[MPlayer-DOCS] [homepage]: r2955 - trunk/src/news.src.en
rtogni
subversion at mplayerhq.hu
Tue Jun 5 23:08:59 CEST 2007
Author: rtogni
Date: Tue Jun 5 23:08:58 2007
New Revision: 2955
Log:
Security advisory for cddb bug
Modified:
trunk/src/news.src.en
Modified: trunk/src/news.src.en
==============================================================================
--- trunk/src/news.src.en (original)
+++ trunk/src/news.src.en Tue Jun 5 23:08:58 2007
@@ -9,6 +9,93 @@
<div class="newsentry">
<h2>
+ <a name="vuln15">2007-06-05, Tuesday :: stack overflow in stream_cddb.c</a>
+ <br><span class="poster">posted by Roberto</span>
+</h2>
+
+<h3>Summary</h3>
+
+<p>
+A stack overflow was found and reported by Stefan Cornelius of Secunia
+Researchin in the code used to handle cddb queries. Two other similar issues
+were found by Reimar Döffinger while fixing the issue. The vulnerability is
+identified with CVE-2007-2948 and
+<a href="http://secunia.com/advisories/24302/">SAID 24302</a>.
+</p>
+
+<p>
+When copying the album title and category, no checking was performed on the size
+of the strings before storing them in a fixed-size array. A malicious entry in
+the database could trigger a stack overflow in the program, leading to arbitrary
+code execution with the uid of the user running MPlayer.
+</p>
+
+<h3>Severity</h3>
+
+<p>
+High (arbitrary remote code execution under the user ID running the player)
+when getting disk information from a malicious cddb entry, null if you do not
+use this feature. Please note that is possible to overwrite entries in the cddb
+database, so an attack can be performed also via a non-compromised server.
+At the time the buffer overflow was fixed there was no known exploit in the
+wild.
+</p>
+
+<h3>Solution</h3>
+
+<p>
+A
+<a href="http://svn.mplayerhq.hu/mplayer/trunk/stream/stream_cddb.c?r1=23287&r2=23470">fix</a>
+for this problem was committed to SVN on Tue Jun 5 11:13:32 2007 UTC as r23470.
+Users of affected MPlayer versions should download a
+<a href="http://www.mplayerhq.hu/MPlayer/patches/cddb_fix_20070605.diff">patch</a>
+for MPlayer 1.0rc1 or update to the latest version if they're using SVN.
+</p>
+
+<p>
+If case you can't upgrade or apply the suggested patch, these are some possible
+workarounds:
+<ul>
+ <li>Don't use cddb:// urls (be careful also with playlists)</li>
+ <li>Redirect freedb.freedb.org to 127.0.0.1 (e.g. via hosts file)</li>
+ <li>Recompile with --disable-cddb</li>
+</ul>
+</p>
+
+<p>
+Please note that we are not releasing an updated tarball with this fix at this
+moment.<br>
+If you need to stay with 1.0rc1, get the MPlayer 1.0rc1 tarball,
+apply the patch with the fix and recompile MPlayer; else upgrade to SVN.<br>
+If you decide to stay with rc1, don't forget to apply also this
+<a href="http://www.mplayerhq.hu/MPlayer/patches/asmrules_fix_20061231.diff">older fix.</a>
+If you mantain a binary package for MPlayer, please name the updated version
+MPlayer 1.0rc1try3.
+</p>
+
+<h3>Affected versions</h3>
+
+<p>
+MPlayer 1.0rc1, MPlayer 1.0rc1try2 and SVN before r23470 (Tue Jun 5 11:13:32
+2007 UTC).
+Older versions are probably affected, too, but they were not checked.
+</p>
+
+
+<h3>Unaffected versions</h3>
+
+<p>
+SVN HEAD after r23470 (Tue Jun 5 11:13:32 2007 UTC)<br>
+MPlayer 1.0rc1 + security patches
+</p>
+
+</div>
+
+
+
+<div class="newsentry">
+
+<h2>
<a name="LinuxTag2007">2007-05-13, Sunday :: MPlayer at LinuxTag 2007</a>
<br><span class="poster">posted by Roberto</span>
</h2>
More information about the MPlayer-DOCS
mailing list