[MPlayer-DOCS] [homepage]: r3127 - trunk/src/news.src.en

rtogni subversion at mplayerhq.hu
Wed Jan 30 22:35:31 CET 2008


Author: rtogni
Date: Wed Jan 30 22:35:29 2008
New Revision: 3127

Log:
Security fixes for url.c and stream_cddb.c


Modified:
   trunk/src/news.src.en

Modified: trunk/src/news.src.en
==============================================================================
--- trunk/src/news.src.en	(original)
+++ trunk/src/news.src.en	Wed Jan 30 22:35:29 2008
@@ -9,6 +9,130 @@
 <div class="newsentry">
 
 <h2>
+	<a name="vuln19">2008-01-30, Wednesday :: buffer overflow in stream_cddb.c</a>
+	<br><span class="poster">posted by Roberto</span>
+</h2>
+
+<h3>Summary</h3>
+
+<p>
+A buffer overflow was found and reported by Adam Bozanich of Musecurity in the
+code used to extract album titles from cbbd server answers.
+</p>
+
+<p>
+When parsing answers from the cddb server, the album title is copied into a
+fixed-size buffer with insufficient checks on its size, and may cause a buffer
+overflow. A malicious database entry could trigger a buffer overflow in the
+program, that can lead to arbitrary code execution with the UID of the user
+running MPlayer.
+</p>
+
+<h3>Severity</h3>
+
+<p>
+High (arbitrary code execution under the user ID running the player) when
+getting disk information from a malicious cddb entry, null if you do not use
+this feature. Please note that it is possible to overwrite entries in the cddb
+database, so an attack can also be performed via a non-compromised server. At
+the time the buffer overflow was fixed there was no known exploit in the wild.
+</p>
+
+<h3>Solution</h3>
+
+<p>
+A
+<a href="http://svn.mplayerhq.hu/mplayer/trunk/stream/stream_cddb.c?r1=25820&r2=25824">fix</a>
+for this problem was committed to SVN on Sun Jan 20 20:58:02 2008 UTC as r25824.
+Users of affected MPlayer versions should download a
+<a href="http://www.mplayerhq.hu/MPlayer/patches/stream_cddb_fix_20080120.diff">patch</a>
+for MPlayer 1.0rc2 or update to the latest version if they're using SVN.
+</p>
+
+<h3>Affected versions</h3>
+
+<p>
+MPlayer 1.0rc2 and SVN before r25824 (Sun Jan 20 20:58:02 2008 UTC).
+Older versions are probably affected, too, but they were not checked.
+</p>
+
+
+<h3>Unaffected versions</h3>
+
+<p>
+SVN HEAD after r25824 (Sun Jan 20 20:58:02 2008 UTC)<br>
+MPlayer 1.0rc2 + security patches
+</p>
+
+</div>
+
+
+
+<div class="newsentry">
+
+<h2>
+	<a name="vuln18">2008-01-30, Wednesday :: buffer overflow in url.c</a>
+	<br><span class="poster">posted by Roberto</span>
+</h2>
+
+<h3>Summary</h3>
+
+<p>
+A buffer overflow was found and reported by Adam Bozanich of Musecurity in the
+code used to escape url strings.
+</p>
+
+<p>
+The code used to skip over IPv6 addresses can be tricked to leave a pointer to
+a temporary buffer with a non-NULL value; this causes the unescape code to reuse
+the buffer, and may lead to a buffer overflow if the old buffer is smaller than
+required. A malicious url string may be used to trigger a buffer overflow in the
+program, that can lead to arbitrary code execution with the UID of the user
+running MPlayer.
+</p>
+
+<h3>Severity</h3>
+
+<p>
+High (arbitrary code execution under the user ID running the player) if you can
+play untrusted urls (eg. delivered by a remote playlist), null if you do not
+use this feature. At the time the buffer overflow was fixed there was no known
+exploit in the wild.
+</p>
+
+<h3>Solution</h3>
+
+<p>
+A
+<a href="http://svn.mplayerhq.hu/mplayer/trunk/stream/url.c?r1=25648&r2=25823">fix</a>
+for this problem was committed to SVN on Sun Jan 20 20:43:46 2008 UTC as r25823.
+Users of affected MPlayer versions should download a
+<a href="http://www.mplayerhq.hu/MPlayer/patches/url_fix_20080120.diff">patch</a>
+for MPlayer 1.0rc2 or update to the latest version if they're using SVN.
+</p>
+
+<h3>Affected versions</h3>
+
+<p>
+MPlayer 1.0rc2 and SVN before r25823 (Sun Jan 20 20:43:46 2008 UTC).
+Older versions are probably affected, too, but they were not checked.
+</p>
+
+
+<h3>Unaffected versions</h3>
+
+<p>
+SVN HEAD after r25823 (Sun Jan 20 20:43:46 2008 UTC)<br>
+MPlayer 1.0rc2 + security patches
+</p>
+
+</div>
+
+
+
+<div class="newsentry">
+
+<h2>
 	<a name="vuln17">2008-01-29, Tuesday :: buffer overflow in demux_mov.c</a>
 	<br><span class="poster">posted by Roberto</span>
 </h2>
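Review bot: The version ranges in both new entries leave the fixing revision itself unclassified. "Affected versions" says "SVN before r25824" (and "before r25823") while "Unaffected versions" says "SVN HEAD after r25824" (and "after r25823"), although the Solution paragraphs state that the fixes were committed as exactly those revisions. Wording the unaffected lines as "r25824 and later" and "r25823 and later" would remove the ambiguity. In the vuln19 summary, "cbbd server answers" is a typo for "cddb". In the vuln18 summary the first paragraph places the bug in the code used to "escape url strings", while the second paragraph attributes the buffer reuse to "the unescape code"; the entry should name the affected routine consistently. The two href values pointing at svn.mplayerhq.hu carry a raw "&" between r1 and r2, which should be written as "&amp;" inside an HTML attribute. In both Severity paragraphs, "null if you do not use this feature" would read more clearly as "none".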


