Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 74473 - media-video/mplayer-1.0_pre5: get_header overflows data buffer
Summary: media-video/mplayer-1.0_pre5: get_header overflows data buffer
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa] koon
Depends on:
Reported: 2004-12-15 04:55 UTC by Sascha Silbe
Modified: 2020-04-06 20:47 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

17-s.c from the advisory (bug74473-17-s.c,1.69 KB, text/plain)
2004-12-15 04:56 UTC, Sascha Silbe
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Sascha Silbe 2004-12-15 04:55:17 UTC
Advisory from

Date: 15 Dec 2004 08:18:11 -0000
From: "D. J. Bernstein" <>
Subject: [remote] [control] MPlayer 1.0pre5 get_header overflows data buffer
Mailing-List: contact; run by ezmlm
Automatic-Legal-Notices: See

[-- Attachment #1 [details] --]
[-- Type: text/plain, Encoding: 7bit, Size: 1.4K --]

Ariel Berkman, a student in my Fall 2004 UNIX Security Holes course, has
discovered a remotely exploitable security hole in MPlayer. I'm
publishing this notice, but all the discovery credits should be assigned
to Berkman.

You are at risk if you use MPlayer to play an ASF video stream from the
web (or from any other source that could be controlled by an attacker).
Whoever provides that stream then has complete control over your
account: he can read and modify your files, watch the programs you're
running, etc.

Proof of concept: On an x86 computer running FreeBSD 4.10 with ucspi-tcp
installed, type

   bunzip2 < MPlayer-1.0pre5.tar.bz2 | tar -xf -
   cd MPlayer-1.0pre5

to download and compile the MPlayer program, version 1.0pre5 (current).
Then save the file 17-s.c attached to this message, and type

   gcc -o 17-s 17-s.c
   tcpserver 0 1755 ./17-s &
   ./mplayer mmst://

with the unauthorized result that a file named x is removed from the
current directory. (I tested this with a 538-byte environment, as
reported by printenv | wc -c.)

Here's the bug: In asf_mmst_streaming.c, get_header() uses get_data()
to copy an input-specified amount of data into a 102400-byte data[]

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago
Comment 1 Sascha Silbe 2004-12-15 04:56:13 UTC
Created attachment 46027 [details]
17-s.c from the advisory
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-15 05:44:28 UTC
chriswhite, pls verify and advise
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-12-16 03:31:38 UTC
MPlayer 1.0pre5try2 is out :

media-video: please bump
Comment 4 Chris White (RETIRED) gentoo-dev 2004-12-16 08:48:38 UTC
Ugh, lovely...  Unfortunately, I won't be able to get to this until tommorow (finals bleh :( ).  But after my final tommorow, I'll be on this and bumping asanhcph (As soon as non humans can possibly handle).
Comment 5 Chris White (RETIRED) gentoo-dev 2004-12-18 11:59:48 UTC
Mkay, bumped as requested.  New version to use is pre5-r5.  Let's see, keywords targets are:

x86 ppc alpha amd64 hppa sparc ppc64

and ppc64, pre5-r4 was marked stable with no changelog entry.. what's up with that?

x86 was taken careof by yours truly.  More fun :P.  Also removing myself from CC as I already get security and media-video spam as is :P.
Comment 6 Dylan Carlson (RETIRED) gentoo-dev 2004-12-18 15:40:08 UTC
Stable on amd64
Comment 7 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2004-12-18 16:07:16 UTC
Done on ppc.
Comment 8 Jason Wever (RETIRED) gentoo-dev 2004-12-18 16:49:09 UTC
Stable on sparc
Comment 9 Bryan Østergaard (RETIRED) gentoo-dev 2004-12-19 09:11:05 UTC
Stable on alpha.
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2004-12-19 11:02:44 UTC
stable on ppc64.

sorry about the missing changelog entry. I added it manualy.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-12-19 13:59:14 UTC
ia64, mips: you should mark _pre5-r5 "~" so that you benefit from GLSA.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-12-20 06:10:02 UTC
GLSA 200412-21