Summary
A potential buffer overflow was found in the ASF demuxer, and further
analysis showed that the bug was in some more generic code in demuxer.h,
used to create and resize buffers. You can read the original bug report
here: "media-video/mplayer ASF File Parsing Integer Overflow
(CAN-2006-0579)" on Gentoo Bugzilla.

Severity
High (arbitrary remote code execution under the user ID running the
player) when streaming an ASF file from a malicious server, medium
(local code execution under the user ID running the player) if you play
a malicious ASF file locally. At the time the buffer overflow was fixed
there was no known exploit.

A debdiff for a breezy-security upload is attached.
-- 
Dennis K.
  - Linux for human beings: http://www.ubuntu.com
  - Linux voor iedereen:    http://www.ubuntu-nl.org
diff -u mplayer-1.0-pre7cvs20050716/debian/patches/00list mplayer-1.0-pre7cvs20050716/debian/patches/00list
--- mplayer-1.0-pre7cvs20050716/debian/patches/00list
+++ mplayer-1.0-pre7cvs20050716/debian/patches/00list
@@ -5,0 +6 @@
+57_demuxer_heap_overflow
diff -u mplayer-1.0-pre7cvs20050716/debian/changelog mplayer-1.0-pre7cvs20050716/debian/changelog
--- mplayer-1.0-pre7cvs20050716/debian/changelog
+++ mplayer-1.0-pre7cvs20050716/debian/changelog
@@ -1,3 +1,10 @@
+mplayer (1:1.0-pre7cvs20050716-0.1ubuntu9.1) breezy; urgency=low
+
+  * debian/patches/57_demuxer_heap_overflow.dpatch:
+    - CAN-2006-0579: heap overflow in mplayer demuxer routines
+
+ -- Dennis Kaarsemaker <[EMAIL PROTECTED]>  Sun, 26 Feb 2006 00:02:54 +0100
+
 mplayer (1:1.0-pre7cvs20050716-0.1ubuntu9) breezy; urgency=low
 
   * Install codecs.conf
only in patch2:
unchanged:
--- mplayer-1.0-pre7cvs20050716.orig/debian/patches/57_demuxer_heap_overflow.dpatch
+++ mplayer-1.0-pre7cvs20050716/debian/patches/57_demuxer_heap_overflow.dpatch
@@ -0,0 +1,58 @@
+#! /bin/sh -e
+
+if [ $# -ne 1 ]; then
+    echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
+    exit 1
+fi
+case "$1" in
+       -patch) patch -f --no-backup-if-mismatch -p1 < $0;;
+       -unpatch) patch -f --no-backup-if-mismatch -R -p1 < $0;;
+        *)
+                echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
+                exit 1;;
+esac
+exit 0
+
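Review bot: the dpatch has no description header, so nothing in debian/patches/ says what 57_demuxer_heap_overflow fixes or where it came from. After the `#! /bin/sh -e` line add the usual `## 57_demuxer_heap_overflow.dpatch by Dennis Kaarsemaker` and `## DP: CAN-2006-0579: heap overflow in libmpdemux/demuxer.h packet allocation` lines, and mention there that it is upstream demuxer.h 1.87 to 1.90 (that fact is otherwise only recoverable from the CVS headers below).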
+Index: libmpdemux/demuxer.h
+===================================================================
+RCS file: /cvsroot/mplayer/main/libmpdemux/demuxer.h,v
+retrieving revision 1.87
+retrieving revision 1.90
+diff -u -r1.87 -r1.90
+--- Mplayer-1.0pre7try2/libmpdemux/demuxer.h	9 Feb 2006 19:39:51 -0000	1.87
++++ Mplayer-1.0pre7try3/libmpdemux/demuxer.h	12 Feb 2006 17:01:30 -0000	1.90
+@@ -190,17 +190,19 @@
+   dp->flags=0;
+   dp->refcount=1;
+   dp->master=NULL;
+-  dp->buffer=len?(unsigned char*)malloc(len+8):NULL;
+-  if(len) memset(dp->buffer+len,0,8);
++  dp->buffer=NULL;
++  if (len > 0 && (dp->buffer = (unsigned char *)malloc(len + 8)))
++    memset(dp->buffer + len, 0, 8);
++  else
++    dp->len = 0;
+   return dp;
+ }
+ 
+ inline static void resize_demux_packet(demux_packet_t* dp, int len)
+ {
+-  if(len)
++  if(len > 0)
+   {
+      dp->buffer=(unsigned char *)realloc(dp->buffer,len+8);
+-     memset(dp->buffer+len,0,8);
+   }
+   else
+   {
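Review bot: `len > 0` in both new_demux_packet and resize_demux_packet stops the negative-length case, but `len + 8` is still signed `int` arithmetic, so a `len` above INT_MAX - 8 wraps (undefined behaviour) and the only thing standing between that and a short allocation is malloc rejecting the wrapped size; add an explicit upper bound such as `len > INT_MAX - 8` (or a sane packet-size cap) alongside the `len > 0` test. Separately, in resize_demux_packet the line `dp->buffer=(unsigned char *)realloc(dp->buffer,len+8);` overwrites the only pointer to the old block, so when realloc fails the later NULL check sets dp->len = 0 but the original buffer is leaked; use a temporary, e.g. `unsigned char *nb = realloc(dp->buffer, len + 8); if (nb) dp->buffer = nb;`, and decide what to do with the old data when the grow fails.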
+@@ -208,6 +210,10 @@
+      dp->buffer=NULL;
+   }
+   dp->len=len;
++  if (dp->buffer)
++     memset(dp->buffer + len, 0, 8);
++  else
++     dp->len = 0;
+ }
+ 
+ inline static demux_packet_t* clone_demux_packet(demux_packet_t* pack){
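Review bot: the failure path `else dp->len = 0;` is silent: resize_demux_packet is declared `void`, so a caller that derived `len` from the stream and then copies `len` bytes into `dp->buffer` has no signal that the buffer is NULL (or, after a failed realloc, still the old size). Either make the function return an int and check it at the call sites, or have callers compare `dp->len` with the length they asked for before writing. The `dp->len=len;` immediately above followed by `dp->len = 0` in the no-buffer case is harmless but redundant when `len <= 0`, since that branch already set `dp->buffer=NULL`.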

Attachment: signature.asc
Description: This is a digitally signed message part

-- 
Ubuntu-motu mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-motu
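The allocation pattern the patch above corrects, written out as an added C example; this is not code from the mail or from MPlayer. `pkt_t`, the `PAD` constant, the `MAX_PKT_LEN` cap and every function name are assumptions made for illustration. `old_len_check` and `old_alloc_size` reproduce the pre-fix `if(len)` / `malloc(len+8)` arithmetic without executing the out-of-bounds write, so the example shows why `len = -1` passed the old test and what size would have been allocated; `pkt_alloc` and `pkt_resize` are a hardened form that also bounds `len` against `INT_MAX - PAD` and keeps the old buffer when `realloc` fails.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the two fields of mplayer's demux_packet_t that the
 * allocation helpers touch (hypothetical, not the project's struct). */
typedef struct {
    int len;
    unsigned char *buffer;
} pkt_t;

#define PAD 8                          /* zeroed tail bytes, as in demuxer.h */
#define MAX_PKT_LEN (64 * 1024 * 1024) /* assumed upper bound; not from mplayer */

/* Pre-fix predicate `if(len)`: any non-zero value passes, negatives included. */
int old_len_check(int len)
{
    return len != 0;
}

/* Size the pre-fix `malloc(len+8)` would request.  Only meaningful for
 * small negative len (len near INT_MAX would overflow here as well). */
size_t old_alloc_size(int len)
{
    return (size_t)(len + PAD);
}

/* Post-fix predicate, tightened: positive, capped, and PAD can be added
 * without signed overflow. */
int pkt_len_ok(int len)
{
    return len > 0 && len <= MAX_PKT_LEN && len <= INT_MAX - PAD;
}

/* Allocate len data bytes plus PAD zero bytes.  Returns 0 on success,
 * -1 on a rejected length or malloc failure (buffer NULL, len 0). */
int pkt_alloc(pkt_t *p, int len)
{
    p->buffer = NULL;
    p->len = 0;
    if (!pkt_len_ok(len))
        return -1;
    p->buffer = malloc((size_t)len + PAD);
    if (!p->buffer)
        return -1;
    memset(p->buffer + len, 0, PAD);
    p->len = len;
    return 0;
}

/* Grow or shrink to len.  len == 0 releases the buffer; negative or
 * oversized len is rejected; a failed realloc leaves the packet unchanged
 * instead of leaking the old block. */
int pkt_resize(pkt_t *p, int len)
{
    unsigned char *nb;
    if (len == 0) {
        free(p->buffer);
        p->buffer = NULL;
        p->len = 0;
        return 0;
    }
    if (!pkt_len_ok(len))
        return -1;
    nb = realloc(p->buffer, (size_t)len + PAD);
    if (!nb)
        return -1;              /* p->buffer and p->len untouched */
    memset(nb + len, 0, PAD);
    p->buffer = nb;
    p->len = len;
    return 0;
}

/* 1 if the PAD bytes after the data are all zero, the invariant the
 * demuxer relies on when it reads a little past the end of a packet. */
int pkt_pad_is_zero(const pkt_t *p)
{
    int i;
    if (!p->buffer)
        return 0;
    for (i = 0; i < PAD; i++)
        if (p->buffer[p->len + i] != 0)
            return 0;
    return 1;
}

void pkt_free(pkt_t *p)
{
    free(p->buffer);
    p->buffer = NULL;
    p->len = 0;
}

int main(void)
{
    pkt_t p;
    int lens[] = { 1000, -1, INT_MAX - 3, 0 };
    size_t i;
    printf("len=-1: old check %d, old malloc size %zu, new check %d\n",
           old_len_check(-1), old_alloc_size(-1), pkt_len_ok(-1));
    if (pkt_alloc(&p, 16) == 0)
        memset(p.buffer, 0xff, 16);     /* data bytes; pad must stay zero */
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("resize to %d -> %d (len now %d, pad zero %d)\n", lens[i],
               pkt_resize(&p, lens[i]), p.len, pkt_pad_is_zero(&p));
    pkt_free(&p);
    return 0;
}
```

With `len = -1` the old predicate returns true and the old size computation yields 7, so the original code would allocate seven bytes and then `memset(buffer - 1, 0, 8)`; the hardened predicate rejects -1, 0-length resizes free the buffer explicitly, and a resize that fails for any reason leaves both `buffer` and `len` as they were so the caller can still use or free the packet.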
