Bug 251017 - media-video/mplayer <1.0_rc2_p28058-r1 Stack Buffer Overflow (CVE-2008-5616)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://trapkit.de/advisories/TKADV200...
Whiteboard: A2 [glsa]
Keywords:
Duplicates: CVE-2008-5616 251567
Depends on:
Blocks:
 
Reported: 2008-12-15 12:17 UTC by Bruno Buss
Modified: 2009-01-12 19:51 UTC (History)
Description Bruno Buss 2008-12-15 12:17:12 UTC
Description:
MPlayer contains a stack buffer overflow vulnerability while parsing 
malformed TwinVQ media files. The vulnerability may be exploited by a 
(remote) attacker to execute arbitrary code in the context of MPlayer.

Fix in SVN:
http://svn.mplayerhq.hu/mplayer/branches/1.0rc2/libmpdemux/demux_vqf.c?r1=24723&r2=28150&pathrev=28150

Also from Secunia:
http://secunia.com/Advisories/33136/
Comment 1 stupendoussteve 2008-12-17 03:09:01 UTC
*** Bug 251277 has been marked as a duplicate of this bug. ***
Comment 2 stupendoussteve 2008-12-17 03:09:49 UTC
This has been assigned CVE-2008-5616
Comment 3 Steve Dibb (RETIRED) gentoo-dev 2008-12-17 15:15:56 UTC
Patch applied in mplayer-1.0_rc2_p28058-r1

Thanks, Bruno
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-12-17 16:11:45 UTC
CVE-2008-5616 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5616):
  Stack-based buffer overflow in the demux_open_vqf function in
  libmpdemux/demux_vqf.c in MPlayer 1.0 rc2 before r28150 allows remote
  attackers to execute arbitrary code via a malformed TwinVQ file.

Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-12-17 16:18:51 UTC
Arches, please test and mark stable:
=media-video/mplayer-1.0_rc2_p28058-r1
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2008-12-17 18:08:10 UTC
Stable for HPPA.
Comment 7 Markus Meier gentoo-dev 2008-12-17 20:10:47 UTC
amd64/x86 stable
Comment 8 Brent Baude (RETIRED) gentoo-dev 2008-12-18 17:18:58 UTC
ppc64 done
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2008-12-18 18:34:51 UTC
ppc stable
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-12-19 17:47:57 UTC
*** Bug 251567 has been marked as a duplicate of this bug. ***
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2008-12-20 15:09:00 UTC
Stable on alpha.
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2008-12-22 20:00:55 UTC
ia64/sparc stable
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-23 12:51:50 UTC
GLSA together with bug 239130 and bug 231836.
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2009-01-12 19:51:44 UTC
GLSA 200901-07. Thanks everyone, sorry about the delay.