Your message dated Mon, 15 Dec 2008 21:32:19 +0000
with message-id <e1lcl35-0003rv...@ries.debian.org>
and subject line Bug#508803: fixed in mplayer 1.0~rc2-19
has caused the Debian Bug report #508803,
regarding SA33136: MPlayer TwinVQ Processing Buffer Overflow Vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
508803: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508803
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Subject: SA33136: MPlayer TwinVQ Processing Buffer Overflow Vulnerability
Package: mplayer
Version: 1.0~rc1-12etch5
Severity: grave
Tags: security patch

Hi,

The following SA (Secunia Advisory) id was published for mplayer:

SA33136[1]

> Description:
> Tobias Klein has reported a vulnerability in MPlayer, which
> potentially can be exploited by malicious people to compromise a
> user's system.
>
> The vulnerability is caused due to a boundary error within the
> "demux_open_vqf()" function in libmpdemux/demux_vqf.c. This can be
> exploited to cause a stack-based buffer overflow via a specially
> crafted TwinVQ file.
>
> Successful exploitation may allow execution of arbitrary code.
>
> The vulnerability is reported in version 1.0rc2. Other versions may
> also be affected.
>
> Solution:
> Fixed in the SVN repository.
> http://svn.mplayerhq.hu/mplayer/branc...=24723&r2=28150&pathrev=28150
>
> Provided and/or discovered by:
> Tobias Klein
>
> Original Advisory:
> http://trapkit.de/advisories/TKADV2008-014.txt

You can find the patch[2] in the upstream svn repository.

If you fix the vulnerability please also make sure to include the CVE id
(if available) in the changelog entry.

[1]http://secunia.com/advisories/33136/
[2]http://svn.mplayerhq.hu/mplayer/branches/1.0rc2/libmpdemux/demux_vqf.c?view=patch&r1=24723&r2=28150&pathrev=28150

Cheers,
Giuseppe.



--- End Message ---
--- Begin Message ---
Source: mplayer
Source-Version: 1.0~rc2-19

We believe that the bug you reported is fixed in the latest version of
mplayer, which is due to be installed in the Debian FTP archive:

mplayer-dbg_1.0~rc2-19_amd64.deb
  to pool/main/m/mplayer/mplayer-dbg_1.0~rc2-19_amd64.deb
mplayer-doc_1.0~rc2-19_all.deb
  to pool/main/m/mplayer/mplayer-doc_1.0~rc2-19_all.deb
mplayer_1.0~rc2-19.diff.gz
  to pool/main/m/mplayer/mplayer_1.0~rc2-19.diff.gz
mplayer_1.0~rc2-19.dsc
  to pool/main/m/mplayer/mplayer_1.0~rc2-19.dsc
mplayer_1.0~rc2-19_amd64.deb
  to pool/main/m/mplayer/mplayer_1.0~rc2-19_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 508...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
A Mennucc1 <mennu...@debian.org> (supplier of updated mplayer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Mon, 15 Dec 2008 21:05:07 +0100
Source: mplayer
Binary: mplayer mplayer-dbg mplayer-doc
Architecture: source all amd64
Version: 1.0~rc2-19
Distribution: unstable
Urgency: high
Maintainer: A Mennucc1 <mennu...@debian.org>
Changed-By: A Mennucc1 <mennu...@debian.org>
Description: 
 mplayer    - movie player for Unix-like systems
 mplayer-dbg - debugging symbols for MPlayer
 mplayer-doc - documentation for MPlayer
Closes: 508803
Changes: 
 mplayer (1.0~rc2-19) unstable; urgency=high
 .
   * SA33136: MPlayer TwinVQ Processing Buffer Overflow Vulnerability
     Thanks to T. Klein, G. Iuculano, R. Döffinger  (Closes: #508803).

--- End Message ---
