Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 231836

Summary: media-video/mplayer < 1.0_rc2_p27725 FFmpeg psxstr.c Buffer overflow (CVE-2008-3162)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: media-video
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 231831, 241110    
Bug Blocks:    
Attachments:
Description Flags
mplayer-1.0_rc2_p26753-CVE-2008-3162.patch none

Description Robert Buchholz (RETIRED) gentoo-dev 2008-07-15 03:32:58 UTC 
+++ This bug was initially created as a clone of Bug #231831 +++

CVE-2008-3162 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3162):
  Stack-based buffer overflow in the str_read_packet function in
  libavformat/psxstr.c in FFmpeg before r13993 allows remote attackers to cause
  a denial of service (application crash) or execute arbitrary code via a
  crafted STR file that interleaves audio and video sectors.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-07-15 03:33:22 UTC 
Created attachment 160415 [details, diff]
mplayer-1.0_rc2_p26753-CVE-2008-3162.patch
Comment 2 Steve Dibb (RETIRED) gentoo-dev 2008-10-07 01:57:21 UTC 
mplayer-1.0_rc2_p27725 in the tree
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-10-09 21:53:00 UTC 
(In reply to comment #2)
> mplayer-1.0_rc2_p27725 in the tree
> 

Some ~arch keywords are missing, is that intentional?
Comment 4 Steve Dibb (RETIRED) gentoo-dev 2008-10-10 13:12:57 UTC 
(In reply to comment #3)
> (In reply to comment #2)
> > mplayer-1.0_rc2_p27725 in the tree
> > 
> 
> Some ~arch keywords are missing, is that intentional?
> 

No, that was a bit of a keyword snafoo on my part.  See bug 241110
Comment 5 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-19 09:51:08 UTC 
Stabling is handled in bug 239130.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-11-29 14:08:42 UTC 
request filed
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2009-01-12 19:50:53 UTC 
GLSA 200901-07. Thanks everyone, sorry about the delay.