Author: diego
Date: Tue Dec 11 00:35:50 2007
New Revision: 3099

Log:
Move 2006 news to the archive.

Modified: trunk/src/news-archive.src.en trunk/src/news.src.en Modified: trunk/src/news-archive.src.en ============================================================================== --- trunk/src/news-archive.src.en (original) +++ trunk/src/news-archive.src.en Tue Dec 11 00:35:50 2007 
@@ -9,6 +9,294 @@ <div class="newsentry"> <h2> + <a name="vuln14">2006-12-31, Sunday :: buffer overflow in asmrp.c</a> + <br><span class="poster">posted by Roberto</span> +</h2> + +<h3>Summary</h3> + +<p> +The code mentioned in +<a href="http://www.debian.org/security/2006/dsa-1244">DSA 1244-1</a> +is also included in MPlayer. +A potential buffer overflow was found in the code used to handle RealMedia RTSP +streams. When checking for matching asm rules, the code stores the results in +a fixed-size array, but no boundary checks are performed. This may lead to a +buffer overflow if the user is tricked into connecting to a malicious server. +Since the attacker cannot write arbitrary data into the buffer, creating an +exploit is very hard; but a DoS attack is easily made. +</p> + +<h3>Severity</h3> + +<p> +High (DoS and eventually arbitrary remote code execution under the user ID +running the player) when setting up a RTSP session from a malicious server, +null if you do not use this feature. +At the time the buffer overflow was fixed there was no known exploit. +</p> + +<h3>Solution</h3> + +<p> +A fix for this problem was committed to SVN on Sun Dec 31 13:27:53 2006 UTC +as r21799. The fix involves three files: +<a href="http://svn.mplayerhq.hu/mplayer/trunk/stream/realrtsp/asmrp.c?r1=20717&r2=21799">stream/realrtsp/asmrp.c</a>, +<a href="http://svn.mplayerhq.hu/mplayer/trunk/stream/realrtsp/asmrp.h?r1=19277&r2=21799">stream/realrtsp/asmrp.h</a> and +<a href="http://svn.mplayerhq.hu/mplayer/trunk/stream/realrtsp/real.c?r1=21523&r2=21799">stream/realrtsp/real.c</a>. +Users of affected MPlayer versions should download a +<a href="http://www.mplayerhq.hu/MPlayer/patches/asmrules_fix_20061231.diff">patch</a> +for MPlayer 1.0rc1 or update to the latest version if they're using SVN. 
+</p> + +<p> +Please note that we are not releasing an updated tarball with this fix at this +moment, since MPlayer 1.0rc2 is already in process.<br> +If you need to stay with 1.0rc1, get the MPlayer 1.0rc1 tarball, +apply the patch with the fix and recompile MPlayer; else upgrade to SVN.<br> +If you mantain a binary package for MPlayer, please name the updated version +MPlayer 1.0rc1try2. +</p> + +<h3>Affected versions</h3> + +<p> +MPlayer 1.0rc1 and SVN before r21799 (Sun Dec 31 13:27:53 2006 UTC). +Older versions are probably affected, too, but they were not checked. +</p> + + +<h3>Unaffected versions</h3> + +<p> +SVN HEAD after r21799 (Sun Dec 31 13:27:53 2006 UTC)<br> +MPlayer 1.0rc1 + security patch +</p> + +<h4>Happy new year from the MPlayer team.</h4> + +</div> + + + +<div class="newsentry"> + +<h2> + <a name="mplayer10rc1">2006-10-22, Sunday :: MPlayer 1.0rc1 released</a> + <br><span class="poster">posted by the release team</span> +</h2> + +<p> +We wish to thank the Google Summer of Code project for sponsoring the +FFmpeg project. Thanks to the SoC program for 2006, the FFmpeg project +was able to get help from students to implement more native codecs. +</p> + +<p> +The highlights of this release are native VC-1/WMV3, On2 VP5 and VP62 +(used in some Flash video files) decoding, which works even on +non-Intel platforms, and SSA/ASS/color subtitles. +</p> + +<p> +Furthermore we can now run natively on Intel Macs (you just have to +pass --disable-win32 --disable-mp3lib to configure), -endpos was +finally added to MPlayer and the Windows GUI has seen a number of +improvements. +</p> + +<p> +Vorbis decoding has seen a big speedup, as has H.264. The +optimizations to H.264 are still ongoing, but the difference should +already be noticeable. +</p> + +<p> +And last not least many bugs were found and fixed since pre8. 
+</p> + +<p> +MPlayer 1.0rc1 will no longer load a file-specific configure file +located in the same directory as the file you're playing, because of +potential security concerns (thanks to Rudolf Polzer for pointing this +out); if you want to restore the old behavior add -use-filedir-conf. +</p> + +<p> +If you already have the binary codec package from pre8 you don't need +to redownload it: The new 20061022 packages do not contain any new +codecs, they just miss some that now work natively. +</p> + +<h3>MPlayer 1.0rc1: <i>"Codename intentionally left blank"</i></h3> + +<h4>DOCS:</h4> + +<ul> + <li>German documentation translation finished</li> + <li>Russian documentation translation synced and almost finished</li> +</ul> + +<h4>Drivers:</h4> + +<ul> + <li>IVTV hardware MPEG audio/video decoder output</li> + <li>ALSA audio output: AC3 passthrough now works even when the device + name of the digital output port has been set by the user</li> + <li>bicubic OpenGL scaling works with ATI cards</li> + <li>md5sum switched to the libavutil MD5 implementation</li> + <li>support for libcaca 1.0 via compatibility layer</li> +</ul> + +<h4>Decoders:</h4> + +<ul> + <li>liba52 updated to 0.7.4 (slightly faster)</li> + <li>SSE optimizations for mp3lib</li> + <li>removed support for obsolete and non-free divx4 libraries</li> +</ul> + +<h4>Demuxers:</h4> + +<ul> + <li>audio stream switching in MPEG-TS/PS, Matroska and + streams supported by libavformat</li> + <li>audio stream switching between streams with different codecs</li> + <li>libavformat demuxer now honors -alang</li> + <li>chapter seeking in Matroska files</li> + <li>fixed seeking to absolute and percent position for libavformat demuxer</li> + <li>NUT demuxer using libnut</li> + <li>Matroska SimpleBlock support</li> +</ul> + +<h4>Inputs:</h4> + +<ul> + <li>split of stream layer from libmpdemux to new stream library</li> + <li>PVR input for hardware MPEG encoder based cards, such as Hauppauge + WinTV PVR-150/250/350/500 AKA 
IVTV but also pvrusb2 and cx88 + (requires Linux >= 2.6.18 kernel, featuring native V4L2 MPEG API)</li> + <li>native RTSP input (handles MPEG-TS over RTP) for generic RTSP servers</li> + <li>support for seeking to chapters in dvd:// and dvdnav:// streams</li> + <li>radio support (radio://)</li> +</ul> + +<h4>FFmpeg/libavcodec:</h4> + +<ul> + <li>VC-1/WMV3/WMV9 video decoder</li> + <li>Vorbis decoding speedup, now default Vorbis decoder</li> + <li>VMware Video decoder</li> + <li>On2 VP50 and VP62 decoder</li> + <li>lossless audio decoders: WavPack, TTA, Shorten</li> + <li>CAVS decoder</li> + <li>GXF muxer/demuxer</li> + <li>MXF demuxer</li> + <li>much improved FLAC encoder</li> + <li>more H.264 decoding speed improvements, plus support for -lavdopts fast</li> + <li>Theora decoder fixes</li> + <li>preliminary Vorbis encoder</li> + <li>MTV demuxer</li> +</ul> + +<h4>GUI:</h4> + +<ul> + <li>Windows version added</li> + <li>drag-and-drop ignored last file</li> + <li>save and load cache setting correctly</li> + <li>working audio stream selection for Ogg and Matroska files</li> + <li>executable names like gmplayer_old etc. 
will now start GUI as well</li> + <li>-gui/-nogui options</li> + <li>xinerama fixes, now behaves similar to MPlayer without GUI</li> +</ul> + +<h4>Filters:</h4> + +<ul> + <li>MMX-optimizations for -vf yadif</li> + <li>MMX-optimizations for -vf zrmjpeg</li> +</ul> + +<h4>MEncoder:</h4> + +<ul> + <li>support of x264 encoding via libavcodec</li> + <li>rewrite -x264encopts option parser to use the 264 option parser; + likely breaks 3rd party tools as the syntax of some options has changed</li> + <li>removed support for obsolete and non-free divx4 libraries</li> +</ul> + +<h4>Ports:</h4> + +<ul> + <li>partial Intel Mac support, --disable-win32 --disable-mp3lib is needed</li> + <li>OpenGL can now create windows > screen size under Windows</li> + <li>allow filenames starting with \\ for remote paths on Windows</li> +</ul> + +<h4>Others:</h4> + +<ul> + <li>SSA/ASS subtitle renderer</li> + <li>-endpos option for MPlayer</li> + <li>-correct-pts option</li> + <li>UTF-8 used for OSD and subtitles, some bitmap fonts will no longer + work correctly and -subcp must be set for all non-UTF-8 subtitles</li> + <li>more audio-truncation fixes</li> + <li>libavutil mandatory for MPlayer compilation</li> + <li>more intuitive -edlout behaviour</li> + <li>-nortc is now default since -rtc has disadvantages with recent kernels</li> +</ul> + +<p> +MPlayer 1.0rc1 can be downloaded from the following locations. Please be kind +to our server and use one of our many mirrors. 
+</p> + +<ul> + <li>Switzerland + <a href="http://www1.mplayerhq.hu/MPlayer/releases/MPlayer-1.0rc1.tar.bz2">HTTP</a> + <a href="ftp://ftp1.mplayerhq.hu/MPlayer/releases/MPlayer-1.0rc1.tar.bz2">FTP</a></li> + <li>Hungary + <a href="http://www2.mplayerhq.hu/MPlayer/releases/MPlayer-1.0rc1.tar.bz2">HTTP</a> + <a href="ftp://ftp2.mplayerhq.hu/MPlayer/releases/MPlayer-1.0rc1.tar.bz2">FTP</a></li> + <li>USA + <a href="http://www3.mplayerhq.hu/MPlayer/releases/MPlayer-1.0rc1.tar.bz2">HTTP</a></li> + <li>Serbia + <a href="http://www4.mplayerhq.hu/MPlayer/releases/MPlayer-1.0rc1.tar.bz2">HTTP</a> + <a href="ftp://ftp4.mplayerhq.hu/MPlayer/releases/MPlayer-1.0rc1.tar.bz2">FTP</a></li> + <li>Korea + <a href="http://www5.mplayerhq.hu/MPlayer/releases/MPlayer-1.0rc1.tar.bz2">HTTP</a> + <a href="ftp://ftp5.mplayerhq.hu/MPlayer/releases/MPlayer-1.0rc1.tar.bz2">FTP</a></li> + <li>Sweden + <a href="http://www6.mplayerhq.hu/MPlayer/releases/MPlayer-1.0rc1.tar.bz2">HTTP</a> + <a href="ftp://ftp6.mplayerhq.hu/MPlayer/releases/MPlayer-1.0rc1.tar.bz2">FTP</a></li> + <li>Germany + <a href="ftp://ftp.fu-berlin.de/unix/X11/multimedia/MPlayer/releases/MPlayer-1.0rc1.tar.bz2">FTP</a></li> +</ul> + +<p> +MPlayer 1.0rc1 is also available on BitTorrent. +</p> + +<ul> + <li>BitTorrent + <a href="../../MPlayer/releases/MPlayer-1.0rc1.tar.bz2.torrent">torrent</a></li> +</ul> + +<p> +MD5SUM: <b>18c05d88e22c3b815a43ca8d7152ccdc</b><br> +SHA1SUM: <b>a450c0b0749c343a8496ba7810363c9d46dfa73c</b> +</p> + +</div> + + + +<div class="newsentry"> + +<h2> <a name="translators">2006-09-5, Tuesday :: A Call for Translators</a> <br><span class="poster">posted by Diego</span> </h2> Modified: trunk/src/news.src.en ============================================================================== --- trunk/src/news.src.en (original) +++ trunk/src/news.src.en Tue Dec 11 00:35:50 2007 
@@ -537,292 +537,4 @@ </div> - - -<div class="newsentry"> - -<h2> - <a name="vuln14">2006-12-31, Sunday :: buffer overflow in asmrp.c</a> - <br><span class="poster">posted by Roberto</span> -</h2> - -<h3>Summary</h3> - -<p> -The code mentioned in -<a href="http://www.debian.org/security/2006/dsa-1244">DSA 1244-1</a> -is also included in MPlayer. -A potential buffer overflow was found in the code used to handle RealMedia RTSP -streams. When checking for matching asm rules, the code stores the results in -a fixed-size array, but no boundary checks are performed. This may lead to a -buffer overflow if the user is tricked into connecting to a malicious server. -Since the attacker cannot write arbitrary data into the buffer, creating an -exploit is very hard; but a DoS attack is easily made. -</p> - -<h3>Severity</h3> - -<p> -High (DoS and eventually arbitrary remote code execution under the user ID -running the player) when setting up a RTSP session from a malicious server, -null if you do not use this feature. -At the time the buffer overflow was fixed there was no known exploit. -</p> - -<h3>Solution</h3> - -<p> -A fix for this problem was committed to SVN on Sun Dec 31 13:27:53 2006 UTC -as r21799. The fix involves three files: -<a href="http://svn.mplayerhq.hu/mplayer/trunk/stream/realrtsp/asmrp.c?r1=20717&r2=21799">stream/realrtsp/asmrp.c</a>, -<a href="http://svn.mplayerhq.hu/mplayer/trunk/stream/realrtsp/asmrp.h?r1=19277&r2=21799">stream/realrtsp/asmrp.h</a> and -<a href="http://svn.mplayerhq.hu/mplayer/trunk/stream/realrtsp/real.c?r1=21523&r2=21799">stream/realrtsp/real.c</a>. -Users of affected MPlayer versions should download a -<a href="http://www.mplayerhq.hu/MPlayer/patches/asmrules_fix_20061231.diff">patch</a> -for MPlayer 1.0rc1 or update to the latest version if they're using SVN. 
-</p> - -<p> -Please note that we are not releasing an updated tarball with this fix at this -moment, since MPlayer 1.0rc2 is already in process.<br> -If you need to stay with 1.0rc1, get the MPlayer 1.0rc1 tarball, -apply the patch with the fix and recompile MPlayer; else upgrade to SVN.<br> -If you mantain a binary package for MPlayer, please name the updated version -MPlayer 1.0rc1try2. -</p> - -<h3>Affected versions</h3> - -<p> -MPlayer 1.0rc1 and SVN before r21799 (Sun Dec 31 13:27:53 2006 UTC). -Older versions are probably affected, too, but they were not checked. -</p> - - -<h3>Unaffected versions</h3> - -<p> -SVN HEAD after r21799 (Sun Dec 31 13:27:53 2006 UTC)<br> -MPlayer 1.0rc1 + security patch -</p> - -<h4>Happy new year from the MPlayer team.</h4> - -</div> - - - -<div class="newsentry"> - -<h2> - <a name="mplayer10rc1">2006-10-22, Sunday :: MPlayer 1.0rc1 released</a> - <br><span class="poster">posted by the release team</span> -</h2> - -<p> -We wish to thank the Google Summer of Code project for sponsoring the -FFmpeg project. Thanks to the SoC program for 2006, the FFmpeg project -was able to get help from students to implement more native codecs. -</p> - -<p> -The highlights of this release are native VC-1/WMV3, On2 VP5 and VP62 -(used in some Flash video files) decoding, which works even on -non-Intel platforms, and SSA/ASS/color subtitles. -</p> - -<p> -Furthermore we can now run natively on Intel Macs (you just have to -pass --disable-win32 --disable-mp3lib to configure), -endpos was -finally added to MPlayer and the Windows GUI has seen a number of -improvements. -</p> - -<p> -Vorbis decoding has seen a big speedup, as has H.264. The -optimizations to H.264 are still ongoing, but the difference should -already be noticeable. -</p> - -<p> -And last not least many bugs were found and fixed since pre8. 
-</p> - -<p> -MPlayer 1.0rc1 will no longer load a file-specific configure file -located in the same directory as the file you're playing, because of -potential security concerns (thanks to Rudolf Polzer for pointing this -out); if you want to restore the old behavior add -use-filedir-conf. -</p> - -<p> -If you already have the binary codec package from pre8 you don't need -to redownload it: The new 20061022 packages do not contain any new -codecs, they just miss some that now work natively. -</p> - -<h3>MPlayer 1.0rc1: <i>"Codename intentionally left blank"</i></h3> - -<h4>DOCS:</h4> - -<ul> - <li>German documentation translation finished</li> - <li>Russian documentation translation synced and almost finished</li> -</ul> - -<h4>Drivers:</h4> - -<ul> - <li>IVTV hardware MPEG audio/video decoder output</li> - <li>ALSA audio output: AC3 passthrough now works even when the device - name of the digital output port has been set by the user</li> - <li>bicubic OpenGL scaling works with ATI cards</li> - <li>md5sum switched to the libavutil MD5 implementation</li> - <li>support for libcaca 1.0 via compatibility layer</li> -</ul> - -<h4>Decoders:</h4> - -<ul> - <li>liba52 updated to 0.7.4 (slightly faster)</li> - <li>SSE optimizations for mp3lib</li> - <li>removed support for obsolete and non-free divx4 libraries</li> -</ul> - -<h4>Demuxers:</h4> - -<ul> - <li>audio stream switching in MPEG-TS/PS, Matroska and - streams supported by libavformat</li> - <li>audio stream switching between streams with different codecs</li> - <li>libavformat demuxer now honors -alang</li> - <li>chapter seeking in Matroska files</li> - <li>fixed seeking to absolute and percent position for libavformat demuxer</li> - <li>NUT demuxer using libnut</li> - <li>Matroska SimpleBlock support</li> -</ul> - -<h4>Inputs:</h4> - -<ul> - <li>split of stream layer from libmpdemux to new stream library</li> - <li>PVR input for hardware MPEG encoder based cards, such as Hauppauge - WinTV PVR-150/250/350/500 AKA 
IVTV but also pvrusb2 and cx88 - (requires Linux >= 2.6.18 kernel, featuring native V4L2 MPEG API)</li> - <li>native RTSP input (handles MPEG-TS over RTP) for generic RTSP servers</li> - <li>support for seeking to chapters in dvd:// and dvdnav:// streams</li> - <li>radio support (radio://)</li> -</ul> - -<h4>FFmpeg/libavcodec:</h4> - -<ul> - <li>VC-1/WMV3/WMV9 video decoder</li> - <li>Vorbis decoding speedup, now default Vorbis decoder</li> - <li>VMware Video decoder</li> - <li>On2 VP50 and VP62 decoder</li> - <li>lossless audio decoders: WavPack, TTA, Shorten</li> - <li>CAVS decoder</li> - <li>GXF muxer/demuxer</li> - <li>MXF demuxer</li> - <li>much improved FLAC encoder</li> - <li>more H.264 decoding speed improvements, plus support for -lavdopts fast</li> - <li>Theora decoder fixes</li> - <li>preliminary Vorbis encoder</li> - <li>MTV demuxer</li> -</ul> - -<h4>GUI:</h4> - -<ul> - <li>Windows version added</li> - <li>drag-and-drop ignored last file</li> - <li>save and load cache setting correctly</li> - <li>working audio stream selection for Ogg and Matroska files</li> - <li>executable names like gmplayer_old etc. 
will now start GUI as well</li> - <li>-gui/-nogui options</li> - <li>xinerama fixes, now behaves similar to MPlayer without GUI</li> -</ul> - -<h4>Filters:</h4> - -<ul> - <li>MMX-optimizations for -vf yadif</li> - <li>MMX-optimizations for -vf zrmjpeg</li> -</ul> - -<h4>MEncoder:</h4> - -<ul> - <li>support of x264 encoding via libavcodec</li> - <li>rewrite -x264encopts option parser to use the 264 option parser; - likely breaks 3rd party tools as the syntax of some options has changed</li> - <li>removed support for obsolete and non-free divx4 libraries</li> -</ul> - -<h4>Ports:</h4> - -<ul> - <li>partial Intel Mac support, --disable-win32 --disable-mp3lib is needed</li> - <li>OpenGL can now create windows > screen size under Windows</li> - <li>allow filenames starting with \\ for remote paths on Windows</li> -</ul> - -<h4>Others:</h4> - -<ul> - <li>SSA/ASS subtitle renderer</li> - <li>-endpos option for MPlayer</li> - <li>-correct-pts option</li> - <li>UTF-8 used for OSD and subtitles, some bitmap fonts will no longer - work correctly and -subcp must be set for all non-UTF-8 subtitles</li> - <li>more audio-truncation fixes</li> - <li>libavutil mandatory for MPlayer compilation</li> - <li>more intuitive -edlout behaviour</li> - <li>-nortc is now default since -rtc has disadvantages with recent kernels</li> -</ul> - -<p> -MPlayer 1.0rc1 can be downloaded from the following locations. Please be kind -to our server and use one of our many mirrors. 
-</p> - -<ul> - <li>Switzerland - <a href="http://www1.mplayerhq.hu/MPlayer/releases/MPlayer-1.0rc1.tar.bz2">HTTP</a> - <a href="ftp://ftp1.mplayerhq.hu/MPlayer/releases/MPlayer-1.0rc1.tar.bz2">FTP</a></li> - <li>Hungary - <a href="http://www2.mplayerhq.hu/MPlayer/releases/MPlayer-1.0rc1.tar.bz2">HTTP</a> - <a href="ftp://ftp2.mplayerhq.hu/MPlayer/releases/MPlayer-1.0rc1.tar.bz2">FTP</a></li> - <li>USA - <a href="http://www3.mplayerhq.hu/MPlayer/releases/MPlayer-1.0rc1.tar.bz2">HTTP</a></li> - <li>Serbia - <a href="http://www4.mplayerhq.hu/MPlayer/releases/MPlayer-1.0rc1.tar.bz2">HTTP</a> - <a href="ftp://ftp4.mplayerhq.hu/MPlayer/releases/MPlayer-1.0rc1.tar.bz2">FTP</a></li> - <li>Korea - <a href="http://www5.mplayerhq.hu/MPlayer/releases/MPlayer-1.0rc1.tar.bz2">HTTP</a> - <a href="ftp://ftp5.mplayerhq.hu/MPlayer/releases/MPlayer-1.0rc1.tar.bz2">FTP</a></li> - <li>Sweden - <a href="http://www6.mplayerhq.hu/MPlayer/releases/MPlayer-1.0rc1.tar.bz2">HTTP</a> - <a href="ftp://ftp6.mplayerhq.hu/MPlayer/releases/MPlayer-1.0rc1.tar.bz2">FTP</a></li> - <li>Germany - <a href="ftp://ftp.fu-berlin.de/unix/X11/multimedia/MPlayer/releases/MPlayer-1.0rc1.tar.bz2">FTP</a></li> -</ul> - -<p> -MPlayer 1.0rc1 is also available on BitTorrent. -</p> - -<ul> - <li>BitTorrent - <a href="../../MPlayer/releases/MPlayer-1.0rc1.tar.bz2.torrent">torrent</a></li> -</ul> - -<p> -MD5SUM: <b>18c05d88e22c3b815a43ca8d7152ccdc</b><br> -SHA1SUM: <b>a450c0b0749c343a8496ba7810363c9d46dfa73c</b> -</p> - -</div> - <!-- content end --> _______________________________________________ MPlayer-DOCS mailing list [email protected] http://lists.mplayerhq.hu/mailman/listinfo/mplayer-docs
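Review bot: In the news-archive.src.en hunk (@@ -9,6 +9,294 @@), the three svn.mplayerhq.hu links in the vuln14 Solution paragraph carry a raw & in the query string (?r1=20717&r2=21799), which should be written as &amp; inside an href. The moved text also keeps the typos "If you mantain a binary package" and "And last not least". Since this commit is a straight move, fixing these in a separate follow-up commit would keep the added and removed text easy to compare.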
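Review bot: In the news.src.en hunk (@@ -537,292 +537,4 @@), deleting the two entries also deletes the named anchors vuln14 and mplayer10rc1 from the news page, so any existing link to those fragments on that page stops resolving once the entries live only in news-archive.src.en. vuln14 is the asmrp.c buffer overflow advisory, which is the kind of entry other sites link to directly; consider leaving a short pointer to the archive copy for it. The hunk sizes agree with a verbatim move (292 to 4 lines here, 6 to 294 lines in the archive, 288 lines each way).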
