances this is exploitable is unclear to us as of now.
-We have found a file that is supposed exploit it but could not make it work.
-Still we do not want to put you at risk by waiting longer to publish this.
-<br>
-<a href="http://www1.mplayerhq.hu/cgi-bin/cvsweb.cgi/main/libmpcodecs/ad_pcm.c.diff?r1=1.18&r2=1.19">Here</a>
-is a patch that fixes the problem.
-<br>
+We are aware that at least one person was able to write a working exploit on
+his system using an avi file with uncompressed pcm audio.
+We have found a file that is supposed exploit it but could not make it work, but
+still we do not want to put you at risk by waiting longer to publish this.
+</p>
+
+<h3>Solution</h3>
+
+<p>
+A
+<a href="http://www1.mplayerhq.hu/cgi-bin/cvsweb.cgi/main/libmpcodecs/ad_pcm.c.diff?r1=1.18&r2=1.19">patch</a>
+for this problem was committed to CVS on Thu Aug 25 19:46:20 2005 UTC.
+You can download a patch for Mplayer 1.0pre7
+<a href="http://www1.mplayerhq.hu/MPlayer/patches/ad_pcm_fix_20050826.diff">here.</a>
+</p>
+
+<p>
Adding "ac=-pcm," (notice the trailing ',') to the config file is a quick fix that should keep you
safe as long as you don't use the -ac option on the commandline. Though you will not be able to play uncompressed
audio then.
+</p>
+
+<p>
+We also prepared a new tarball for pre7 release with the fix already applied.
+Please note that this is not a new release of MPlayer, if you want to have all
+the new features introduced after pre7 you should use CVS version.
+</p>
+
+<h3>Affected versions</h3>
+
+<p>
+MPlayer 1.0pre7 and before<br>
+Up to now the only version where an exploit was demonstrated is
+MPlayer 1.0pre7, but the bug is present also in all prevoius versions.
+</p>
+
+
+<h3>Unaffected versions</h3>
+
+<p>
+MPlayer 1.0pre7try2 and after<br>
+CVS HEAD after Thu Aug 25 19:46:20 2005 UTC
+</p>
+
+<p>
+MPlayer 1.0pre7try2 can be downloaded from the following locations. Please be
+kind to our server and use one of our many mirrors.
+</p>
+
+<ul>
+ <li>Hungary 1
+ <a href="http://www1.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre7try2.tar.bz2">HTTP</a>
+ <a href="http://ftp1.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre7try2.tar.bz2">FTP</a></li>
+ <li>Hungary 2
+ <a href="http://www2.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre7try2.tar.bz2">HTTP</a>
+ <a href="ftp://ftp2.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre7try2.tar.bz2">FTP</a></li>
+ <li>USA
+ <a href="ftp://ftp3.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre7try2.tar.bz2">FTP</a></li>
+ <li>Switzerland
+ <a href="http://www4.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre7try2.tar.bz2">HTTP</a></li>
+ <li>USA 2
+ <a href="http://ftp5.mplayerhq.hu/mplayer/releases/MPlayer-1.0pre7try2.tar.bz2">HTTP</a>
+ <a href="ftp://ftp5.mplayerhq.hu/mplayer/releases/MPlayer-1.0pre7try2.tar.bz2">FTP</a></li>
+ <li>Australia
+ <a href="ftp://ftp6.mplayerhq.hu/pub/MPlayer/releases/MPlayer-1.0pre7try2.tar.bz2">FTP</a></li>
+ <li>USA 3
+ <a href="http://www7.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre7try2.tar.bz2">HTTP</a></li>
+ <li>Bulgaria
+ <a href="ftp://ftp8.mplayerhq.hu/mplayer/releases/MPlayer-1.0pre7try2.tar.bz2">FTP</a></li>
+ <li>Yugoslavia
+ <a href="http://www9.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre7try2.tar.bz2">HTTP</a>
+ <a href="ftp://ftp9.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre7try2.tar.bz2">FTP</a></li>
+</ul>
+
+<p>
+MD5SUM: <b>aaca4fd327176c1afb463f0f047ef6f4</b>
+</p>
</div>
Index: dload.src.en
===================================================================
RCS file: /cvsroot/mplayer/homepage/src/dload.src.en,v
retrieving revision 1.164
retrieving revision 1.165
diff -u -r1.164 -r1.165
--- dload.src.en 21 Aug 2005 23:41:21 -0000 1.164
+++ dload.src.en 27 Aug 2005 00:56:17 -0000 1.165
@@ -40,25 +40,25 @@
<th>FTP</th>
</tr>
<tr>
- <td>MPlayer v1.0pre7 source</td>
+ <td>MPlayer v1.0pre7try2 source</td>
<td class="mirror">
[
-<!-- <a href="http://www1.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre7.tar.bz2">HU</a> -->HU
+ <a href="http://www1.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre7try2.tar.bz2">HU</a>
|
- <a href="http://www2.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre7.tar.bz2">HU2</a>
+ <a href="http://www2.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre7try2.tar.bz2">HU2</a>
|
- <a href="http://ftp5.mplayerhq.hu/mplayer/releases/MPlayer-1.0pre7.tar.bz2">US</a>
+ <a href="http://ftp5.mplayerhq.hu/mplayer/releases/MPlayer-1.0pre7try2.tar.bz2">US</a>
|
- <a href="http://www4.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre7.tar.bz2">CH</a>
+ <a href="http://www4.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre7try2.tar.bz2">CH</a>
]
</td>
<td class="mirror">
[
-<!-- <a href="ftp://ftp1.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre7.tar.bz2">HU</a> -->HU
+ <a href="ftp://ftp1.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre7try2.tar.bz2">HU</a>
|
- <a href="ftp://ftp2.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre7.tar.bz2">HU2</a>
+ <a href="ftp://ftp2.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre7try2.tar.bz2">HU2</a>
|
- <a href="ftp://ftp5.mplayerhq.hu/mplayer/releases/MPlayer-1.0pre7.tar.bz2">US</a>
+ <a href="ftp://ftp5.mplayerhq.hu/mplayer/releases/MPlayer-1.0pre7try2.tar.bz2">US</a>
]
</td>
</tr>
More information about the MPlayer-DOCS
mailing list