[MPlayer-users] Buffer Overflow in Mplayer v0.91 and prior

zimon@iki.fi zimon at niksula.hut.fi
Mon Sep 1 00:36:28 CEST 2003


On Sun, Aug 31, 2003 at 05:37:39PM -0400, D Richard Felker III wrote:
> > Vulnerable Versions: Mplayer v0.91 and prior
> > Risk: Low / Medium
> > Impact: Stack Buffer Overflow
> > bash-2.05b$ gmplayer `perl -e 'print "A" x 550'`
> 
> Umm, this advisory is incredibly stupid. How is it a vulnerability if
> you make mplayer (which runs as your uid) crash based on the filename
> *you* give it on the command line?!? If this can be done from

Some people do make mplayer SUID root, because they use for example the
DirectFB device, or the DGA device, or mplayer complains about RTC permissions
and the user does not know how to set it up without suid root in /etc/sysctl.conf.

There are warnings about this in DOCS/en/video.html though.
Also, faq.html says about RTC: "You need root privileges ...or"... and then
it says later "but requires root privileges, a setuid root MPlayer binary
or a properly set up kernel."

However, it does emphasize: "Note: NEVER install a setuid root MPlayer binary
on a multiuser system!"

So, the buffer smash exploit can be risky for some people who give other people
access to their home-entertainment box, which uses DirectFB to show
movies on TV. Dropping privileges just after the device has been opened,
if it was suid root, would at least be a good idea, although it wouldn't solve
the mentioned stack overflow exploit in parameter parsing.
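As an added illustration of the privilege dropping recommended in the post above (this is example code, not MPlayer's own; it assumes Linux/glibc for setresuid/getresuid and uses /dev/null as a placeholder for the DirectFB or RTC device):

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid: clear supplementary groups (only possible and
 * only needed while effective root), then set the real, effective AND saved
 * ids so a later seteuid(0) cannot regain root. Returns 0 on success, -1 on
 * failure; callers must treat failure as fatal rather than carry on. */
int drop_privileges_permanently(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)   /* groups first: needs root to succeed */
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    /* Verify the drop took: all three uids equal the target ... */
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0 || r != uid || e != uid || s != uid)
        return -1;
    /* ... and, unless the target itself is root, becoming root must now fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Open the privileged device while still root, then drop to the invoking
 * user before parsing anything attacker-controlled (such as the filename from
 * argv). A later parser bug then only smashes an unprivileged process. */
int open_device_then_drop(const char *device_path) {
    int fd = open(device_path, O_RDWR);
    if (fd < 0)
        return -1;
    if (drop_privileges_permanently(getuid(), getgid()) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv) {
    /* Constructed placeholder: a real player would open its DirectFB/RTC node. */
    const char *dev = argc > 1 ? argv[1] : "/dev/null";
    int fd = open_device_then_drop(dev);
    if (fd < 0) { perror("open_device_then_drop"); return 1; }
    printf("device on fd %d; now uid=%u euid=%u\n", fd,
           (unsigned)getuid(), (unsigned)geteuid());
    close(fd);
    return 0;
}
```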