Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 208566 (CVE-2008-0485) - media-video/mplayer: various security issues (CVE-2008-0485, CVE-2008-0486, CVE-2008-0629, CVE-2008-0630)
Summary: media-video/mplayer: various security issues (CVE-2008-0485, CVE-2008-0486, ...
Status: RESOLVED FIXED
Alias: CVE-2008-0485
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/28779/
Whiteboard: A2 [glsa]
Keywords:
: 209104 (view as bug list)
Depends on:
Blocks:
 
Reported: 2008-02-02 12:08 UTC by Hanno Böck
Modified: 2008-12-29 21:17 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2008-02-02 12:08:01 UTC 
from mplayerhq.hu:

2008-01-29, Tuesday :: stack overflow in demux_audio.c
2008-01-29, Tuesday :: buffer overflow in demux_mov.c
2008-01-30, Wednesday :: buffer overflow in url.c
2008-01-30, Wednesday :: buffer overflow in stream_cddb.c

All fixed in current mplayer svn, no release (and probably not to be expected soon).
Comment 1 Hanno Böck gentoo-dev 2008-02-06 11:40:10 UTC 
*** Bug 209104 has been marked as a duplicate of this bug. ***
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-10 14:53:48 UTC 
media-video please advise.
Comment 3 Steve Dibb (RETIRED) gentoo-dev 2008-02-14 01:35:17 UTC 
(In reply to comment #2)
> media-video please advise.
> 

media-video/mplayer-1.0_rc2_p25993 in tree
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-14 19:02:15 UTC 
Arches please test and mark stable. Target keywords are:

mplayer-1.0_rc2_p25993.ebuild:KEYWORDS="alpha amd64 hppa ia64 ~mips ppc ppc64 sparc x86 ~x86-fbsd"
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2008-02-14 20:26:16 UTC 
x86 stable
Comment 6 Ferris McCormick (RETIRED) gentoo-dev 2008-02-14 21:46:19 UTC 
Sparc stable (also for media-libs/libggiwmh-0.3.2 which is required if USE=ggi).
Comment 7 Brent Baude (RETIRED) gentoo-dev 2008-02-15 01:52:56 UTC 
ppc64 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2008-02-15 17:28:47 UTC 
Readding ppc64:

   media-video/mplayer/mplayer-1.0_rc2_p25993.ebuild: ppc64(default-linux/ppc/ppc64/2007.0/64bit-userland) ['media-libs/libggiwmh']
   media-video/mplayer/mplayer-1.0_rc2_p25993.ebuild: ppc64(hardened/ppc64) ['media-libs/libggiwmh']

@Brent: I think it would a good idea to review how you commit your keywording changes. You tend to miss some dependencies here and there...
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2008-02-15 17:34:08 UTC 
Stable for HPPA:
  =media-libs/libggiwmh-0.3.2
  =media-video/mplayer-1.0_rc2_p25993
Comment 10 Brent Baude (RETIRED) gentoo-dev 2008-02-15 20:24:08 UTC 
got the libgg dep
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2008-02-15 20:33:23 UTC 
alpha/ia64 stable, thanks Tobias
Comment 12 Torsten Rehn 2008-02-15 22:28:54 UTC 
#### AMD64 TEST REPORT #####

* overall emerge:       PASS
* multilib-strict:      PASS
* collision-protect:    PASS
* test phase:           NONE
* manual testing:       PASS

USE="X a52 aac alsa arts cdparanoia dts dvd encode ftp ggi gif gtk iconv ipv6 jack jpeg mmx mp3 opengl png quicktime sdl sse sse2 theora truetype unicode vorbis x264 xinerama xv xvid -3dnow -3dnowext -aalib (-altivec) -amrnb -amrwb -bidi -bindist -bl -cddb -cdio -cpudetection -custom-cflags -debug -dga -directfb -doc -dv -dvb -enca -esd -fbcon -joystick -ladspa -libcaca -lirc -live -livecd -lzo -mad -md5sum -mmxext -mp2 -musepack -nas -nemesi -openal -oss -pnm -pulseaudio -radio -rar -real -rtc -samba -speex -srt -ssse3 (-svga) -teletext -tga -tivo -v4l -v4l2 (-vidix) (-win32codecs) -xanim -xvmc -zoran" VIDEO_CARDS="-mga -s3virge -tdfx -vesa"

media-libs/libggiwmh-0.3.2 builds and passes tests.

---

Portage 2.1.4.4 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23-gentoo-r8 x86_64)
=================================================================
System uname: 2.6.23-gentoo-r8 x86_64 AMD Turion(tm) 64 X2 Mobile Technology TL-50
Timestamp of tree: Fri, 15 Feb 2008 20:30:01 +0000
app-shells/bash:     3.2_p17-r1
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.10-r5
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -msse3 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=athlon64 -msse3 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="buildpkg collision-protect distlocks metadata-transfer multilib-strict sandbox sfperms strict test unmerge-orphans userfetch"
GENTOO_MIRRORS="http://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/"
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
MAKEOPTS="-j1"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acpi alsa amd64 arts bash-completion bitmap-fonts bzip2 cdda cdparanoia cdr cgi cli cracklib crypt cups curl cvs dbus divx dri dts dvd dvdnav dvdr dvdread encode exif fastcgi ffmpeg firefox fortran ftp fuse gcj ggi gif glitz glut gmail gnutls gstreamer gtk gtk2 hal hbci history httpd iconv icq imagemagick imap ipv6 isdnlog jabber jack java jpeg jpeg2k kde kdm keyring midi mmx mod mozdevelop mp3 mpd mpeg mplayer mudflap ncurses network nntp nptl nptlonly nsplugin nvidia offensive ogg opengl openmp openvpn oscar pam pcmcia pcre pdf png pop pppd python qt3 qt3support qt4 quicktime readline reflection rtsp sdl sdl-image shout skins smp soup spl sql sqlite sqlite3 sse sse2 ssl statistics stream subversion svg symlink taglib tcpd theora threads tiff truetype truetype-fonts type1-fonts unicode usb vcd vim-syntax vorbis widescreen wifi wxwindows x264 xcomposite xinerama xml xorg xv xvid zip zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2008-02-16 18:48:31 UTC 
ppc keyword has been dropped ... any specific reason I need to look for?
Comment 14 Christoph Mende (RETIRED) gentoo-dev 2008-02-17 13:14:21 UTC 
amd64 stable
Comment 15 Tobias Scherbaum (RETIRED) gentoo-dev 2008-02-19 17:53:05 UTC 
ppc stable
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-19 20:10:32 UTC 
request filed.
Comment 17 Peter Volkov (RETIRED) gentoo-dev 2008-02-25 10:59:25 UTC 
This bug was fixed in 2008.0 snapshot, removing release@ from CC.
Comment 18 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-10 21:06:29 UTC 
GLSA 200803-16