
Bug 122029

Summary: media-video/mplayer ASF File Parsing Integer Overflow (CAN-2006-0579)
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: media-video, mgorny, Reimar.Doeffinger
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/18718/
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-02-07 12:48:52 UTC
AFI Security Research has discovered two vulnerabilities in mplayer, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

Integer overflow errors exist in the "new_demux_packet()" function in "libmpdemux/demuxer.h" and the "demux_asf_read_packet()" function in "libmpdemux/demux_asf.c" when allocating memory to copy data from an ".asf" file. This can be exploited to cause heap-based buffer overflows via a specially crafted ".asf" file with an overly large value in the packet length field.

The vulnerabilities have been confirmed in version 1.0pre7try2. Other versions may also be affected.

Solution:
Do not open untrusted ".asf" files.
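The bug class described above (an attacker-controlled packet length that wraps when padding is added to it, so the allocation is far smaller than the copy that follows) is easy to model. The block below is an added illustration, not MPlayer's code and not the patch discussed in this bug: the packet layout (4-byte little-endian length followed by payload), the PACKET_PADDING and MAX_PACKET_LEN constants, and all function names are assumptions made for the example. It shows the wrapping size computation beside a hardened reader that bounds the length before doing any arithmetic and rejects truncated input.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added illustration, not MPlayer's code. Models a demuxer that reads a
 * packet-length field from an ASF-style stream and allocates a buffer for
 * the payload plus some trailing padding. */

#define PACKET_PADDING 8u            /* assumption: padding appended after the payload */
#define MAX_PACKET_LEN (16u << 20)   /* assumption: no legitimate packet exceeds 16 MiB */

/* Vulnerable pattern: the allocation size is computed in 32-bit unsigned
 * arithmetic with no bound check. A length near UINT32_MAX wraps, so the
 * buffer is tiny while the later copy still uses the full 'len'. */
static uint32_t vuln_alloc_size(uint32_t len) {
    return len + PACKET_PADDING;     /* 0xFFFFFFF8 + 8 wraps to 0 */
}

/* Returns 1 if copying 'len' bytes into a vuln_alloc_size(len)-byte buffer
 * would run past the end of the heap allocation. */
static int vuln_would_overflow(uint32_t len) {
    return vuln_alloc_size(len) < len;
}

/* Hardened: bound the length before any arithmetic, then widen to size_t.
 * Returns 0 and stores the allocation size, or -1 for a rejected length. */
static int safe_alloc_size(uint32_t len, size_t *out) {
    if (len > MAX_PACKET_LEN) return -1;
    *out = (size_t)len + PACKET_PADDING;
    return 0;
}

/* Reader over a constructed packet: 4-byte little-endian length followed by
 * the payload. Uses the hardened size check and also refuses lengths that
 * exceed the bytes actually present. Returns the payload length, or -1 on
 * rejection; on success *payload_out is a malloc'd copy the caller frees. */
static long read_packet(const uint8_t *buf, size_t buflen, uint8_t **payload_out) {
    if (buflen < 4) return -1;
    uint32_t len = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                   ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    size_t alloc;
    if (safe_alloc_size(len, &alloc) != 0) return -1;   /* crafted length rejected */
    if (buflen - 4 < len) return -1;                     /* truncated stream */
    uint8_t *p = malloc(alloc);
    if (!p) return -1;
    memcpy(p, buf + 4, len);
    memset(p + len, 0, PACKET_PADDING);
    *payload_out = p;
    return (long)len;
}

int main(void) {
    /* Constructed samples: a benign 5-byte packet and one whose length field
     * is 0xFFFFFFF8, which the vulnerable computation wraps to a 0-byte alloc. */
    const uint8_t good[] = {5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
    const uint8_t evil[] = {0xF8, 0xFF, 0xFF, 0xFF, 'A', 'A', 'A', 'A'};
    uint8_t *payload = NULL;

    printf("vulnerable alloc for len=0xFFFFFFF8: %u bytes, overflow=%d\n",
           vuln_alloc_size(0xFFFFFFF8u), vuln_would_overflow(0xFFFFFFF8u));

    long n = read_packet(good, sizeof good, &payload);
    printf("good packet: read_packet returned %ld\n", n);
    free(payload);
    payload = NULL;

    n = read_packet(evil, sizeof evil, &payload);
    printf("crafted packet: read_packet returned %ld (rejected)\n", n);
    return 0;
}
```

The important ordering in safe_alloc_size is that the range check runs on the raw field before the padding is added; checking `len + PACKET_PADDING` after the fact would test an already-wrapped value. The second check in read_packet (length versus bytes present) is independent of the overflow and is what stops an over-read on a short or truncated file.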
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2006-02-11 13:56:54 UTC
Waiting for upstream patch...
Comment 2 Reimar Döffinger 2006-02-12 01:43:31 UTC
Please avoid saying ".asf", it sounds like you mean the extension, but what matters here is that it is ASF file format - nobody cares about the extension.
And maybe this: http://www1.mplayerhq.hu/cgi-bin/cvsweb.cgi/main/libmpdemux/demuxer.h.diff?r1=1.87&r2=1.88
already fixes it.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2006-02-12 11:00:20 UTC
Should be bundled with bug 115760
Comment 4 Reimar Döffinger 2006-02-13 08:41:37 UTC
This would be the current version of that patch:
http://www1.mplayerhq.hu/cgi-bin/cvsweb.cgi/main/libmpdemux/demuxer.h.diff?r1=1.87&r2=1.90&f=u
Just to make clear: I did _not_ check demux_asf.c for (further) problems.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2006-02-16 12:58:47 UTC
*
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2006-02-21 10:39:25 UTC
Stable handling on bug 115760
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2006-03-03 10:11:43 UTC
Common GLSA with bug 115760
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2006-03-04 10:09:12 UTC
GLSA 200603-03