Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 55456 - media-video/mplayer MPlayer GUI filename handling overflow
Summary: media-video/mplayer MPlayer GUI filename handling overflow
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major (vote)
Assignee: Gentoo Security
URL: http://www.open-security.org/advisori...
Whiteboard: A2 [glsa]
Keywords:
: 55601 (view as bug list)
Depends on:
Blocks:
 
Reported: 2004-06-28 11:50 UTC by Sune Kloppenborg Jeppesen
Modified: 2020-03-02 20:56 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2004-06-28 11:50:00 UTC
Possible mplayer GUI vulnerability just posted on Bugtraq:

 All versions of MPlayer, including the latest [MPlayer-1.0pre4] when compiled with GUI support are vulnerable to a buffer overflow attack that will provide hostile code execution.

A single post regarding buffer overflow in the GUI posted to MPlayer-dev-eng
http://mplayerhq.hu/pipermail/mplayer-dev-eng/2004-June/026559.html
Comment 1 Jeremy Huddleston (RETIRED) gentoo-dev 2004-06-28 23:47:07 UTC
Unfortunately, there is no fix upstream, and the Gui component for mplayer isn't very well maintained IIRC... maybe that's changed recently and I didn't notice...
Comment 2 Kurt Lieber (RETIRED) gentoo-dev 2004-06-29 11:40:54 UTC
*** Bug 55601 has been marked as a duplicate of this bug. ***
Comment 3 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-06-29 15:05:17 UTC
Updating status whiteboard
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-07-02 11:37:07 UTC
More news from http://mplayerhq.hu/ :

----------------------------------------
Summary
Multiple string vulnerabilities have been found and fixed in the MPlayer GUI code, at least one of which was remotely exploitable.

Severity
High (arbitrary remote code execution under the user ID running the player) if using the GUI to play certain types of playlist files, none when using only the command line. The MPlayer GUI is optional and not built by default.

Solution
A fix for the vulnerability with the known exploit was checked into MPlayer CVS on Wed, 2 June 2004 12:40:41 +0000 (UTC). The result of a thorough code audit that uncovered further potentially exploitable bugs was checked into MPlayer CVS on Fri, 25 June 2004 16:49:52 +0000 (UTC). All of this will be included in MPlayer 1.0pre5. Users of affected MPlayer versions should upgrade to latest CVS or MPlayer 1.0pre5 once it becomes available. Alternatively a patch for the main and 0_90 MPlayer CVS versions is available that can be applied to the MPlayer source tree.

Affected versions
MPlayer 1.0pre4 and beforey
MPlayer 0.92.1 and before

Unaffected versions
none

History
On Tue, 1 June 2004 MPlayer developers were contacted by c0ntex who had found a string handling vulnerability in the MPlayer GUI code complete with an example exploit and a preliminary fix. That fix was checked into MPlayer CVS on Wed, 2 June 2004 12:40:41 +0000 (UTC).

When playing certain types of playlist files with extremely long entries a buffer overflow error occurs. This allows an attacker to overwrite memory with specially crafted playlist files and execute arbitrary code under the user ID running MPlayer.

Richard Felker started a general audit of the GUI code for further string handling problems and uncovered a host of potential bugs, some of which were probably exploitable. Nicholas Kain proceeded to do a full audit of the MPlayer code for insecure string handling, which was finished by Alexander Strasser. The result of this audit was checked into MPlayer CVS on Fri, 25 June 2004 16:49:52 +0000 (UTC).

Since the first quick review of the GUI code immediately revealed several potentially exploitable bugs we have refrained from publishing this advisory until a thorough audit of the whole code was finished.

On Thu, 1 July 2004 11:22:29 (UTC) a simple port of the fixes was committed to the 0_90 stable MPlayer source tree. This was done without a further audit of the 0_90 code base due to lack of resources. We have therefore dropped further support of the 0_90 tree and recommend upgrading to MPlayer 1.0pre5 or latest CVS.

