[MPlayer-users] When do I *have to* update MPlayer?

Reimar Döffinger Reimar.Doeffinger at gmx.de
Thu Nov 24 19:48:48 CET 2011


On Thu, Nov 24, 2011 at 12:25:43PM -0600, Jonathan Isom wrote:
> On Thu, Nov 24, 2011 at 10:01 AM, Manuel Reimer
> <Manuel.Spam at nurfuerspam.de> wrote:
> >> I may misunderstand the question: Whenever you update MPlayer, FFmpeg is
> >> also updated. So whenever FFmpeg receives (for you) important updates, you
> >> should update MPlayer.
> >
> > Is it possible to separate both and have FFMPEG as separate dynamically
> > linked library?
> 
> Yeah, I believe most distros package it this way.  However it isn't recommended
> by the developers.  It is easier for all features that you want/need to just
> compile MPlayer statically with FFMPEG.

You can also enable/disable features in both MPlayer and FFmpeg
depending on what you actually need, which helps avoid most of the
issues (thus coming back on-topic).
To stay on topic however: If you expect to be personally targeted by
anyone competent you'd still have to be insane to run MPlayer in the
browser. Actually, unless maybe it is lynx you'd be insane just for
running a browser - at least if you run it outside a VM that isn't
used for anything else, and even then...
If you aren't specifically targeted by anyone just running slackware
means basically none of the exploits you can expect to encounter
really will work.
Except maybe some hilariously stupid ones, like a trivial on-stack buffer
overflow; haven't had one of those in ages, I think.
Not that I have heard of anyone at all ever bothering with really
exploiting MPlayer except for researchers.
Apart from that there are loads of security-enhancing tools, features
etc. that you could probably spend a lifetime setting up.
Since few to none depend on the specific program and make at least as
much sense to apply to the browser as MPlayer I don't think this is
really the right list to discuss this though.

> > Why was there no announcement about the possible security problem on the
> > "announce" list? Why don't you roll a new release if the old one has a known
> > hole?
> Most projects/people call svn bleeding edge.  MPlayer developers call
> svn stable :)

Besides that it is an FFmpeg issue, and to my knowledge does not have a
CVE or similar (which usually is the point where that kind of thing is
done, if someone remembers)...

