Author: rtogni Date: Wed Jan 30 22:35:29 2008 New Revision: 3127 Log: Security fixes for url.c and stream_cddb.c
Modified: trunk/src/news.src.en Modified: trunk/src/news.src.en ============================================================================== --- trunk/src/news.src.en (original) +++ trunk/src/news.src.en Wed Jan 30 22:35:29 2008 
@@ -9,6 +9,130 @@ <div class="newsentry"> <h2> + <a name="vuln19">2008-01-30, Wednesday :: buffer overflow in stream_cddb.c</a> + <br><span class="poster">posted by Roberto</span> +</h2> + +<h3>Summary</h3> + +<p> +A buffer overflow was found and reported by Adam Bozanich of Musecurity in the +code used to extract album titles from cbbd server answers. +</p> + +<p> +When parsing answers from the cddb server, the album title is copied into a +fixed-size buffer with insufficient checks on its size, and may cause a buffer +overflow. A malicious database entry could trigger a buffer overflow in the +program, that can lead to arbitrary code execution with the UID of the user +running MPlayer. +</p> + +<h3>Severity</h3> + +<p> +High (arbitrary code execution under the user ID running the player) when +getting disk information from a malicious cddb entry, null if you do not use +this feature. Please note that it is possible to overwrite entries in the cddb +database, so an attack can also be performed via a non-compromised server. At +the time the buffer overflow was fixed there was no known exploit in the wild. +</p> + +<h3>Solution</h3> + +<p> +A +<a href="http://svn.mplayerhq.hu/mplayer/trunk/stream/stream_cddb.c?r1=25820&r2=25824">fix</a> +for this problem was committed to SVN on Sun Jan 20 20:58:02 2008 UTC as r25824. +Users of affected MPlayer versions should download a +<a href="http://www.mplayerhq.hu/MPlayer/patches/stream_cddb_fix_20080120.diff">patch</a> +for MPlayer 1.0rc2 or update to the latest version if they're using SVN. +</p> + +<h3>Affected versions</h3> + +<p> +MPlayer 1.0rc2 and SVN before r25824 (Sun Jan 20 20:58:02 2008 UTC). +Older versions are probably affected, too, but they were not checked. 
+</p> + + +<h3>Unaffected versions</h3> + +<p> +SVN HEAD after r25824 (Sun Jan 20 20:58:02 2008 UTC)<br> +MPlayer 1.0rc2 + security patches +</p> + +</div> + + + +<div class="newsentry"> + +<h2> + <a name="vuln18">2008-01-30, Wednesday :: buffer overflow in url.c</a> + <br><span class="poster">posted by Roberto</span> +</h2> + +<h3>Summary</h3> + +<p> +A buffer overflow was found and reported by Adam Bozanich of Musecurity in the +code used to escape url strings. +</p> + +<p> +The code used to skip over IPv6 addresses can be tricked to leave a pointer to +a temporary buffer with a non-NULL value; this causes the unescape code to reuse +the buffer, and may lead to a buffer overflow if the old buffer is smaller than +required. A malicious url string may be used to trigger a buffer overflow in the +program, that can lead to arbitrary code execution with the UID of the user +running MPlayer. +</p> + +<h3>Severity</h3> + +<p> +High (arbitrary code execution under the user ID running the player) if you can +play untrusted urls (eg. delivered by a remote playlist), null if you do not +use this feature. At the time the buffer overflow was fixed there was no known +exploit in the wild. +</p> + +<h3>Solution</h3> + +<p> +A +<a href="http://svn.mplayerhq.hu/mplayer/trunk/stream/url.c?r1=25648&r2=25823">fix</a> +for this problem was committed to SVN on Sun Jan 20 20:43:46 2008 UTC as r25823. +Users of affected MPlayer versions should download a +<a href="http://www.mplayerhq.hu/MPlayer/patches/url_fix_20080120.diff">patch</a> +for MPlayer 1.0rc2 or update to the latest version if they're using SVN. +</p> + +<h3>Affected versions</h3> + +<p> +MPlayer 1.0rc2 and SVN before r25823 (Sun Jan 20 20:43:46 2008 UTC). +Older versions are probably affected, too, but they were not checked. 
+</p> + + +<h3>Unaffected versions</h3> + +<p> +SVN HEAD after r25823 (Sun Jan 20 20:43:46 2008 UTC)<br> +MPlayer 1.0rc2 + security patches +</p> + +</div> + + + +<div class="newsentry"> + +<h2> <a name="vuln17">2008-01-29, Tuesday :: buffer overflow in demux_mov.c</a> <br><span class="poster">posted by Roberto</span> </h2> _______________________________________________ MPlayer-DOCS mailing list [email protected] https://lists.mplayerhq.hu/mailman/listinfo/mplayer-docs
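Review bot: In the Summary of the vuln19 entry, "cbbd server answers" is a typo for "cddb", which the following paragraph spells correctly; it should be fixed before the page is published. Both Solution links carry a raw "&" inside the href ("?r1=25820&r2=25824" and "?r1=25648&r2=25823"), which should be written as "&amp;" so the generated HTML stays valid. In both Severity paragraphs, "null if you do not use this feature" would read better as "none if you do not use this feature", and "eg." in the url.c entry should be "e.g.". The Affected versions sections say older versions "were not checked"; since the Solution only offers a patch for 1.0rc2, consider stating explicitly that users of older releases should upgrade rather than expect the patch to apply.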
