Home | Docs | Forums | Lists | Bugs | Planet | Store | GMN | Get Gentoo!
Not eligible to see or edit group visibility for this bug.
View Bug Activity | Format For Printing | XML | Clone This Bug
Description: The MPlayer multimedia player suffers from a vulnerability which could result in arbitrary code execution and at the least, in unexpected process termination. Three integer underflows located in the Real demuxer code can be used to exploit a heap overflow, a specific video file can be crafted in order to make the stream_read function reading or writing arbitrary amounts of memory. The following patch fixes the issues: http://www.ocert.org/patches/2008-013/mplayer_demux_real.patch
apparently this is fixed in r27675, mplayer/trunk/libmpdemux/demux_real.c
Created an attachment (id=166868) [details] The patch was released.. This was from the Maintainers
Can we get either stable an mplayer that has this and bug 231836 fixed, or apply the two patches onto our current stable?
mplayer-1.0_rc2_p27725 in the tree
I see that mplayer-1.0_rc2_p27725-r1 is in the tree, does https://bugs.gentoo.org/show_bug.cgi?id=241110 still need to be fixed? I'd like to get this thing into stable.
Arches, please test and mark stable: =media-video/mplayer-1.0_rc2_p27725-r1 Target keywords: "alpha amd64 hppa ia64 ppc ppc64 sparc x86" Arches which don't even have ~arch: "alpha ia64 ppc sparc" Apparently, there are still problems w/ sparc and alpha (according to the bug in the dependencies), can you fix them beandog (or anyone from media-video)?
this needs the following packages stable on amd64/x86 (according to repoman): '>=media-video/dirac-0.10.0', 'media-libs/schroedinger', '>=media-libs/x264-0.0.20080406'
(In reply to comment #7) > this needs the following packages stable on amd64/x86 (according to repoman): > '>=media-video/dirac-0.10.0', 'media-libs/schroedinger', these should be ok > '>=media-libs/x264-0.0.20080406' please check stable packages from: http://tinderbox.dev.gentoo.org/misc/rindex/media-libs/x264 against 0.0.20080819 This snapshot had been slatted just before an API change; I don't remember any specific breakage with that version, but better double check. Note that you'll need to stabilize x264-encoder of the same version at the same time. 0.0.20081006 changes a bit the API and will break a couple of stable packages.
amd64/x86 stable for the following packages: =media-video/dirac-1.0.0 =media-libs/schroedinger-1.0.5 =media-libs/x264-0.0.20080819 =media-video/x264-encoder-0.0.20080819 =media-video/mplayer-1.0_rc2_p27725-r1
hppa stable
ppc64 stable
ppc stable
Stable on alpha. Had to mask the dxr3 USE flag due to lack of hardware for testing.
ia64 stable, sparc is waiting for bug 241110
Sparc stable, sorry for the hold-up :(
request filed
GLSA 200901-07. Thanks everyone, sorry about the delay.
