239130 CVE-2008-3827 2008-09-30 10:05 0000 media-video/mplayer <1.0_rc2_p27725-r1 Real demuxer heap overflow (CVE-2008-3827) 2009-01-12 19:51:36 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.ocert.org/advisories/ocert-2008-013.html A2 [glsa] P2 major --- 241110 1 craig@gentoo.org security@gentoo.org media-video@gentoo.org craig@gentoo.org 2008-09-30 10:05:40 0000 Description: The MPlayer multimedia player suffers from a vulnerability which could result in arbitrary code execution and at the least, in unexpected process termination. Three integer underflows located in the Real demuxer code can be used to exploit a heap overflow, a specific video file can be crafted in order to make the stream_read function reading or writing arbitrary amounts of memory. The following patch fixes the issues: http://www.ocert.org/patches/2008-013/mplayer_demux_real.patch rbu@gentoo.org 2008-09-30 16:37:33 0000 apparently this is fixed in r27675, mplayer/trunk/libmpdemux/demux_real.c lajjr@yahoo.com 2008-09-30 20:51:17 0000 Created an attachment (id=166868) The patch was released.. This was from the Maintainers rbu@gentoo.org 2008-10-04 18:42:26 0000 Can we get either stable an mplayer that has this and bug 231836 fixed, or apply the two patches onto our current stable? beandog@gentoo.org 2008-10-07 01:57:32 0000 mplayer-1.0_rc2_p27725 in the tree craig@gentoo.org 2008-10-18 23:33:31 0000 I see that mplayer-1.0_rc2_p27725-r1 is in the tree, does https://bugs.gentoo.org/show_bug.cgi?id=241110 still need to be fixed? I'd like to get this thing into stable. hoffie@gentoo.org 2008-10-19 09:50:59 0000 Arches, please test and mark stable: =media-video/mplayer-1.0_rc2_p27725-r1 Target keywords: "alpha amd64 hppa ia64 ppc ppc64 sparc x86" Arches which don't even have ~arch: "alpha ia64 ppc sparc" Apparently, there are still problems w/ sparc and alpha (according to the bug in the dependencies), can you fix them beandog (or anyone from media-video)? maekke@gentoo.org 2008-10-19 14:30:13 0000 this needs the following packages stable on amd64/x86 (according to repoman): '>=media-video/dirac-0.10.0', 'media-libs/schroedinger', '>=media-libs/x264-0.0.20080406' aballier@gentoo.org 2008-10-19 14:37:33 0000 (In reply to comment #7) > this needs the following packages stable on amd64/x86 (according to repoman): > '>=media-video/dirac-0.10.0', 'media-libs/schroedinger', these should be ok > '>=media-libs/x264-0.0.20080406' please check stable packages from: http://tinderbox.dev.gentoo.org/misc/rindex/media-libs/x264 against 0.0.20080819 This snapshot had been slatted just before an API change; I don't remember any specific breakage with that version, but better double check. Note that you'll need to stabilize x264-encoder of the same version at the same time. 0.0.20081006 changes a bit the API and will break a couple of stable packages. maekke@gentoo.org 2008-10-19 17:12:07 0000 amd64/x86 stable for the following packages: =media-video/dirac-1.0.0 =media-libs/schroedinger-1.0.5 =media-libs/x264-0.0.20080819 =media-video/x264-encoder-0.0.20080819 =media-video/mplayer-1.0_rc2_p27725-r1 gmsoft@gentoo.org 2008-10-20 19:48:42 0000 hppa stable corsair@gentoo.org 2008-10-21 17:23:09 0000 ppc64 stable dertobi123@gentoo.org 2008-10-30 20:08:44 0000 ppc stable klausman@gentoo.org 2008-11-09 11:44:12 0000 Stable on alpha. Had to mask the dxr3 USE flag due to lack of hardware for testing. armin76@gentoo.org 2008-11-10 11:24:09 0000 ia64 stable, sparc is waiting for bug 241110 bluebird@gentoo.org 2008-11-24 23:08:07 0000 Sparc stable, sorry for the hold-up :( rbu@gentoo.org 2008-11-29 14:09:07 0000 request filed keytoaster@gentoo.org 2009-01-12 19:51:36 0000 GLSA 200901-07. Thanks everyone, sorry about the delay. 166868 2008-09-30 20:51 0000 The patch was released.. mplayer_demux_real.patch text/plain SW5kZXg6IGxpYm1wZGVtdXgvZGVtdXhfcmVhbC5jCj09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIGxpYm1wZGVtdXgv ZGVtdXhfcmVhbC5jCShyZXZpc2lvbiAyNzYwNSkKKysrIGxpYm1wZGVtdXgvZGVtdXhfcmVhbC5j CSh3b3JraW5nIGNvcHkpCkBAIC05NDcsNiArOTQ3LDcgQEAKIAkJCSAgICAvLyBsYXN0IGZyYWdt ZW50IQogCQkJICAgIGlmKGRwX2hkci0+bGVuIT12cGtnX2xlbmd0aC12cGtnX29mZnNldCkKIAkJ CQltcF9tc2coTVNHVF9ERU1VWCxNU0dMX1YsIndhcm5pbmchIGFzc2VtYmxlZC5sZW49JWQgIGZy YWcubGVuPSVkICB0b3RhbC5sZW49JWQgIFxuIixkcC0+bGVuLHZwa2dfb2Zmc2V0LHZwa2dfbGVu Z3RoLXZwa2dfb2Zmc2V0KTsKKwkJCSAgICBpZiAodnBrZ19vZmZzZXQgPiBkcC0+bGVuIC0gc2l6 ZW9mKGRwX2hkcl90KSAtIGRwX2hkci0+bGVuKSB2cGtnX29mZnNldCA9IGRwLT5sZW4gLSBzaXpl b2YoZHBfaGRyX3QpIC0gZHBfaGRyLT5sZW47CiAgICAgICAgICAgICAJCSAgICBzdHJlYW1fcmVh ZChkZW11eGVyLT5zdHJlYW0sIGRwX2RhdGErZHBfaGRyLT5sZW4sIHZwa2dfb2Zmc2V0KTsKIAkJ CSAgICBpZigoZHBfZGF0YVtkcF9oZHItPmxlbl0mMHgyMCkgJiYgKHNoX3ZpZGVvLT5mb3JtYXQ9 PTB4MzAzMzU2NTIpKSAtLWRwX2hkci0+Y2h1bmtzOyBlbHNlCiAJCQkgICAgZHBfaGRyLT5sZW4r PXZwa2dfb2Zmc2V0OwpAQCAtOTcwLDYgKzk3MSw3IEBACiAJCQkvLyBub24tbGFzdCBmcmFnbWVu dDoKIAkJCWlmKGRwX2hkci0+bGVuIT12cGtnX29mZnNldCkKIAkJCSAgICBtcF9tc2coTVNHVF9E RU1VWCxNU0dMX1YsIndhcm5pbmchIGFzc2VtYmxlZC5sZW49JWQgIG9mZnNldD0lZCAgZnJhZy5s ZW49JWQgIHRvdGFsLmxlbj0lZCAgXG4iLGRwLT5sZW4sdnBrZ19vZmZzZXQsbGVuLHZwa2dfbGVu Z3RoKTsKKwkJCWlmIChsZW4gPiBkcC0+bGVuIC0gc2l6ZW9mKGRwX2hkcl90KSAtIGRwX2hkci0+ bGVuKSBsZW4gPSBkcC0+bGVuIC0gc2l6ZW9mKGRwX2hkcl90KSAtIGRwX2hkci0+bGVuOwogICAg ICAgICAgICAgCQlzdHJlYW1fcmVhZChkZW11eGVyLT5zdHJlYW0sIGRwX2RhdGErZHBfaGRyLT5s ZW4sIGxlbik7CiAJCQlpZigoZHBfZGF0YVtkcF9oZHItPmxlbl0mMHgyMCkgJiYgKHNoX3ZpZGVv LT5mb3JtYXQ9PTB4MzAzMzU2NTIpKSAtLWRwX2hkci0+Y2h1bmtzOyBlbHNlCiAJCQlkcF9oZHIt Pmxlbis9bGVuOwpAQCAtOTkyLDYgKzk5NCw3IEBACiAJCWV4dHJhWzBdPTE7IGV4dHJhWzFdPTA7 IC8vIG9mZnNldCBvZiB0aGUgZmlyc3QgY2h1bmsKIAkJaWYoMHgwMD09KHZwa2dfaGVhZGVyJjB4 YzApKXsKIAkJICAgIC8vIGZpcnN0IGZyYWdtZW50OgorCQkgICAgaWYgKGxlbiA+IGRwLT5sZW4g LSBzaXplb2YoZHBfaGRyX3QpKSBsZW4gPSBkcC0+bGVuIC0gc2l6ZW9mKGRwX2hkcl90KTsKIAkJ ICAgIGRwX2hkci0+bGVuPWxlbjsKIAkJICAgIHN0cmVhbV9yZWFkKGRlbXV4ZXItPnN0cmVhbSwg ZHBfZGF0YSwgbGVuKTsKIAkJICAgIGRzLT5hc2ZfcGFja2V0PWRwOwo=