According to SecurityFocus: MPlayer is prone to a heap-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input data. Attackers can exploit this issue to execute arbitrary code with the privileges of the user running the application. Failed attacks will result in denial-of-service conditions. No upstream patch available yet.
Setting whiteboard and cc'ing maintainers. media-video: according to the advisory, mplayer upstream was contacted a month ago. It seems they have not discussed or committed anything related to this issue yet.
Patch to be found here: http://svn.mplayerhq.hu/mplayer/trunk/libmpdemux/aviheader.c?r1=23985&r2=24447
We did not fix this because it is not a security issue (only a null-pointer dereference) unless combined with a libc calloc integer overflow. This was our reply to the people reporting it; they never responded:

Hello,

On Mon, Jul 30, 2007 at 02:54:59PM +0800, Code Audit Labs wrote:
[...]
> and example code
> calloc(0x10000001, 0x10);
>
> it will return NULL in winxp or glibc 2.5

In this case it only results in a crash and is not critical (still, the suggestion of exchanging the checks seems good and will very likely be implemented).

> it will return 0x10 sizes heap in glibc <2.5 (maybe prior) or
> win2000 sp4

This is an integer overflow vulnerability in the calloc implementations (see also e.g. http://cert.uni-stuttgart.de/advisories/calloc.php), and we have no intention of working around it.

Greetings,
Reimar Döffinger
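The calloc behaviour discussed in the reply above (a count-times-size product that wraps on a 32-bit allocator and yields a tiny block instead of NULL) and the caller-side guard that makes the libc behaviour irrelevant, as an added C example; this is not MPlayer's code, and the function names (`calloc_size_overflows`, `wrapped_product32`, `checked_calloc`, `allocate_entries`) are illustrative:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Nonzero when nmemb * size cannot be represented in size_t. */
int calloc_size_overflows(size_t nmemb, size_t size) {
    return size != 0 && nmemb > SIZE_MAX / size;
}

/* The product a calloc that only keeps the low 32 bits would use.
 * Constructed to mirror the report: 0x10000001 * 0x10 wraps to 0x10. */
uint32_t wrapped_product32(uint32_t nmemb, uint32_t size) {
    return (uint32_t)((uint64_t)nmemb * size);   /* truncation is the bug */
}

/* calloc that rejects overflowing products itself instead of trusting libc. */
void *checked_calloc(size_t nmemb, size_t size) {
    if (calloc_size_overflows(nmemb, size))
        return NULL;
    return calloc(nmemb, size);
}

/* Caller pattern: validate the count first, allocate, then test for NULL
 * before touching the block (the "exchange the checks" suggestion).
 * Returns 0 on success and releases the block again; -1 on rejection. */
int allocate_entries(size_t count, size_t entry_size) {
    if (count == 0 || entry_size == 0)
        return -1;                       /* reject before allocating */
    void *entries = checked_calloc(count, entry_size);
    if (entries == NULL)
        return -1;                       /* overflow or out of memory */
    free(entries);
    return 0;
}

int main(void) {
    printf("low 32 bits of 0x10000001 * 0x10 = 0x%x\n",
           wrapped_product32(0x10000001u, 0x10));
    printf("SIZE_MAX/2+1 * 2 overflows: %d\n",
           calloc_size_overflows(SIZE_MAX / 2 + 1, 2));
    printf("allocate_entries(4, 16) -> %d\n", allocate_entries(4, 16));
    return 0;
}
```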
(In reply to comment #3)
> We did not fix this because it is not a security issue (only null-pointer
> dereference) unless combined with a libc calloc integer overflow.

Thanks a lot for getting back to us. I did not have time to review the patch and impact yet, sorry. CVE-2007-4938 has been assigned to this issue.
Any news? And is there actually anyone checking these security reports? Most even left the horrible spelling of the original report, quite a few silently removed the dependency on libc version mentioned in the original report etc.
(In reply to comment #5)
> Any news? And is there actually anyone checking these security reports?

Yes, we're checking them. That's why we opened a bug for it. A bug does not verify the claim the researchers made. I'm sorry if this non-issue causes you a headache upstream. I talked to nion who handled the Debian bug yesterday and agree this is only a possible Denial of Service, since glibc 2.3 and later have been stable on Gentoo for quite a while. Closing. Thanks again.
Thanks for looking into it. And sorry for my unrelated rant, which I couldn't resist making and which you unfortunately misunderstood: I wasn't complaining about you distro people. I was complaining about SecurityFocus etc., who not only didn't seem to have done much checking but also left out critical information, and of course the vulnhunt guys for completely ignoring our input. I really had expected more :-( (well, there is still CVE, maybe they manage a more useful description whenever they come around to handling it).