[arch] [security] Warning on mplayer
JJDaNiMoTh
jjdanimoth at gmail.com
Tue Feb 27 11:35:28 EST 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------
Arch Linux Security Warning ALSW 2007-#10
- ------------------------------------------------------------
Name: mplayer
Date: 2007-02-27
Severity: High
Warning #: 2007-#10
- ------------------------------------------------------------
Product Background
===================
MPlayer is a media player capable of playing multiple media formats.
Problem Background
===================
A buffer overflow was found in MPlayer's RTSP plugin that could lead to
a Denial of Service or arbitrary code execution.
When checking for matching asm rules in the asmrp.c code, the results
are stored in a fixed-size array without boundary checks which may
allow a buffer overflow.
Impact
======
An attacker can entice a user to connect to a manipulated RTSP server
resulting in a Denial of Service and possibly execution of arbitrary
code.
Problem Packages
===================
- ------------------------------------------------------------------
Package | Repo  | Group      | Unsafe    | Safe         |
- ------------------------------------------------------------------
mplayer | extra | multimedia | <= 1.0rc1 | only patched |
Package Fix
===================
Apply this patch while waiting for 1.0rc2. From mplayer's website:
"Please note that we are not releasing an updated tarball with this
fix at this moment, since MPlayer 1.0rc2 is already in process.
If you need to stay with 1.0rc1, get the MPlayer 1.0rc1 tarball,
apply the patch with the fix and recompile MPlayer; else upgrade to SVN.
If you maintain a binary package for MPlayer, please name the updated
version MPlayer 1.0rc1try2."
The patch:
http://www.mplayerhq.hu/MPlayer/patches/asmrules_fix_20061231.diff
I'm really happy to introduce this page:
http://jjdanimoth.netsons.org/alsw.html
where I will summarize all warnings.
I am trying to make a place where we, members of the community, can talk about these:
http://jjdanimoth.netsons.org/flyspray/
Please give me your feedback on this.
Reference(s)
===================
http://security.gentoo.org/glsa/glsa-200702-11.xml
http://www.mplayerhq.hu/design7/news.html
Contact
===================
JJDaNiMoTh (jjdanimoth AT gmail DOT com)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFF5F3PcJj0HNhER0MRAuq2AKCL8RccpmsaYWgCOqIcGHcD99Qg/gCfUQyw
eLicvxFoasOShPt9e/YOBJ0=
=jS5H
-----END PGP SIGNATURE-----
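
The unchecked fixed-size array described under Problem Background, shown as a simplified C sketch next to a bounds-checked form. This is an added example, not code from asmrp.c or from the MPlayer patch; MAX_MATCHES, rule_matches, collect_unchecked and collect_checked are hypothetical names, and the rule list in main() is constructed sample input.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_MATCHES 16 /* assumed capacity for this sketch, not taken from asmrp.c */

/* Hypothetical stand-in for evaluating one rule against the client bandwidth. */
static int rule_matches(int min_bandwidth, int bandwidth) {
    return bandwidth >= min_bandwidth;
}

/* Unchecked pattern: the number of writes is decided by the rule list,
 * which comes from the server, not by the size of matches[]. */
int collect_unchecked(const int *rules, size_t n_rules, int bandwidth, int *matches) {
    int n = 0;
    for (size_t i = 0; i < n_rules; i++)
        if (rule_matches(rules[i], bandwidth))
            matches[n++] = (int)i; /* no bound: can write past the array */
    return n;
}

/* Checked pattern: the caller passes the capacity, one slot is kept for a
 * -1 terminator, and truncation is reported instead of overflowing. */
int collect_checked(const int *rules, size_t n_rules, int bandwidth,
                    int *matches, size_t capacity, int *truncated) {
    size_t n = 0;
    *truncated = 0;
    if (capacity == 0)
        return -1; /* nowhere to put even the terminator */
    for (size_t i = 0; i < n_rules; i++) {
        if (!rule_matches(rules[i], bandwidth))
            continue;
        if (n + 1 >= capacity) { /* keep the last slot for the terminator */
            *truncated = 1;
            break;
        }
        matches[n++] = (int)i;
    }
    matches[n] = -1;
    return (int)n;
}

int main(void) {
    int rules[40] = {0}; /* constructed input: 40 rules that all match */
    struct { int matches[MAX_MATCHES]; int canary; } frame = { {0}, 0x5AFE };
    int truncated;
    int n = collect_checked(rules, 40, 1000, frame.matches, MAX_MATCHES, &truncated);
    printf("stored=%d truncated=%d canary_ok=%d\n", n, truncated, frame.canary == 0x5AFE);
    return 0;
}
```

A caller should treat the truncated flag as a reason to reject the rule list, since it means the server supplied more matching rules than the client was built to hold.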