Download
MPlayer 1.0pre5, 0.93 and CVS snapshots can be downloaded from the MPlayer homepage or one of its many mirrors as soon as they become available. Go to the MPlayer download page to get MPlayer 1.0pre5 source code or a CVS snapshot.
-------------------------------------------
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-07-10 03:20:43 UTC
0.93 is out, but "The 0.90 branch is long obsolete, there will be no further releases, probably not even security fix releases. Therefore we strongly recommend upgrading to MPlayer 1.0pre5 once it becomes available or a current CVS snapshot."

There are multiple issues here :

Since the sparc has no 1.0_pre* stable, we either need a 0.93 ebuild for them or that sparc has reasonable confidence they will be able to mark a 1.0_pre5 ebuild stable.

The 1.0_pre5 release is not out yet, but the fix is in mplayer CVS, so we can wait a little more or try to apply a patch to a 1.0_pre4-r5.

Cc: sparc and media-video to get their opinion on this.
Comment 6 Jason Wever (RETIRED) gentoo-dev 2004-07-10 13:32:12 UTC
I guess unless the mplayer-1.05 release comes out in the next day or so, we should probably go with 0.93
Comment 7 Chris White (RETIRED) gentoo-dev 2004-07-14 19:01:52 UTC
ebuild in cvs, please mark stable.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-07-15 01:25:56 UTC
Target keywords for media-video/mplayer-1.0_pre5: "alpha amd64 ~hppa ~ia64 ~mips ppc sparc x86"
Arches: please test and adjust keywords accordingly.
Comment 9 Daniel Ostrow (RETIRED) gentoo-dev 2004-07-15 19:24:15 UTC
Stable on ppc.
Comment 10 Jason Wever (RETIRED) gentoo-dev 2004-07-15 19:30:59 UTC
Stable on sparc.
Comment 11 Travis Tilley (RETIRED) gentoo-dev 2004-07-15 21:01:38 UTC
this still has a few issues on amd64... nothing massive, but issues none the less. chriswhite - i've given you a shell like you asked for, i officially delegate fixing those to you. feel free to keyword the ebuild stable on amd64 afterward ;)
Comment 12 Bryan Østergaard (RETIRED) gentoo-dev 2004-07-16 02:54:15 UTC
Stable on alpha.
Comment 13 SpanKY gentoo-dev 2004-07-16 15:57:58 UTC
hppa done
Comment 14 Travis Tilley (RETIRED) gentoo-dev 2004-07-16 21:07:38 UTC
i just checked out mplayer CVS and it seems that they're making some progress on fixing things for amd64. mplayer can now use multiple shades of blue instead of just a single solid shade. the error "cast from pointer to integer of different size" also shows up only 37 times while compiling.

would it be possible to just shove this security fix into a revision of pre4? otherwise it will take a pretty long time for amd64 to be ready. :/
Comment 15 Chris White (RETIRED) gentoo-dev 2004-07-17 23:49:26 UTC
Myself and lv worked hard on it, mplayer 1.0 pre4-r5 is now in cvs with the appropriate security fixes and is marked stable by him as well.  So, as the line goes:

Stable on amd64.

security: amd64 will use pre4-r5 as its stable release version while everyone else will use pre5 (unless mips and ia64 need pre4-r5 as well).
Comment 16 Travis Tilley (RETIRED) gentoo-dev 2004-07-18 15:41:51 UTC
chris - some time between when you fixed mplayer and the morning mplayer broke. i'm going to remove it from stable, as it doesnt even compile now.
Comment 17 Travis Tilley (RETIRED) gentoo-dev 2004-07-18 21:37:21 UTC
ok, -now- it's fixed. pre4-r5 stable on amd64 :)
hopefully pre5 will be fixed at some point, but that's pretty unrealistic at the moment. for now though, pre4-r5 has the security fix. moo
Comment 18 Chris White (RETIRED) gentoo-dev 2004-07-18 23:49:57 UTC
In talking with upstream, I've found the ebuild to be very garbled for mplayer, I'm halting the stable checks until I make sure the ebuild is as clean as possible.  This cleanup may help to make pre5 a globally stable version for all archs to utilize.  Sorry about any delays this may cause, but I want the ebuild to be as efficient as possible before stable markings occur.
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2004-07-20 05:29:02 UTC
Back to ebuild status until maintainer provides an ebuild that is satisfactory to him.
Comment 20 Chris White (RETIRED) gentoo-dev 2004-07-22 12:36:39 UTC
Updated ebuilds in cvs.
Comment 21 Chris White (RETIRED) gentoo-dev 2004-07-22 20:56:01 UTC
After the commit, there were a couple more cleanup issues.  As was such, they were taken care of and it should be as follows:

