Bug#: 122029
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>

Description:   Opened: 2006-02-07 12:48 0000
AFI Security Research has discovered two vulnerabilities in mplayer, which can
be exploited by malicious people to cause a DoS (Denial of Service) and
potentially compromise a user's system.

 Integer overflow errors exist in the "new_demux_packet()" function in
"libmpdemux/demuxer.h" and the "demux_asf_read_packet()" function in
"libmpdemux/demux_asf.c" when allocating memory to copy data from an ".asf"
file. This can be exploited to cause heap-based buffer overflows via a
specially crafted ".asf" file with an overly large value in the packet length
field. 

 The vulnerabilities have been confirmed in version 1.0pre7try2. Other versions
may also be affected.

Solution:
Do not open untrusted ".asf" files.
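
The class of bug described in the report above, as an added example that is not MPlayer's code and not the upstream patch linked in the comments: a length field read from a file is used to size an allocation plus padding, and 32-bit arithmetic wraps. The names `packet_t`, `unchecked_alloc_size`, `packet_new_checked`, the 8-byte padding and the 64 MiB cap are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PKT_PADDING 8u            /* assumed trailing padding (hypothetical) */
#define PKT_MAX_LEN (64u << 20)   /* assumed policy cap: 64 MiB */

typedef struct { uint8_t *buf; uint32_t len; } packet_t;

/* Size the unchecked pattern would pass to malloc(): the addition is done
 * in 32 bits, so a length close to UINT32_MAX wraps to a tiny allocation
 * while the later copy still uses the full length. */
uint32_t unchecked_alloc_size(uint32_t len)
{
    return len + PKT_PADDING;
}

/* Hardened allocation: validate the untrusted length before any arithmetic.
 * Returns 0 on success, -1 if len exceeds the cap, -2 if len claims more
 * data than the input holds, -3 on allocation failure. */
int packet_new_checked(packet_t *out, const uint8_t *src, size_t src_avail,
                       uint32_t len)
{
    if (len > PKT_MAX_LEN)
        return -1;                        /* also rules out the wrap */
    if (len > src_avail)
        return -2;                        /* length field lies about input */
    size_t total = (size_t)len + PKT_PADDING;
    uint8_t *p = malloc(total);
    if (p == NULL)
        return -3;
    memcpy(p, src, len);
    memset(p + len, 0, PKT_PADDING);      /* zero the padding */
    out->buf = p;
    out->len = len;
    return 0;
}

int main(void)
{
    static const uint8_t sample[16] = {0};   /* constructed input */
    packet_t pkt;
    printf("unchecked size for 0xFFFFFFFC: %u\n",
           (unsigned)unchecked_alloc_size(0xFFFFFFFCu));
    printf("checked result: %d\n",
           packet_new_checked(&pkt, sample, sizeof sample, 0xFFFFFFFCu));
    return 0;
}
```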

------- Comment #1 From Thierry Carrez (RETIRED) 2006-02-11 13:56:54 0000 -------
Waiting for upstream patch...

------- Comment #2 From Reimar Döffinger 2006-02-12 01:43:31 0000 -------
Please avoid saying ".asf", it sounds like you mean the extension, but what
matters here is that it is ASF file format - nobody cares about the extension.
And maybe this:
http://www1.mplayerhq.hu/cgi-bin/cvsweb.cgi/main/libmpdemux/demuxer.h.diff?r1=1.87&r2=1.88
already fixes it.

------- Comment #3 From Thierry Carrez (RETIRED) 2006-02-12 11:00:20 0000 -------
Should be bundled with bug 115760

------- Comment #4 From Reimar Döffinger 2006-02-13 08:41:37 0000 -------
This would be the current version of that patch:
http://www1.mplayerhq.hu/cgi-bin/cvsweb.cgi/main/libmpdemux/demuxer.h.diff?r1=1.87&r2=1.90&f=u
Just to make clear: I did _not_ check demux_asf.c for (further) problems.

------- Comment #5 From Thierry Carrez (RETIRED) 2006-02-16 12:58:47 0000 -------
*

------- Comment #6 From Thierry Carrez (RETIRED) 2006-02-21 10:39:25 0000 -------
Stable handling on bug 115760

------- Comment #7 From Thierry Carrez (RETIRED) 2006-03-03 10:11:43 0000 -------
Common GLSA with bug 115760

------- Comment #8 From Thierry Carrez (RETIRED) 2006-03-04 10:09:12 0000 -------
GLSA 200603-03
