This bug was tested against the publicly available POC in Intrepid / Hardy / Gutsy. In all cases the mplayer crashed.

mplayer realmplayerPOC.rm
MPlayer 1.0rc2-4.3.2 (C) 2000-2007 MPlayer Team
CPU: Intel(R) Core(TM)2 Duo CPU T7500 @ 2.20GHz (Family: 6, Model: 15, Stepping: 11)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled with runtime CPU detection.
mplayer: could not connect to socket
mplayer: No such file or directory
Failed to open LIRC support. You will not be able to use your remote control.

Playing realmplayerPOC.rm.
REAL file format detected.
Stream description: Exploit!
Stream mimetype: video/x-pn-realvideo
[real] Video stream found, -vid 1
Stream description: Exploit!
Stream mimetype: audio/X-MP3-draft-00
[real] Audio stream found, -aid 0
VIDEO: [RV20] 1x1 24bpp 30.000 fps 0.0 kbps ( 0.0 kbyte/s)
xscreensaver_disable: Could not find XScreenSaver window.
GNOME screensaver disabled
==========================================================================
Opening video decoder: [ffmpeg] FFmpeg's libavcodec codec family
[rv20 @ 0x896b2d0]unknown header 10
Selected video codec: [ffrv20] vfm: ffmpeg (FFmpeg RV20 decoder)
==========================================================================
==========================================================================
Forced audio codec: mad
Opening audio decoder: [ffmpeg] FFmpeg/libavcodec audio decoders
AUDIO: 24000 Hz, 2 ch, s16le, 48.0 kbit/6.25% (ratio: 6000->96000)
Selected audio codec: [ffmp3adu] afm: ffmpeg (FFmpeg MPEG layer-3 adu audio decoder)
==========================================================================
AO: [pulse] 24000Hz 2ch s16le (2 bytes per sample)
Starting playback...
[rv20 @ 0x896b2d0]error, qscale:0
[rv20 @ 0x896b2d0]HEADER ERROR
[rv20 @ 0x896b2d0]error, qscale:0 0.000 1/ 1 ??% ??% ??,?% 0 0
[rv20 @ 0x896b2d0]HEADER ERROR
[rv20 @ 0x896b2d0]error, qscale:0 -0.003 2/ 2 ??% ??% ??,?% 0 0
[rv20 @ 0x896b2d0]HEADER ERROR
A: -0.2 V: 0.0 A-V: -0.222 ct: -0.010 3/ 3 ??% ??% ??,?% 0 0

Exiting... (End of file)
*** glibc detected *** mplayer: free(): invalid next size (normal): 0x0a132438 ***
======= Backtrace: =========
<snip stacktrace>

After applying the fix, mplayer no longer crashes.

Note to other testers: When testing from within a chroot environment, there is no graphical display and you should execute mplayer with the mplayer -vo null option.

--
[CVE-2008-3827] Multiple integer underflows in MPlayer 1.0_rc2 and earlier allow remote attackers to cause a denial of service
https://bugs.launchpad.net/bugs/279030