amd64 uses mplayer-1.0_pre4-r6
everyone else mplayer-1.0_pre5-r1

These 2 ebuilds such fix some issues with the previous ones.  Thanks for your patience!
Comment 22 Thierry Carrez (RETIRED) gentoo-dev 2004-07-23 00:45:48 UTC
OK, so we are back in the stable-ize game.

amd64 : please mark mplayer-1.0_pre4-r6 stable.
alpha, ppc, sparc, x86 : please mark mplayer-1.0_pre5-r1 stable.
mips : please mark one of those two "~mips"
Comment 23 Ciaran McCreesh 2004-07-23 09:28:25 UTC
Are you done changing these ebuilds or should we leave it a week or so before stabling them?
Comment 24 Jeremy Huddleston (RETIRED) gentoo-dev 2004-07-24 09:29:23 UTC
amd64, x86: Tested and marked stable.

sparc: I've always had some trouble with mplayer on sparc (video is distorted a bit half the time I play something)... but with this version, the distortion seems to be much more apparent.  It might be related to my recent changes in toolchain, but I'm not sure.  Can another sparc dev please test out the ebuild.

Comment 25 Chris White (RETIRED) gentoo-dev 2004-07-25 20:45:07 UTC
Under eradicator's suggesstion:

all archs mark mplayer-1.0_pre4-r7 stable

final answer.  Updating glsa with that info.
Comment 26 Daniel Ostrow (RETIRED) gentoo-dev 2004-07-27 09:48:26 UTC
Stable on ppc for _pre4-r7.
Comment 27 Thierry Carrez (RETIRED) gentoo-dev 2004-07-30 08:18:22 UTC
sparc: please mark a version >=mplayer-1.0_pre4-r7 stable so that the GLSA can go out.

alpha : mark >=mplayer-1.0_pre4-r7 stable to benefit from the GLSA
mips : mark >=mplayer-1.0_pre4-r7 "~mips" to benefit from the GLSA
Comment 28 Gustavo Zacarias (RETIRED) gentoo-dev 2004-07-30 13:08:36 UTC
Tested with a couple of vids: dance monkey, creamedgates and the like ;)
Marked stable on sparc.
Comment 29 Bryan Østergaard (RETIRED) gentoo-dev 2004-07-30 14:40:08 UTC
1.0_pre4-r7 marked stable on alpha.
Comment 30 Chris White (RETIRED) gentoo-dev 2004-07-30 23:12:40 UTC
I'm marking pre5-r2 to unstable.  I'm still sorting through a few here and
there issues (some upstream related) and am not confident enough to call it
stable on x86. Pre4-r7 will definately be the stable choice for x86.
Comment 31 Thierry Carrez (RETIRED) gentoo-dev 2004-07-31 09:49:53 UTC
Then we still need pre4-r7 marked stable on x86 before releasing the GLSA.
Comment 32 Chris White (RETIRED) gentoo-dev 2004-07-31 10:12:56 UTC
This package should have been marked stable before.  I'm guessing it wasn't
because of the pre5-r2 stable questioning.  Now that it's patched though
and works just fine, it should have been x86.  It wasn't, and now is.  Sorry
for any confusion this may have caused.
Comment 33 Thierry Carrez (RETIRED) gentoo-dev 2004-08-01 02:33:00 UTC
Now we're ready... Will be sent as soon as cfengine or infra corrects ownership of GLSAMaker August data directory.
Comment 34 Thierry Carrez (RETIRED) gentoo-dev 2004-08-01 03:05:59 UTC
GLSA 200408-01
mips : don't forget to mark "~mips" pre4-r7 to benefit from the GLSA.