Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Date: Thu, 25 Sep 2003 12:38:26 +0200
From: Gabucino <gabucino-NO-SPAM@mplayerhq.hu>
To: bugtraq@securityfocus.com
Subject: MPlayer Security Advisory #01: Remotely exploitable buffer overflow
User-Agent: Mutt/1.3.27i
X-Operating-System: Linux woodstock 2.4.22-xfs
Sender: <gabucino@mplayerhq.hu>

Severity:
  HIGH (if playing ASX streaming content)
  LOW  (if playing only normal files)

Description:
  A remotely exploitable buffer overflow vulnerability was found in MPlayer.
  A malicious host can craft a harmful ASX header, and trick MPlayer into
  executing arbitrary code upon parsing that header.

MPlayer versions affected:
  MPlayer 0.90pre series
  MPlayer 0.90rc series
  MPlayer 0.90
  MPlayer 0.91
  MPlayer 1.0pre1

MPlayer versions unaffected:
  MPlayer releases before 0.90pre1
  MPlayer 0.92
  MPlayer HEAD CVS

Notification status:
  Developers were notified on 2003.09.24
  Fix was committed into HEAD CVS at 2003.09.25 02:36:36 CEST
  MPlayer 0.92 (vuln-fix-only release) was released on 2003.09.25 12:00:00 CEST

Patch availability:
  A patch is available for all vulnerable versions.

Suggested upgrading methods:
  MPlayer 1.0pre1 users should upgrade to latest CVS
  MPlayer 0.91 (and below) users should upgrade to 0.92 OR latest CVS

MPlayer 0.92 is available for download.

--
Gabucino
MPlayer Core Team
*** Bug 29632 has been marked as a duplicate of this bug. ***
*** Bug 29725 has been marked as a duplicate of this bug. ***
FIX: Install MPlayer 0.92. This can be done in Portage by simply copying mplayer-0.91.ebuild to mplayer-0.92.ebuild and re-emerging mplayer. MPlayer 0.92 is (supposedly) exactly the same as 0.91, just with the buffer overflow patched, and applying this simple fix seems to work just fine.
How about MPlayer 1.0pre1? Are we going to be able to patch it, or shall we package.mask it?
Found the mplayer patch and bumping versions. Tested 0.92, works just fine. Not tested other than unpacking 1.00_pre1-r1 + security fix.
Just committed 0.92.
Just committed fix for 1.0_pre1 as 1.0_pre1-r1.
------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200309-15
------------------------------------------------------------------------

PACKAGE           : media-video/mplayer
SUMMARY           : Buffer Overflow Vulnerability
DATE              : 2003-09-27 21:37 UTC
EXPLOIT           : remote
VERSIONS AFFECTED : <=mplayer-0.91  =mplayer-1.0_pre1
FIXED VERSION     : =mplayer-0.92   =mplayer-1.0_pre1-r1
GENTOO BUG ID     : 29640
CVE               : none that we are aware of at this time

------------------------------------------------------------------------

SUMMARY:

A remotely exploitable buffer overflow vulnerability was found in MPlayer.
A malicious host can craft a harmful ASX header, and trick MPlayer into
executing arbitrary code upon parsing that header.

Read the full advisory at:
http://www.mplayerhq.hu/homepage/design6/news.html

SOLUTION:

It is recommended that all Gentoo Linux users who are running
media-video/mplayer upgrade to mplayer-0.92 as follows:

  emerge sync
  emerge =media-video/mplayer-0.92
  emerge clean

Additionally, PaX users might want to run: /sbin/chpax -m /usr/bin/mplayer
The 1.0_pre1-r1 ebuild seems to carry a wrong md5 in the digest file for Blue-1.0.tar.bz2. The md5 I get from the Blue-1.0.tar.bz2 file pulled from 3 mirrors matches the md5 in the older ebuild digest, so I assume a mistake seeped into the update. Resync didn't fix this for me :)
md5sum from http://gentoo.oregonstate.edu/distfiles/Blue-1.0.tar.bz2 shows ee26d46d5c52c5e3ac15164e78300b44.

This seems to go back a while:
http://www.mail-archive.com/gentoo-user@gentoo.org/msg17690.html

Ronald, please attach what md5sum you think this should be and why.
Resolving gentoo.oregonstate.edu... done.
Connecting to gentoo.oregonstate.edu[128.193.0.3]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 219,130 [application/x-tar]

100%[============================================================================================>] 219,130 13.77K/s ETA 00:00

21:52:43 (13.77 KB/s) - `Blue-1.0.tar.bz2' saved [219130/219130]

ronald@natasha ronald $ md5sum Blue-1.0.tar.bz2
64e2d18438bbef16822c141d846884f6  Blue-1.0.tar.bz2

This md5 matches the file I pulled from ftp.mirror.ac.uk, ftp.easynet.nl and ftp.student.utwente.nl.

# grep Blue digest-mplayer-0.92
MD5 64e2d18438bbef16822c141d846884f6 Blue-1.0.tar.bz2 219130
# grep Blue digest-mplayer-1.0_pre1-r1
MD5 ee26d46d5c52c5e3ac15164e78300b44 Blue-1.0.tar.bz2 219130

Also, the just now deleted digest-mplayer-1.0_pre1 carried the 64e2d... md5sum.
Reading the topic on gentoo-user that Solar pointed to, I downloaded Blue from http://www1.mplayerhq.hu/MPlayer/Skin/. This file also carries the 64e2d... md5sum, and this md5sum is the same as the one listed in the md5 file in the download dir.
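The check Ronald did by hand in the two comments above (md5sum the distfile, compare it to the `MD5 <hash> <file> <size>` line in the ebuild's digest) can be scripted. The following is an added example for this thread, not code from Portage or from the bug; the function name `check_digest`, the sample tarball and the two constructed digest files are this example's own. It reuses the mismatching hash ee26d46d... from the quoted 1.0_pre1-r1 digest as the "wrong" value, and the tiny fake Blue-1.0.tar.bz2 it builds is constructed, not the real skin archive.

```shell
#!/bin/sh
# Added example: re-check a Portage-style digest file against the distfiles on
# disk. Digest lines have the shape quoted in the thread: "MD5 <hash> <file> <size>".
# Not part of the bug thread or of Portage; check_digest and the sample data are
# this example's own constructions.

# check_digest DIGEST_FILE DISTFILES_DIR
# Prints one line per MD5 entry and returns 0 only if every entry matches on
# both hash and byte size; any MISSING, BAD MD5 or BAD SIZE entry returns 1.
check_digest() {
    digest="$1"
    distdir="$2"
    status=0
    while IFS=' ' read -r algo expected name size; do
        # Skip blank lines and non-MD5 entries (2003-era digests were MD5-only)
        [ "$algo" = "MD5" ] || continue
        path="$distdir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"
            status=1
            continue
        fi
        actual=$(md5sum "$path" | cut -d' ' -f1)
        actual_size=$(wc -c < "$path" | tr -d ' ')
        if [ "$actual" != "$expected" ]; then
            echo "BAD MD5  $name expected=$expected actual=$actual"
            status=1
        elif [ "$actual_size" != "$size" ]; then
            echo "BAD SIZE $name expected=$size actual=$actual_size"
            status=1
        else
            echo "OK       $name"
        fi
    done < "$digest"
    return "$status"
}

# Demonstration on constructed data: a fake Blue-1.0.tar.bz2 (a few bytes, not
# the real skin tarball) and two digests, one carrying its true MD5 and one
# carrying the mismatching ee26d46d... hash seen in digest-mplayer-1.0_pre1-r1.
demo_dir=$(mktemp -d)
printf 'constructed sample, not the real skin tarball\n' > "$demo_dir/Blue-1.0.tar.bz2"
true_md5=$(md5sum "$demo_dir/Blue-1.0.tar.bz2" | cut -d' ' -f1)
true_size=$(wc -c < "$demo_dir/Blue-1.0.tar.bz2" | tr -d ' ')
printf 'MD5 %s Blue-1.0.tar.bz2 %s\n' "$true_md5" "$true_size" > "$demo_dir/digest-good"
printf 'MD5 ee26d46d5c52c5e3ac15164e78300b44 Blue-1.0.tar.bz2 %s\n' "$true_size" > "$demo_dir/digest-bad"

echo "== digest with the correct hash =="
check_digest "$demo_dir/digest-good" "$demo_dir" && echo "verified"
echo "== digest with the wrong hash =="
check_digest "$demo_dir/digest-bad" "$demo_dir" || echo "do not install: digest mismatch"
rm -rf "$demo_dir"
```

Two caveats a practitioner would add. First, the size field is checked as well as the hash because a wrong hash with the right size (exactly the situation in this bug) points at a bad digest entry rather than a truncated download, which helps decide whether to re-fetch or to file a bug. Second, MD5 is not collision resistant, so a matching digest rules out corruption and careless tampering but not a deliberately crafted collision; later Portage Manifests moved to stronger hashes for this reason.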
*** Bug 29871 has been marked as a duplicate of this bug. ***
gentoo-devs, please update your Blue-1.0.tar.bz2 digest; update now in CVS.
*** Bug 29859 has been marked as a duplicate of this bug. ***
*** Bug 29555 has been marked as a duplicate of this bug. ***
Can someone explain to me how Bug 29859 is a duplicate?