Author: rtogni Date: Tue Jan 29 23:49:17 2008 New Revision: 3126 Log: Security fixes for demux_mov.c and demux_audio.c
Modified: trunk/src/news.src.en Modified: trunk/src/news.src.en ============================================================================== --- trunk/src/news.src.en (original) +++ trunk/src/news.src.en Tue Jan 29 23:49:17 2008 @@ -9,6 +9,130 @@ <div class="newsentry"> <h2> + <a name="vuln17">2008-01-29, Tuesday :: buffer overflow in demux_mov.c</a> + <br><span class="poster">posted by Roberto</span> +</h2> + +<h3>Summary</h3> + +<p> +A buffer overflow was found and reported by Felipe Manzano and Anibal Sacco of +CORE Security Technologies in the code used to parse the mov file headers. +Other similar issues were found by Reimar Döffinger while fixing the code. +The vulnerability is identified with CORE-2008-0122. +</p> + +<p> +The code read some values from the file and uses them as indexes into an array +allocated on the heap, without performing any boundary check. A malicious file +may be used to trigger a buffer overflow in the program, that can lead to +arbitrary code execution with the UID of the user running MPlayer. +</p> + +<h3>Severity</h3> + +<p> +High (arbitrary code execution under the user ID running the player) when +playing a malicious mov file, null if you do not use this feature. At the time +the buffer overflow was fixed there was no known exploit in the wild. +</p> + +<h3>Solution</h3> + +<p> +A +<a href="http://svn.mplayerhq.hu/mplayer/trunk/libmpdemux/demux_mov.c?r1=25920&r2=25922";>fix</a> +for this problem was committed to SVN on Tue Jan 29 22:13:20 2008 UTC as r25920, +Tue Jan 29 22:13:47 2008 UTC as r25921 and Tue Jan 29 22:14:00 2008 UTC as +r25922. +Users of affected MPlayer versions should download a +<a href="http://www.mplayerhq.hu/MPlayer/patches/demux_mov_fix_20080129.diff";>patch</a> +for MPlayer 1.0rc2 or update to the latest version if they're using SVN. +</p> + +<h3>Affected versions</h3> + +<p> +MPlayer 1.0rc2 and SVN before r25922 (Tue Jan 29 22:14:00 2008 UTC). +Older versions are probably affected, too, but they were not checked. +</p> + + +<h3>Unaffected versions</h3> + +<p> +SVN HEAD after r25922 (Tue Jan 29 22:14:00 2008 UTC)<br> +MPlayer 1.0rc2 + security patches +</p> + +</div> + + + +<div class="newsentry"> + +<h2> + <a name="vuln16">2008-01-29, Tuesday :: stack overflow in demux_audio.c</a> + <br><span class="poster">posted by Roberto</span> +</h2> + +<h3>Summary</h3> + +<p> +A stack overflow was found and reported by Damian Frizza and Alfredo Ortega of +CORE Security Technologies in the code used to parse FLAC comments. The +vulnerability is identified with CORE-2008-1218. +</p> + +<p> +When loading a comment from the file, a length value is read from the file and +then used as an index to a VLA array with no check performed. A malicious file +could trigger a stack overflow in the program, leading to arbitrary code +execution with the UID of the user running MPlayer. +</p> + +<h3>Severity</h3> + +<p> +High (arbitrary code execution under the user ID running the player) when +playing a FLAC file with malicious comments, null if you do not use this +feature. At the time the buffer overflow was fixed there was no known exploit +in the wild. +</p> + +<h3>Solution</h3> + +<p> +A +<a href="http://svn.mplayerhq.hu/mplayer/trunk/libmpdemux/demux_audio.c?r1=25911&r2=25917";>fix</a> +for this problem was committed to SVN on Tue Jan 29 22:00:58 2008 UTC as r25917. +Users of affected MPlayer versions should download a +<a href="http://www.mplayerhq.hu/MPlayer/patches/demux_audio_fix_20080129.diff";>patch</a> +for MPlayer 1.0rc2 or update to the latest version if they're using SVN. +</p> + +<h3>Affected versions</h3> + +<p> +MPlayer 1.0rc2 and SVN before r25917 (Tue Jan 29 22:00:58 2008 UTC). +Older versions are probably affected, too, but they were not checked. +</p> + + +<h3>Unaffected versions</h3> + +<p> +SVN HEAD after r25917 (Tue Jan 29 22:00:58 2008 UTC)<br> +MPlayer 1.0rc2 + security patches +</p> + +</div> + + + +<div class="newsentry"> + +<h2> <a name="HUPAward2007">2008-01-03, Wednesday :: HUP Readers' Choice Award 2007</a> <br><span class="poster">posted by Diego</span> </h2> _______________________________________________ MPlayer-DOCS mailing list [email protected] https://lists.mplayerhq.hu/mailman/listinfo/mplayer-docs
