Bug 181097 - media-video/mplayer{-bin} CDDB Parsing Buffer Overflows (CVE-2007-2948)
Bug#: 181097
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: lars@chaotika.org
Component: Vulnerabilities
URL: http://secunia.com/advisories/24302/
Summary: media-video/mplayer{-bin} CDDB Parsing Buffer Overflows (CVE-2007-2948)
Keywords:
Status Whiteboard: B2 [glsa]
Opened: 2007-06-06 15:51 0000

Secunia Research has discovered some vulnerabilities in MPlayer, which can be
exploited by malicious people to compromise a user's system.
1) A boundary error within the "cddb_query_parse()" function in
stream/stream_cddb.c when parsing album titles can be exploited to cause a
stack-based buffer overflow by tricking a user into parsing malicious CDDB
entries via overly long album titles.
Successful exploitation allows execution of arbitrary code.
2) Boundary errors within the "cddb_parse_matches_list()" and
"cddb_read_parse()" functions in stream/stream_cddb.c when parsing album and
category titles can be exploited to cause stack-based buffer overflows by
tricking a user into parsing malicious CDDB entries via overly long album or
category titles.
Successful exploitation allows execution of arbitrary code, but may require
that the user connects to a malicious server.
The vulnerabilities are confirmed in version 1.0rc1. Other versions may also be
affected.
Solution:
Apply patch:
http://svn.mplayerhq.hu/mplayer/trunk...=23287&r2=23470&diff_format=u
Provided and/or discovered by:
1) Stefan Cornelius, Secunia Research
2) Stefan Cornelius, Secunia Research and Reimar Döffinger
Original Advisory:
Secunia Research:
http://secunia.com/secunia_research/2007-55/
Reproducible: Always
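The defect class the advisory describes is a CDDB reply field (album title, category) copied into a fixed-size stack buffer without a length check. The parser below is an added example, not code from MPlayer's stream/stream_cddb.c: it handles the CDDB exact-match query reply of the form "200 <category> <discid> <album title>" and rejects any field that would not fit its buffer, which is the mitigation the patch linked above applies to the real code. The buffer sizes, function names and sample replies are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Field sizes are assumptions for this example, not MPlayer's actual sizes. */
#define CATEGORY_MAX 32
#define TITLE_MAX    100

typedef struct {
    char category[CATEGORY_MAX];
    unsigned long disc_id;
    char title[TITLE_MAX];
} cddb_match_t;

/* Copy n bytes of src into dst (capacity cap) and NUL-terminate.
 * Returns 0 if it fits, -1 if it would not (dst is then left untouched). */
static int copy_bounded(char *dst, size_t cap, const char *src, size_t n)
{
    if (n >= cap)                               /* need one byte for the terminator */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Parse an exact-match query reply, "200 <category> <discid> <album title>".
 * Every field is length-checked before it reaches a fixed-size buffer; an
 * unbounded sscanf("%s") or strcpy at this point is the defect class the
 * advisory describes. Returns 0 on success, -1 on malformed input or an
 * over-long field. */
int cddb_parse_exact_match(const char *line, cddb_match_t *out)
{
    const char *p = line, *end;
    char *stop;

    if (strncmp(p, "200 ", 4) != 0)
        return -1;
    p += 4;

    end = strchr(p, ' ');                       /* category ends at the next space */
    if (!end || copy_bounded(out->category, sizeof out->category, p, (size_t)(end - p)) < 0)
        return -1;
    p = end + 1;

    out->disc_id = strtoul(p, &stop, 16);       /* disc id is hexadecimal */
    if (stop == p || *stop != ' ')
        return -1;
    p = stop + 1;

    end = p + strcspn(p, "\r\n");               /* title runs to end of line */
    return copy_bounded(out->title, sizeof out->title, p, (size_t)(end - p));
}

/* Build a constructed reply whose title is title_len 'A' characters and parse it.
 * Returns the parser's result: 0 if accepted, -1 if rejected. */
int parse_with_title_length(size_t title_len)
{
    char line[1024];
    cddb_match_t m;
    const char *prefix = "200 rock 940aa40b ";   /* constructed category and disc id */
    size_t plen = strlen(prefix);

    if (plen + title_len + 3 > sizeof line)     /* keep the constructed line itself in bounds */
        return -1;
    memcpy(line, prefix, plen);
    memset(line + plen, 'A', title_len);
    memcpy(line + plen + title_len, "\r\n", 3); /* CR, LF and NUL */
    return cddb_parse_exact_match(line, &m);
}

/* Parse a constructed benign reply and verify each field.
 * Returns 1 if all fields came out as expected, 0 otherwise. */
int parse_sample_benign(void)
{
    cddb_match_t m;
    const char *line = "200 rock 940aa40b Some Artist / Some Album\r\n";  /* constructed */

    if (cddb_parse_exact_match(line, &m) != 0)
        return 0;
    return strcmp(m.category, "rock") == 0
        && m.disc_id == 0x940aa40bUL
        && strcmp(m.title, "Some Artist / Some Album") == 0;
}

int main(void)
{
    printf("benign reply parsed correctly: %s\n", parse_sample_benign() ? "yes" : "no");
    printf("99-char title:  %s\n", parse_with_title_length(99)  == 0 ? "accepted" : "rejected");
    printf("100-char title: %s\n", parse_with_title_length(100) == 0 ? "accepted" : "rejected");
    printf("300-char title: %s\n", parse_with_title_length(300) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The boundary case is the one that matters: a 99-character title fills TITLE_MAX minus the terminator and is accepted, a 100-character title is rejected rather than written one byte past the buffer. Applying a width to the format specifier (for example `%99s` for a 100-byte buffer) is the equivalent fix when the parsing is done with sscanf.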
maintainers - please advise and bump as necessary
mplayer-1.0.20070622 in tree
thanks maintainers for providing that ebuild
arches please test and mark stable; target keywords are:
media-video/mplayer-1.0.20070622:KEYWORDS="alpha amd64 hppa ia64 ppc ppc64
sparc x86"
AMD64:
emerges ok (USE="3dnow 3dnowext X a52 aac alsa cddb cdparanoia dts dvb dvd
dvdread encode gif gtk iconv jpeg lirc mad mmx mmxext mp3 openal opengl png rtc
sdl srt sse sse2 truetype unicode v4l v4l2 vorbis x264 xv -aalib (-altivec)
-amrnb -amrwb -arts -bidi -bindist -bl -cpudetection -custom-cflags -debug -dga
-directfb -doc -dv -dvdnav -enca -esd -fbcon -ftp -ggi -ipv6 -ivtv -jack
-joystick -libcaca -live -livecd -lzo -md5sum -mp2 -musepack -nas -oss -pnm
-quicktime -radio -rar -real -samba -speex (-svga) -tga -theora -tivo (-vidix)
(-win32codecs) -xanim -xinerama -xvid -xvmc -zoran" VIDEO_CARDS="-mga -s3virge
-tdfx -vesa")
no collisions
warnings during emerge:
* Make install completed
cp: cannot stat
`/var/tmp/portage/media-video/mplayer-1.0.20070622/image//Gui/mplayer/pixmaps/logo.xpm':
No such file or directory
>>> Completed installing mplayer-1.0.20070622 into /var/tmp/portage/media-video/mplayer-1.0.20070622/image/
ecompressdir: bzip2 -9 usr/share/man
* QA Notice: Package has poor programming practices which may compile
* fine but exhibit random runtime failures.
* asxparser.c:564: warning: dereferencing type-punned pointer will break
strict-aliasing rules
...loads more errors of the same for different files
* QA Notice: Package has poor programming practices which may compile
* fine but exhibit random runtime failures.
* interface.c:655: warning: implicit declaration of function
'vcd_seek_to_track'
...similar errors with different functions
* QA Notice: Package has poor programming practices which may compile
* fine but exhibit random runtime failures.
* vf_qp.c:91: warning: incompatible implicit declaration of built-in function
'lrintf'
Marked stable for HPPA:
media-libs/amrnb-6.1.0.3
media-libs/amrwb-7.0.0.0
media-video/mplayer-1.0.20070622
Marked this bug as blocked by 183013 - mplayer fails compile.
20070622 sparc stable.
Was -r1 intended to go stable? Because x86 did it.
(In reply to comment #12)
> 20070622 sparc stable.
> Was -r1 intended to go stable? Because x86 did it.
>
Minor changes, either one should be fine. I marked -r1 stable on amd64.
arches please test and mark stable; target keywords are:
media-video/mplayer-1.0.20070622-r1:KEYWORDS=alpha amd64 hppa ia64 ppc ppc64
sparc x86
Lars: why? As steve said, -r1 isn't related to this security bug, so you
shouldn't have called for stabling here; it just adds to the confusion...
this bug is ready for glsa decision
B2 always implies a GLSA.
GLSA 200707-07, thanks everybody