Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 379297 (CVE-2011-3625) - <media-video/mplayer-1.0_rc4_p20110322-r1: SAMI Subtitle Parsing Buffer Overflow Vulnerability (CVE-2011-3625)
Summary: <media-video/mplayer-1.0_rc4_p20110322-r1: SAMI Subtitle Parsing Buffer Overf...
Status: RESOLVED FIXED
Alias: CVE-2011-3625
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/45598/
Whiteboard: B2 [glsa]
Keywords:
: 385743 (view as bug list)
Depends on:
Blocks:
 
Reported: 2011-08-15 17:12 UTC by Agostino Sarubbo
Modified: 2013-10-25 19:17 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2011-08-15 17:12:32 UTC
The vulnerability is caused due to a boundary error within the "sub_read_line_sami()" function in subreader.c and can be exploited to cause a stack-based buffer overflow via a specially crafted SAMI subtitle file.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-08-20 02:55:23 UTC
The trivial change looks to be listed at: http://mplayerhq.hu/pipermail/mplayer-cvslog/2011-May/042075.html
Comment 2 Samuli Suominen gentoo-dev 2011-10-06 13:02:12 UTC
*** Bug 385743 has been marked as a duplicate of this bug. ***
Comment 3 Samuli Suominen gentoo-dev 2011-10-06 13:05:18 UTC
+*mplayer-1.0_rc4_p20110322-r1 (06 Oct 2011)
+
+  06 Oct 2011; Samuli Suominen <ssuominen@gentoo.org>
+  +mplayer-1.0_rc4_p20110322-r1.ebuild,
+  +files/mplayer-1.0_rc4_p20110322-sami_subtitle_parsing.patch:
+  Fix security bug (SAMI Subtitle Parsing Buffer Overflow) #379297 by Agostino
+  Sarubbo
Comment 4 Samuli Suominen gentoo-dev 2011-10-06 13:06:01 UTC
And blocking bug 384701 because this version is required also for libpng15 compability.
Comment 5 Agostino Sarubbo gentoo-dev 2011-10-06 13:18:54 UTC
Thanks Samuli,

Arches, please test and mark stable:

=mplayer-1.0_rc4_p20110322-r1

target KEYWORDS : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 6 Agostino Sarubbo gentoo-dev 2011-10-06 18:50:12 UTC
amd64 ok
Comment 7 Steve Dibb (RETIRED) gentoo-dev 2011-10-06 19:14:34 UTC
+  06 Oct 2011; Steve Dibb <beandog@gentoo.org>
+  mplayer-1.0_rc4_p20110322-r1.ebuild:
+  amd64 stable, security bug 379297
Comment 8 Ian Delaney (RETIRED) gentoo-dev 2011-10-06 19:19:51 UTC
amd64:

ok
Comment 9 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-10-08 18:48:01 UTC
x86 stable
Comment 10 Markus Meier gentoo-dev 2011-10-09 16:37:46 UTC
arm stable
Comment 11 Jeroen Roovers gentoo-dev 2011-10-09 17:05:49 UTC
Stable for HPPA.
Comment 12 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-10-09 17:17:13 UTC
ppc/ppc64 stable
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2011-10-12 15:24:14 UTC
alpha/ia64/sparc stable
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2011-10-12 15:31:43 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 15 Samuli Suominen gentoo-dev 2011-10-12 15:48:25 UTC
(In reply to comment #4)
> And blocking bug 384701 because this version is required also for libpng15
> compability.

And removing now, since this is stable everywhere so it doesn't "show up" in the blockers list anymore.    Sort of useless bugspam, sorry about that.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2013-10-25 19:17:10 UTC
This issue was resolved and addressed in
 GLSA 201310-13 at http://security.gentoo.org/glsa/glsa-201310-13.xml
by GLSA coordinator Sean Amoss (ackle).