Bug 215006 - media-video/mplayer <1.0_rc2_p26450 "sdpplin_parse()" Integer Overflow Vulnerability (CVE-2008-1558)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Depends on: 217773 219133 222447
Reported: 2008-03-27 04:02 UTC by Robert Buchholz (RETIRED)
Modified: 2008-05-30 12:31 UTC (History)

Patch for correcting sparc build failure (Comments 13, 16) (libswscale-sparc-1.0_rc2_p26753.patch,706 bytes, patch)
2008-05-17 20:07 UTC, Ferris McCormick (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-27 04:02:11 UTC
k`sOSe has discovered a vulnerability in MPlayer, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an integer overflow error in the "sdpplin_parse()" function in stream/realrtsp/sdpplin.c. This can be exploited to overwrite arbitrary memory regions via an overly large "StreamCount" SDP parameter.

Successful exploitation may allow execution of arbitrary code.

Original Advisory:
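
The failure class the description names (an attacker-supplied stream count feeding size arithmetic that wraps, so later writes land outside the buffer) next to a checked form. This is an added example, not MPlayer's code or the advisory's; the `a=StreamCount:integer;N` line format, `MAX_STREAMS` and all function names are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STREAMS 64 /* assumed policy limit, not a value from MPlayer */

/* Unchecked pattern: 32-bit size arithmetic wraps for a huge count, so the
 * buffer ends up far smaller than the count the parser goes on to trust. */
uint32_t unchecked_alloc_size(uint32_t count, uint32_t elem_size) {
    return count * elem_size;
}

/* Parse the (assumed) line "a=StreamCount:integer;N"; 0 on success, -1 if
 * the value is malformed, zero, or above MAX_STREAMS. */
int parse_stream_count(const char *line, size_t *count_out) {
    static const char key[] = "a=StreamCount:integer;";
    char *end;
    unsigned long v;
    if (strncmp(line, key, sizeof(key) - 1) != 0) return -1;
    line += sizeof(key) - 1;
    if (*line < '0' || *line > '9') return -1; /* rejects '-', '+', blanks */
    errno = 0;
    v = strtoul(line, &end, 10);
    if (errno == ERANGE || (*end && *end != '\r' && *end != '\n')) return -1;
    if (v == 0 || v > MAX_STREAMS) return -1;
    *count_out = (size_t)v;
    return 0;
}

/* Checked allocation: the count is bounded first, and calloc() itself fails
 * rather than wrapping count * size. Slots start out NULL. */
void **alloc_stream_table(const char *line, size_t *count_out) {
    if (parse_stream_count(line, count_out) != 0) return NULL;
    return calloc(*count_out, sizeof(void *));
}

/* Every later write into the table is checked against the parsed count. */
int store_stream(void **table, size_t count, size_t idx, void *entry) {
    if (idx >= count) return -1;
    table[idx] = entry;
    return 0;
}

int main(void) {
    size_t n = 0;
    /* constructed sample line, not taken from a real SDP description */
    void **t = alloc_stream_table("a=StreamCount:integer;2", &n);
    printf("wrapped size: %u\n", (unsigned)unchecked_alloc_size(0x40000001u, 4));
    printf("table=%s count=%zu oob store=%d\n", t ? "ok" : "NULL", n,
           t ? store_stream(t, n, 2, NULL) : -1);
    free(t);
    return 0;
}
```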
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-29 21:32:02 UTC
Comment 2 Toralf Förster gentoo-dev 2008-03-30 10:02:04 UTC
BTW package media-video/realplayer-10.0.9 crashes too after ~ 70 sec
Comment 3 Steve Dibb (RETIRED) gentoo-dev 2008-04-03 16:33:55 UTC
(In reply to comment #1)
> patch:

For the record, there is currently an updated mplayer in the tree, but please don't consider it a candidate for stabling yet since there's other MPlayer bugs I'd like to see get fixed first.

IOW, please to wait a bit more. :)
Comment 4 Ben de Groot (RETIRED) gentoo-dev 2008-04-15 01:57:55 UTC
Latest revision in tree:
candidate for stable
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-04-15 02:44:03 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 release sparc x86"
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2008-04-15 05:36:30 UTC
somehow this version tries to build i386 code on ppc64:

i386/mmx.h:24:2: warning: #warning Everything in this header is deprecated, use plain asm()! New code using this header will be rejected.
i386/fdct_mmx.c: In function 'ff_fdct_mmx':
i386/fdct_mmx.c:527: warning: dereferencing type-punned pointer will break strict-aliasing rules
i386/fdct_mmx.c: In function 'ff_fdct_mmx2':
i386/fdct_mmx.c:545: warning: dereferencing type-punned pointer will break strict-aliasing rules
i386/fdct_mmx.c: In function 'ff_fdct_sse2':
i386/fdct_mmx.c:563: warning: dereferencing type-punned pointer will break strict-aliasing rules
{standard input}: Assembler messages:
{standard input}:28: Error: Unrecognized opcode: `movdqa'
{standard input}:29: Error: Unrecognized opcode: `movdqa'

I might have time to look into this tomorrow.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2008-04-15 09:56:35 UTC
Same for HPPA:

[ebuild     U ] media-video/mplayer-1.0_rc2_p26450 [1.0_rc2_p25993] USE="X a52 aac aalib alsa amrnb amrwb arts bidi bl cddb cdparanoia cpudetection custom-cflags dga directfb dts dv dvd enca encode esd fbcon ftp ggi gif gtk iconv ipv6 jack jpeg libcaca live lzo mad mp3 musepack nas opengl oss png pulseaudio rtc samba sdl speex tga theora truetype unicode v4l v4l2 vidix vorbis xanim xscreensaver xv xvid xvmc (-3dnow) (-3dnowext) (-altivec) -bindist -cdio -debug -doc -dvb -joystick -ladspa (-lirc) -md5sum (-mmx) (-mmxext) -mp2 -nemesi (-openal) -pnm -quicktime -radio -rar (-real) -srt (-sse) (-sse2) (-ssse3) (-svga) -teletext -tivo (-win32codecs) (-x264) -xinerama -zoran (-livecd%)" VIDEO_CARDS="(-mga) (-s3virge) (-tdfx) (-vesa)" 0 kB [1]
Comment 8 Steve Dibb (RETIRED) gentoo-dev 2008-05-06 13:25:28 UTC
(In reply to comment #5)
> Arches, please test and mark stable:
> =media-video/mplayer-1.0_rc2_p26450

Yah, that one is buggy so ignore the stable request for now.

Just to update everyone, I'm waiting on upstream to finish making some changes, and then we'll get another candidate tested and in the tree.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-05-12 19:44:59 UTC
any update here?
Comment 10 Steve Dibb (RETIRED) gentoo-dev 2008-05-15 21:05:07 UTC
mplayer-1.0_rc2_p26753 should be a stable candidate, I need arches to test out.

I have heard of reports of problems with PPC boxes, but I can't test / describe / fix the problem myself, so any help would be much appreciated in that area.  I suspect it's just a tiny bug with either the configure script or the Makefile.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-05-16 05:16:13 UTC
Arches please test and mark stable. Target keywords are:

mplayer-1.0_rc2_p26753.ebuild:KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86 ~x86-fbsd
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2008-05-16 10:32:15 UTC
Stable for HPPA.
Comment 13 Ferris McCormick (RETIRED) gentoo-dev 2008-05-16 13:32:46 UTC
Well, I have to get around this before doing anything with sparc:
make -C libswscale
make[1]: Entering directory `/var/tmp/portage/media-video/mplayer-1.0_rc2_p26753/work/mplayer-1.0_rc2_p26753/libswscale'
yuv2rgb_vis.c:1: *** missing separator.  Stop.
make[1]: Leaving directory `/var/tmp/portage/media-video/mplayer-1.0_rc2_p26753/work/mplayer-1.0_rc2_p26753/libswscale'
make: *** [libswscale/libswscale.a] Error 2
make: *** Waiting for unfinished jobs....
This failure is reproducible on my system and fails as well if I force MAKEOPTS='-j1'
Comment 14 Jonas Pedersen 2008-05-16 14:58:22 UTC
media-video/mplayer-1.0_rc2_p26753  USE="X a52 aac alsa arts cpudetection dga directfb dts dvd encode ftp gif gtk iconv ipv6 jpeg live mad mmx mp2 mp3 opengl png quicktime real samba sdl sse sse2 theora truetype unicode vorbis x264 xscreensaver xv xvid -3dnow -3dnowext -aalib (-altivec) -amrnb -amrwb -bidi -bindist -bl -cddb -cdio -cdparanoia -custom-cflags -debug -doc -dv -dvb -enca -esd -fbcon -ggi -jack -joystick -ladspa -libcaca -lirc -lzo -md5sum -mmxext -musepack -nas -nemesi -openal -oss -pnm -pulseaudio -radio -rar -rtc -speex -srt -ssse3 (-svga) -teletext -tga -v4l -v4l2 (-vidix) (-win32codecs) -xanim -xinerama -xvmc -zoran" VIDEO_CARDS="-mga -s3virge -tdfx -vesa"

1. Emerges on AMD64. 
2. No collisions etc. 
3. Works. Have played a real player stream and a X264 video. 

Portage (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.24-gentoo-r2 x86_64)
System uname: 2.6.24-gentoo-r2 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz
Timestamp of tree: Fri, 16 May 2008 13:45:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:     2.4.4-r9
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
CFLAGS="-march=nocona -Os -msse3 -pipe -fomit-frame-pointer"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=nocona -Os -msse3 -pipe -fomit-frame-pointer"
FEATURES="ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
USE="X a52 aac acl acpi aiglx alsa amd64 apache2 arts atk berkdb cairo cdr cli cracklib crypt cups dbus dga directfb dri dts dvd dvdr dvdread eds emboss encode evo fam fbcn ffmpeg firefox fortran ftp gd gdbm gif gphoto2 gpm gstreamer gtk hal iconv icq ieee1394 ipv6 isdnlog java jpeg kde kerberos live lm_sensors mad midi mikmod mjpeg mmx mozilla mp2 mp3 mpeg mplayer msn mudflap ncurses nls nptl nptlonly ogg oggvorbis opengl openmp pam pcre pda pdf perl png ppds pppd python qt qt3 qt3support qt4 quicktime readline reflection samba sdl session spell spl sse sse2 sse3 ssl svg tcpd threads tiff truetype unicode vorbis x264 xcomposite xml xorg xscreensaver xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="radeon"

Comment 15 Markus Meier gentoo-dev 2008-05-17 10:45:21 UTC
amd64/x86 stable, thanks Jonas.
Comment 16 Ferris McCormick (RETIRED) gentoo-dev 2008-05-17 13:26:35 UTC
Here's what's happening on sparc:  There is a sparc-only assembly routine,
libswscale/yuv2rgb_vis.c and clearly the Makefile in libswscale must be architecture-specific.  And for sparc, it is wrong --- it contains this little bit of code:
OBJS-$(ARCH_BFIN)          +=  swscale_bfin.o yuv2rgb_bfin.o
OBJS-$(CONFIG_GPL)         +=  yuv2rgb.o
OBJS-$(CONFIG_MLIB)        +=  yuv2rgb_mlib.c
OBJS-$(HAVE_ALTIVEC)       +=  yuv2rgb_altivec.o
OBJS-$(HAVE_VIS)           +=  yuv2rgb_vis.c             <<<<< WRONG!

If I correct that, the make gets a bit further and gives this:
sparc-unknown-linux-gnu-gcc -MM -DHAVE_AV_CONFIG_H -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_ISOC9X_SOURCE -I.. -I.. -Wdisabled-optimization -Wno-pointer-sign -Wdeclaration-after-statement -I. -Wall -Wno-switch -Wpointer-arith -Wredundant-decls -O4  -mcpu=ultrasparc -pipe -ffast-math -fomit-frame-pointer -D_REENTRANT -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE -DHAVE_CONFIG_H -I/usr/X11R6/include -I/usr/include/SDL  -D_REENTRANT  -I/usr/include/freetype2 -I/usr/include/gtk-2.0 -I/usr/lib/gtk-2.0/include -I/usr/include/atk-1.0 -I/usr/include/cairo -I/usr/include/pango-1.0 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/include/freetype2 -I/usr/include/libpng12    yuv2rgb_vis.c | sed "s,[0-9a-z._-]*: \(/libswscale/\)*\([a-z0-9]*/\)[^/]* ,\2&," > yuv2rgb_vis.d
sparc-unknown-linux-gnu-gcc -DHAVE_AV_CONFIG_H -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_ISOC9X_SOURCE -I.. -I.. -Wdisabled-optimization -Wno-pointer-sign -Wdeclaration-after-statement -I. -Wall -Wno-switch -Wpointer-arith -Wredundant-decls -O4  -mcpu=ultrasparc -pipe -ffast-math -fomit-frame-pointer -D_REENTRANT -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE -DHAVE_CONFIG_H -I/usr/X11R6/include -I/usr/include/SDL  -D_REENTRANT  -I/usr/include/freetype2 -I/usr/include/gtk-2.0 -I/usr/lib/gtk-2.0/include -I/usr/include/atk-1.0 -I/usr/include/cairo -I/usr/include/pango-1.0 -I/usr/include/glib-2.0 -I/usr/lib/glib-2.0/include -I/usr/include/freetype2 -I/usr/include/libpng12     -c -o yuv2rgb_vis.o yuv2rgb_vis.c
yuv2rgb_vis.c:82: error: expected ‘)’ before ‘*’ token
yuv2rgb_vis.c:133: error: expected ‘)’ before ‘*’ token
yuv2rgb_vis.c:184: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘yuv2rgb_init_vis’
make: *** [yuv2rgb_vis.o] Error 1

That's because yuv2rgb_vis.c is messed up, too.  It's missing an include file,
#include "swscale.h"
#include "swscale_internal.h"        <<<< MISSING --- I added it by hand

When I put that include for swscale_internal.h into yuv2rgb_vis.c, it can build at least.

So, for sparc, in libswscale/ both the Makefile and the assembler helper are wrong.
Comment 17 Tobias Klausmann (RETIRED) gentoo-dev 2008-05-17 14:03:34 UTC
Stabilized 1.0_rc2_p26753 on alpha.
Comment 18 Ferris McCormick (RETIRED) gentoo-dev 2008-05-17 20:07:19 UTC
Created attachment 153461
Patch for correcting sparc build failure (Comments 13, 16)

This patch fixes the problems noted on sparc in Comment #13 and described in Comment #16.  If I put it in media-video/files/libswscale-sparc-1.0_rc2_p26753.patch
and apply it in src_unpack, for example, like this:
--- mplayer-1.0_rc2_p26753.ebuild-      2008-05-17 19:59:47.000000000 +0000
+++ mplayer-1.0_rc2_p26753.ebuild       2008-05-17 19:46:39.000000000 +0000
@@ -198,6 +198,11 @@
        # Fix polish spelling errors
        [[ -n ${LINGUAS} ]] && sed -e 's:Zarz?dano:Za??dano:' -i help/help_mp-pl.h
+       # Fix libswscale-sparc-1.0_rc2_p26753
+       einfo "Fix sparc-specific problems in libscale"
+       cd "${S}"
+       epatch "${FILESDIR}/libswscale-sparc-${PVR}.patch"
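Review bot: the epatch line builds the patch filename from ${PVR}, which includes the ebuild revision, so as soon as this ebuild is bumped to an -rN revision the lookup no longer matches the file named above (libswscale-sparc-1.0_rc2_p26753.patch); using ${PV} or the literal filename keeps the two in step. In the same added lines, the einfo text says "libscale" where the directory being patched is libswscale, and cd "${S}" has no failure check before epatch runs.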
then mplayer-1.0_rc2_p26753 builds without error on sparc.  I cannot test it before Monday the 19th, however.

I had thought that mplayer must build the Makefile on the fly, but it comes with that Makefile and yuv2rgb_vis.c already set up and incorrect.
Comment 19 Friedrich Oslage (RETIRED) gentoo-dev 2008-05-18 17:45:32 UTC
Tested =media-video/mplayer-1.0_rc2_p26753 USE="X a52 aac aalib alsa custom-cflags dga doc dts dv dvd encode ftp gif gtk ipv6 jpeg lzo mad mp2 mp3 musepack openal opengl png pnm quicktime samba sdl speex theora truetype unicode vidix vorbis x264 xanim xinerama xv xvid (-3dnow) (-3dnowext) (-altivec) -amrnb -amrwb -arts -bidi -bindist -bl -cddb -cdio -cdparanoia -cpudetection -debug (-directfb) (-dvb) -enca -esd -fbcon -ggi -iconv -jack -joystick -ladspa -libcaca (-lirc) -live -md5sum (-mmx) (-mmxext) -nas -nemesi -oss -pulseaudio -radio (-rar) (-real) -rtc -srt (-sse) (-sse2) (-ssse3) (-svga) -teletext -tga -v4l (-v4l2) (-win32codecs) -xscreensaver (-xvmc) (-zoran)" on sparc.

After applying the patch from comment 18 it compiles fine and I'm able to play xvid movies, mp3 files/streams and dvds.

# emerge --info
Portage (default-linux/sparc/sparc64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.24-gentoo-r8 sparc64)
System uname: 2.6.24-gentoo-r8 sparc64 sun4u
Timestamp of tree: Sun, 18 May 2008 16:06:01 +0000
app-shells/bash:     3.2_p33
dev-lang/python:     2.4.4-r9
dev-python/pycrypto: 2.0.1-r6
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.24
CFLAGS="-mcpu=ultrasparc3 -mtune=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe -ggdb"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-mcpu=ultrasparc3 -mtune=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe -ggdb"
FEATURES="collision-protect distlocks installsources metadata-transfer parallel-fetch sandbox splitdebug strict test unmerge-orphans userfetch userpriv usersandbox"
LINGUAS="de en"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTDIR_OVERLAY="/usr/portage/local/layman/sunrise /usr/portage/local/layman/gnash-cvs /usr/local/portage"
USE="64bit 7zip X a52 aac aalib ace agg alsa artworkextra audacious blender-game bluetooth bzip2 c++ caps clock-screen cups curl custom-cflags cvs cxx dbus devhelp dga disk-partition divx doc dri dts dv dvd dvdread eds encode evo exif fastcgi fat festival ffmpeg flac ftp fuse gd gif gimp gimpprint glade gmedia gnome gnome-print gnomecanvas gpm grammar gtk hal hpn ieee1394 imap ipv6 ithreads javascript jpeg jpeg2k key-screen libsexy lyrics lzo mad mbrola memcache midi mikmod mjpeg mng mouse mp2 mp3 mpeg mpeg2 mplayer musepack musicbrainz nautilus ncurses network network-cron networking nls nptl nptlonly nsplugin offensive ogg openal opengl openmp opera pam parallel pcre pdf png pnm ppds qt3support quicktime raw realmedia regex ruby samba sasl sdl sdl-image search-screen slang smartcard smp sms sound soundex source sourceview sparc speex spell sqlite3 ssl stream subversion svg symlink taglib tagwriting theora threads tiff timidity tools truetype tta unicode usb userlocales utils vcd vidix vim vim-syntax vim-with-x vorbis wma wmf wmp wordexp x264 xanim xcb xfce xine xinerama xorg xulrunner xv xvid zlib" ALSA_CARDS="CS4231" ALSA_PCM_PLUGINS="adpcm alaw copy dshare dsnoop extplug file hooks ladspa lfloat linear meter mulaw multi null rate route share shm asym dmix empty iec958 ioplug plug softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="de en" USERLAND="GNU" VIDEO_CARDS="mach64 fbdev mga"
Comment 20 Ferris McCormick (RETIRED) gentoo-dev 2008-05-18 18:54:24 UTC
Friedrich, thanks for testing.  I'll finish this off tomorrow when I'm a bit closer to the sparc system I run this on.
Comment 21 Ferris McCormick (RETIRED) gentoo-dev 2008-05-19 12:21:18 UTC
I'll also say that on sparc, =media-video/mplayer-1.0_rc2_p26753 seems fine with the Patch #153461 and ebuild change from Comment 18.  Otherwise, of course, it won't even build.
Comment 22 Markus Rothe (RETIRED) gentoo-dev 2008-05-21 06:37:29 UTC
=media-video/mplayer-1.0_rc2_p26753-r1 (yes, -r1) stable on ppc64
Comment 23 Ferris McCormick (RETIRED) gentoo-dev 2008-05-21 14:14:59 UTC
Sparc stable for mplayer-1.0_rc2_p26753-r1.  Now builds fine and works as expected.
Comment 24 Markus Rothe (RETIRED) gentoo-dev 2008-05-21 18:33:46 UTC
ppc stable
Comment 25 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-22 17:38:02 UTC
GLSA request filed.
Comment 26 Raúl Porcel (RETIRED) gentoo-dev 2008-05-22 17:45:04 UTC
ia64 stable
Comment 27 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-29 19:17:08 UTC
GLSA 200805-22
Comment 28 Peter Volkov (RETIRED) gentoo-dev 2008-05-30 12:31:07 UTC
And you forgot to CC release, but in any case this bug is fixed in release snapshot too :P