Bug 581952 (CVE-2016-4352) - <media-video/mplayer-1.3.0-r3: integer overflow
Summary: <media-video/mplayer-1.3.0-r3: integer overflow
Alias: CVE-2016-4352
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Reported: 2016-05-03 09:10 UTC by Agostino Sarubbo
Modified: 2018-01-25 00:19 UTC

Package list:
media-video/mplayer-1.3.0-r3 media-sound/toolame-02l-r4 arm
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2016-05-03 09:10:21 UTC
From ${URL} :

A crash caused by an integer overflow parsing a gif was found in the last
revision of mplayer. It seems to affect older versions too. It was recently
fixed (r37857). Technical details and a reproducer are available here:

I verified that this issue affects mencoder, so you should check if you are
using it for conversion of gif files. This crash was found by QuickFuzz.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann gentoo-dev 2017-06-17 20:09:23 UTC
Comment 2 Alexis Ballier gentoo-dev 2017-10-08 12:24:20 UTC
This has been merged long ago in mplayer-1.3.0-r3.ebuild; cc'ing arches.
Comment 3 Stabilization helper bot gentoo-dev 2017-10-08 13:01:10 UTC
An automated check of this bug failed - repoman reported dependency errors: 

> dependency.bad media-video/mplayer/mplayer-1.3.0-r3.ebuild: DEPEND: arm(default/linux/arm/13.0) ['media-sound/toolame']
> dependency.bad media-video/mplayer/mplayer-1.3.0-r3.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['media-sound/toolame']
Comment 4 Manuel Rüger (RETIRED) gentoo-dev 2017-10-11 17:44:44 UTC
Stable on amd64
Comment 5 Thomas Deutschmann gentoo-dev 2017-10-12 21:19:33 UTC
x86 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-13 00:15:26 UTC
ia64 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-13 09:50:48 UTC
ppc/ppc64 stable
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-13 19:20:36 UTC
hppa stable
Comment 9 Markus Meier gentoo-dev 2017-10-14 06:15:50 UTC
arm stable
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2017-10-22 21:51:14 UTC
Stable on alpha.
Comment 11 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-22 23:59:11 UTC
Downgraded to B3. No PoC for ACE/RCE.

@maintainers, please clean the vulnerable versions.

GLSA Vote: No
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-11-11 20:30:45 UTC
Please clean.