-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------
Arch Linux Security Warning ALSW 2007-#10
- ------------------------------------------------------------
Name: mplayer
Date: 2007-02-27
Severity: High
Warning #: 2007-#10
- ------------------------------------------------------------

Product Background
===================
MPlayer is a media player capable of playing multiple media formats.

Problem Background
===================
A buffer overflow was found in MPlayer's RTSP plugin that could lead to
a Denial of Service or arbitrary code execution. When checking for
matching asm rules in the asmrp.c code, the results are stored in a
fixed-size array without boundary checks, which may allow a buffer
overflow.

Impact
======
An attacker can entice a user to connect to a manipulated RTSP server,
resulting in a Denial of Service and possibly execution of arbitrary
code.

Problem Packages
===================
- ------------------------------------------------------------------
Package  | Repo  | Group      | Unsafe     | Safe         |
- ------------------------------------------------------------------
mplayer    extra   multimedia   <= 1.0rc1    only patched

Package Fix
===================
Apply this patch while waiting for 1.0rc2.
From mplayer's website:
"Please note that we are not releasing an updated tarball with this fix
at this moment, since MPlayer 1.0rc2 is already in process. If you need
to stay with 1.0rc1, get the MPlayer 1.0rc1 tarball, apply the patch
with the fix and recompile MPlayer; else upgrade to SVN. If you maintain
a binary package for MPlayer, please name the updated version MPlayer
1.0rc1try2."

The patch:
http://www.mplayerhq.hu/MPlayer/patches/asmrules_fix_20061231.diff

I'm really happy to introduce this page:
http://jjdanimoth.netsons.org/alsw.html
where I will summarize all warnings. I am trying to make a place where
we, members of the community, can talk about these:
http://jjdanimoth.netsons.org/flyspray/
Please, give me your feedback on this.

Reference(s)
===================
http://security.gentoo.org/glsa/glsa-200702-11.xml
http://www.mplayerhq.hu/design7/news.html

Contact
===================
JJDaNiMoTh (jjdanimoth AT gmail DOT com)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF5F3PcJj0HNhER0MRAuq2AKCL8RccpmsaYWgCOqIcGHcD99Qg/gCfUQyw
eLicvxFoasOShPt9e/YOBJ0=
=jS5H
-----END PGP SIGNATURE-----
_______________________________________________
arch mailing list
[email protected]
http://www.archlinux.org/mailman/listinfo/arch
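
The bug class described under Problem Background (match results written to a fixed-size array with no boundary check) next to a bounded form, as an added example that is not MPlayer's asmrp.c code and not part of the original advisory. `struct rule`, the function names, `MAX_MATCHES` and the matching condition are hypothetical stand-ins.

```c
#include <stddef.h>

#define MAX_MATCHES 16  /* size of the caller's result array (constructed) */

/* Hypothetical stand-in for a server-supplied rule: it matches when the
 * client's bandwidth is at least min_bandwidth. */
struct rule { int min_bandwidth; };

/* Unsafe pattern: writes are limited only by n_rules, which the server
 * controls, never by the size of matches[]. Shown for contrast only. */
size_t collect_matches_unchecked(const struct rule *rules, size_t n_rules,
                                 int bandwidth, int *matches)
{
    size_t n = 0;
    for (size_t i = 0; i < n_rules; i++)
        if (bandwidth >= rules[i].min_bandwidth)
            matches[n++] = (int)i;          /* no capacity check */
    return n;
}

/* Hardened form: the caller passes the capacity. Returns the number of
 * matches stored, or -1 if the rule book yields more matches than fit. */
int collect_matches_bounded(const struct rule *rules, size_t n_rules,
                            int bandwidth, int *matches, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < n_rules; i++) {
        if (bandwidth < rules[i].min_bandwidth)
            continue;
        if (n == cap)
            return -1;                      /* full: reject, do not write */
        matches[n++] = (int)i;
    }
    return (int)n;
}

/* Constructed input: n_rules rules that all match, written into a 16-slot
 * array followed by a guard value. Returns -2 if the guard was altered. */
int run_bounded(size_t n_rules)
{
    struct rule rules[64] = {{0}};
    struct { int matches[MAX_MATCHES]; int guard; } out = { {0}, 0x5afe };
    if (n_rules > 64)
        n_rules = 64;
    int r = collect_matches_bounded(rules, n_rules, 1000, out.matches,
                                    MAX_MATCHES);
    return out.guard == 0x5afe ? r : -2;
}
```

Rejecting the oversized rule book is one possible policy chosen for this example; the advisory does not say how the upstream patch handles the overflow case.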
