[MPlayer-DOCS] [homepage]: r3126 - trunk/src/news.src.en

rtogni subversion at mplayerhq.hu
Tue Jan 29 23:49:18 CET 2008


Author: rtogni
Date: Tue Jan 29 23:49:17 2008
New Revision: 3126

Log:
Security fixes for demux_mov.c and demux_audio.c


Modified:
   trunk/src/news.src.en

Modified: trunk/src/news.src.en
==============================================================================
--- trunk/src/news.src.en	(original)
+++ trunk/src/news.src.en	Tue Jan 29 23:49:17 2008
@@ -9,6 +9,130 @@
 <div class="newsentry">
 
 <h2>
+	<a name="vuln17">2008-01-29, Tuesday :: buffer overflow in demux_mov.c</a>
+	<br><span class="poster">posted by Roberto</span>
+</h2>
+
+<h3>Summary</h3>
+
+<p>
+A buffer overflow was found and reported by Felipe Manzano and Anibal Sacco of
+CORE Security Technologies in the code used to parse the mov file headers.
+Other similar issues were found by Reimar Döffinger while fixing the code.
+The vulnerability is identified with CORE-2008-0122.
+</p>
+
+<p>
+The code read some values from the file and uses them as indexes into an array
+allocated on the heap, without performing any boundary check. A malicious file
+may be used to trigger a buffer overflow in the program, that can lead to
+arbitrary code execution with the UID of the user running MPlayer.
+</p>
+
+<h3>Severity</h3>
+
+<p>
+High (arbitrary code execution under the user ID running the player) when
+playing a malicious mov file, null if you do not use this feature. At the time
+the buffer overflow was fixed there was no known exploit in the wild.
+</p>
+
+<h3>Solution</h3>
+
+<p>
+A
+<a href="http://svn.mplayerhq.hu/mplayer/trunk/libmpdemux/demux_mov.c?r1=25920&amp;r2=25922">fix</a>
+for this problem was committed to SVN on Tue Jan 29 22:13:20 2008 UTC as r25920,
+Tue Jan 29 22:13:47 2008 UTC as r25921 and Tue Jan 29 22:14:00 2008 UTC as
+r25922.
+Users of affected MPlayer versions should download a
+<a href="http://www.mplayerhq.hu/MPlayer/patches/demux_mov_fix_20080129.diff">patch</a>
+for MPlayer 1.0rc2 or update to the latest version if they're using SVN.
+</p>
+
+<h3>Affected versions</h3>
+
+<p>
+MPlayer 1.0rc2 and SVN before r25922 (Tue Jan 29 22:14:00 2008 UTC).
+Older versions are probably affected, too, but they were not checked.
+</p>
+
+
+<h3>Unaffected versions</h3>
+
+<p>
+SVN HEAD after r25922 (Tue Jan 29 22:14:00 2008 UTC)<br>
+MPlayer 1.0rc2 + security patches
+</p>
+
+</div>
+
+
+
+<div class="newsentry">
+
+<h2>
+	<a name="vuln16">2008-01-29, Tuesday :: stack overflow in demux_audio.c</a>
+	<br><span class="poster">posted by Roberto</span>
+</h2>
+
+<h3>Summary</h3>
+
+<p>
+A stack overflow was found and reported by Damian Frizza and Alfredo Ortega of
+CORE Security Technologies in the code used to parse FLAC comments. The
+vulnerability is identified with CORE-2008-1218.
+</p>
+
+<p>
+When loading a comment from the file, a length value is read from the file and
+then used as an index to a VLA array with no check performed. A malicious file
+could trigger a stack overflow in the program, leading to arbitrary code
+execution with the UID of the user running MPlayer.
+</p>
+
+<h3>Severity</h3>
+
+<p>
+High (arbitrary code execution under the user ID running the player) when
+playing a FLAC file with malicious comments, null if you do not use this
+feature. At the time the buffer overflow was fixed there was no known exploit
+in the wild.
+</p>
+
+<h3>Solution</h3>
+
+<p>
+A
+<a href="http://svn.mplayerhq.hu/mplayer/trunk/libmpdemux/demux_audio.c?r1=25911&amp;r2=25917">fix</a>
+for this problem was committed to SVN on Tue Jan 29 22:00:58 2008 UTC as r25917.
+Users of affected MPlayer versions should download a
+<a href="http://www.mplayerhq.hu/MPlayer/patches/demux_audio_fix_20080129.diff">patch</a>
+for MPlayer 1.0rc2 or update to the latest version if they're using SVN.
+</p>
+
+<h3>Affected versions</h3>
+
+<p>
+MPlayer 1.0rc2 and SVN before r25917 (Tue Jan 29 22:00:58 2008 UTC).
+Older versions are probably affected, too, but they were not checked.
+</p>
+
+
+<h3>Unaffected versions</h3>
+
+<p>
+SVN HEAD after r25917 (Tue Jan 29 22:00:58 2008 UTC)<br>
+MPlayer 1.0rc2 + security patches
+</p>
+
+</div>
+
+
+
+<div class="newsentry">
+
+<h2>
 	<a name="HUPAward2007">2008-01-03, Wednesday :: HUP Readers' Choice Award 2007</a>
 	<br><span class="poster">posted by Diego</span>
 </h2>
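Review bot: The "fix" link in the demux_mov.c entry diffs r1=25920 against r2=25922, so the changes made by r25920 itself, which the text lists as part of the fix, are not included in the linked diff; start the diff from the revision that precedes r25920. In both entries the version boundaries leave the fixing revision unclassified: "SVN before r25922" is affected and "SVN HEAD after r25922" is unaffected (likewise r25917), so wording such as "r25922 and later" under "Unaffected versions" would remove the gap. Minor wording: "The code read some values from the file and uses them" mixes tenses, and the demux_audio.c Severity paragraph says "the buffer overflow was fixed" while the entry title and summary call it a stack overflow; pick one term per entry.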


