Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 181097 - media-video/mplayer{-bin} CDDB Parsing Buffer Overflows (CVE-2007-2948)
Summary: media-video/mplayer{-bin} CDDB Parsing Buffer Overflows (CVE-2007-2948)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/24302/
Whiteboard: B2 [glsa]
Keywords:
Depends on: 182923
Blocks:
  Show dependency tree
 
Reported: 2007-06-06 15:51 UTC by Lars Hartmann
Modified: 2007-07-24 23:11 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Lars Hartmann 2007-06-06 15:51:35 UTC
Secunia Research has discovered some vulnerabilities in MPlayer, which can be exploited by malicious people to compromise a user's system.

1) A boundary error within the "cddb_query_parse()" function in stream/stream_cddb.c when parsing album titles can be exploited to cause a stack-based buffer overflow by tricking a user into parsing malicious CDDB entries via overly long album titles.

Successful exploitation allows execution of arbitrary code.

2) Boundary errors within the "cddb_parse_matches_list()" and "cddb_read_parse()" functions in stream/stream_cddb.c when parsing album and category titles can be exploited to cause stack-based buffer overflows by tricking a user into parsing malicious CDDB entries via overly long album or category titles.

Successful exploitation allows execution of arbitrary code, but may require that the user connects to a malicious server.

The vulnerabilities are confirmed in version 1.0rc1. Other versions may also be affected.

Solution:
Apply patch:
http://svn.mplayerhq.hu/mplayer/trunk...=23287&r2=23470&diff_format=u

Provided and/or discovered by:
1) Stefan Cornelius, Secunia Research
2) Stefan Cornelius, Secunia Research and Reimar Döffinger

Original Advisory:
Secunia Research:
http://secunia.com/secunia_research/2007-55/

Reproducible: Always
Comment 1 Lars Hartmann 2007-06-06 15:55:47 UTC
maintainers - please advice and bump as necessary
Comment 2 Lars Hartmann 2007-06-15 18:21:35 UTC
maintainers - please advice and bump as necessary
Comment 3 Steve Dibb (RETIRED) gentoo-dev 2007-06-22 15:27:40 UTC
mplayer-1.0.20070622 in tree
Comment 4 Lars Hartmann 2007-06-23 06:37:35 UTC
thaks maintainers for providing that ebuild

arches please test and mark stable target keywords are:
media-video/mplayer-1.0.20070622:KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 5 Simon Cooper 2007-06-23 10:12:28 UTC
AMD64: 

emerges ok (USE="3dnow 3dnowext X a52 aac alsa cddb cdparanoia dts dvb dvd dvdread encode gif gtk iconv jpeg lirc mad mmx mmxext mp3 openal opengl png rtc sdl srt sse sse2 truetype unicode v4l v4l2 vorbis x264 xv -aalib (-altivec) -amrnb -amrwb -arts -bidi -bindist -bl -cpudetection -custom-cflags -debug -dga -directfb -doc -dv -dvdnav -enca -esd -fbcon -ftp -ggi -ipv6 -ivtv -jack -joystick -libcaca -live -livecd -lzo -md5sum -mp2 -musepack -nas -oss -pnm -quicktime -radio -rar -real -samba -speex (-svga) -tga -theora -tivo (-vidix) (-win32codecs) -xanim -xinerama -xvid -xvmc -zoran" VIDEO_CARDS="-mga -s3virge -tdfx -vesa")

no collisions

warnings during emerge:

 * Make install completed
cp: cannot stat `/var/tmp/portage/media-video/mplayer-1.0.20070622/image//Gui/mplayer/pixmaps/logo.xpm': No such file or directory
>>> Completed installing mplayer-1.0.20070622 into /var/tmp/portage/media-video/mplayer-1.0.20070622/image/

ecompressdir: bzip2 -9 usr/share/man

 * QA Notice: Package has poor programming practices which may compile
 *            fine but exhibit random runtime failures.
 * asxparser.c:564: warning: dereferencing type-punned pointer will break strict-aliasing rules
...loads more errors of the same for different files

 * QA Notice: Package has poor programming practices which may compile
 *            fine but exhibit random runtime failures.
 * interface.c:655: warning: implicit declaration of function 'vcd_seek_to_track'
...similar errors with different functions

 * QA Notice: Package has poor programming practices which may compile
 *            fine but exhibit random runtime failures.
 * vf_qp.c:91: warning: incompatible implicit declaration of built-in function 'lrintf'
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2007-06-23 10:44:31 UTC
ppc64 stable
Comment 7 Jeroen Roovers gentoo-dev 2007-06-23 17:38:53 UTC
Marked stable for HPPA:
 media-libs/amrnb-6.1.0.3
 media-libs/amrwb-7.0.0.0
 media-video/mplayer-1.0.20070622
Comment 8 Christoph Mende (RETIRED) gentoo-dev 2007-06-23 18:23:13 UTC
amd64 done, thanks Simon
Comment 9 Harlan Lieberman-Berg (RETIRED) gentoo-dev 2007-06-24 02:57:15 UTC
Marked this bug as blocked by 183013 - mplayer fails compile.
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2007-06-24 22:04:59 UTC
alpha/ia64 stable
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2007-06-25 18:38:08 UTC
x86 stable
Comment 12 Gustavo Zacarias (RETIRED) gentoo-dev 2007-06-25 20:48:15 UTC
20070622 sparc stable.
Was -r1 intended to go stable? Because x86 did it.
Comment 13 Steve Dibb (RETIRED) gentoo-dev 2007-06-26 13:27:25 UTC
(In reply to comment #12)
> 20070622 sparc stable.
> Was -r1 intended to go stable? Because x86 did it.
> 

Minor changes, either one should be fine.  I marked -r1 stable on amd64.
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2007-06-28 19:39:33 UTC
ppc stable
Comment 15 Lars Hartmann 2007-07-04 06:47:15 UTC
arches please test and mark stable target keywords are:
media-video/mplayer-1.0.20070622-r1:KEYWORDS=alpha amd64 hppa ia64 ppc ppc64
sparc x86
Comment 16 Gustavo Zacarias (RETIRED) gentoo-dev 2007-07-04 12:50:58 UTC
Lars: why? As steve said -r1 isn't related to this security bug so you shouldn't have called for stabling here and just adds up to confusion...
Comment 17 Jeroen Roovers gentoo-dev 2007-07-04 19:16:19 UTC
(In reply to comment #16)
> Lars: why?

+1
Comment 18 Raúl Porcel (RETIRED) gentoo-dev 2007-07-05 11:50:58 UTC
alpha/ia64 stable
Comment 19 Markus Rothe (RETIRED) gentoo-dev 2007-07-05 19:52:48 UTC
ppc64 stable
Comment 20 Lars Hartmann 2007-07-08 22:12:24 UTC
this bug is ready for glsa decision
Comment 21 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-07-24 23:11:29 UTC
B2 always implies a GLSA.

GLSA 200707-07, thanks everybody