Bug 239130 - media-video/mplayer <1.0_rc2_p27725-r1 Real demuxer heap overflow (CVE-2008-3827)
Bug#: 239130 (CVE-2008-3827) Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: major Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: craig@gentoo.org
Component: Vulnerabilities
URL:  http://www.ocert.org/advisories/ocert-2008-013.html
Summary: media-video/mplayer <1.0_rc2_p27725-r1 Real demuxer heap overflow (CVE-2008-3827)
Keywords:  
Status Whiteboard: A2 [glsa]
Opened: 2008-09-30 10:05 0000
Description:   Opened: 2008-09-30 10:05 0000 
Description:

The MPlayer multimedia player suffers from a vulnerability which could result
in arbitrary code execution and at the least, in unexpected process
termination.

Three integer underflows located in the Real demuxer code can be used to
exploit a heap overflow, a specific video file can be crafted in order to make
the stream_read function reading or writing arbitrary amounts of memory.

The following patch fixes the issues:
http://www.ocert.org/patches/2008-013/mplayer_demux_real.patch

------- Comment #1 From Robert Buchholz 2008-09-30 16:37:33 0000 ------- 
apparently this is fixed in r27675, mplayer/trunk/libmpdemux/demux_real.c

------- Comment #2 From Leo Jackson 2008-09-30 20:51:17 0000 ------- 
Created an attachment (id=166868) [details]
The patch was released..

This was from the Maintainers

------- Comment #3 From Robert Buchholz 2008-10-04 18:42:26 0000 ------- 
Can we get either stable an mplayer that has this and bug 231836 fixed, or
apply the two patches onto our current stable?

------- Comment #4 From Steve Dibb 2008-10-07 01:57:32 0000 ------- 
mplayer-1.0_rc2_p27725 in the tree

------- Comment #5 From Stefan Behte 2008-10-18 23:33:31 0000 ------- 
I see that mplayer-1.0_rc2_p27725-r1 is in the tree, does
https://bugs.gentoo.org/show_bug.cgi?id=241110 still need to be fixed? I'd like
to get this thing into stable.

------- Comment #6 From Christian Hoffmann 2008-10-19 09:50:59 0000 ------- 
Arches, please test and mark stable:
  =media-video/mplayer-1.0_rc2_p27725-r1

Target keywords: "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Arches which don't even have ~arch: "alpha ia64 ppc sparc"

Apparently, there are still problems w/ sparc and alpha (according to the bug
in the dependencies), can you fix them beandog (or anyone from media-video)?

------- Comment #7 From Markus Meier 2008-10-19 14:30:13 0000 ------- 
this needs the following packages stable on amd64/x86 (according to repoman):
'>=media-video/dirac-0.10.0', 'media-libs/schroedinger',
'>=media-libs/x264-0.0.20080406'

------- Comment #8 From Alexis Ballier 2008-10-19 14:37:33 0000 ------- 
(In reply to comment #7)
> this needs the following packages stable on amd64/x86 (according to repoman):
> '>=media-video/dirac-0.10.0', 'media-libs/schroedinger',

these should be ok

> '>=media-libs/x264-0.0.20080406'
please check stable packages from:
http://tinderbox.dev.gentoo.org/misc/rindex/media-libs/x264
against 0.0.20080819
This snapshot had been slatted just before an API change; I don't remember any
specific breakage with that version, but better double check.
Note that you'll need to stabilize x264-encoder of the same version at the same
time.
0.0.20081006 changes a bit the API and will break a couple of stable packages.

------- Comment #9 From Markus Meier 2008-10-19 17:12:07 0000 ------- 
amd64/x86 stable for the following packages:
=media-video/dirac-1.0.0
=media-libs/schroedinger-1.0.5
=media-libs/x264-0.0.20080819
=media-video/x264-encoder-0.0.20080819
=media-video/mplayer-1.0_rc2_p27725-r1

------- Comment #10 From Guy Martin 2008-10-20 19:48:42 0000 ------- 
hppa stable

------- Comment #11 From Markus Rothe 2008-10-21 17:23:09 0000 ------- 
ppc64 stable

------- Comment #12 From Tobias Scherbaum 2008-10-30 20:08:44 0000 ------- 
ppc stable

------- Comment #13 From Tobias Klausmann 2008-11-09 11:44:12 0000 ------- 
Stable on alpha. Had to mask the dxr3 USE flag due to lack of hardware for
testing.

------- Comment #14 From Raúl Porcel 2008-11-10 11:24:09 0000 ------- 
ia64 stable, sparc is waiting for bug 241110

------- Comment #15 From Friedrich Oslage 2008-11-24 23:08:07 0000 ------- 
Sparc stable, sorry for the hold-up :(

------- Comment #16 From Robert Buchholz 2008-11-29 14:09:07 0000 ------- 
request filed

------- Comment #17 From Tobias Heinlein 2009-01-12 19:51:36 0000 ------- 
GLSA 200901-07. Thanks everyone, sorry about the delay.