[packman] Mplayer Buffer Overflow

maps0can at tampabay.rr.com
Mon Jan 15 18:17:15 CET 2007


http://www3.mplayerhq.hu/design7/news.html

A potential buffer overflow was found in the code used to handle RealMedia 
RTSP streams. When checking for matching asm rules, the code stores the 
results in a fixed-size array, but no boundary checks are performed. This may 
lead to a buffer overflow if the user is tricked into connecting to a 
malicious server. Since the attacker cannot write arbitrary data into the 
buffer, creating an exploit is very hard; but a DoS attack is easily made.

Severity

High (DoS and eventually arbitrary remote code execution under the user ID 
running the player) when setting up an RTSP session from a malicious server, 
null if you do not use this feature. At the time the buffer overflow was 
fixed there was no known exploit.

Solution

A fix for this problem was committed to SVN on Sun Dec 31 13:27:53 2006 UTC as 
r21799. The fix involves three files: stream/realrtsp/asmrp.c, 
stream/realrtsp/asmrp.h and stream/realrtsp/real.c. Users of affected MPlayer 
versions should download a patch for MPlayer 1.0rc1 or update to the latest 
version if they're using SVN.

Please note that we are not releasing an updated tarball with this fix at this 
moment, since MPlayer 1.0rc2 is already in process.
If you need to stay with 1.0rc1, get the MPlayer 1.0rc1 tarball, apply the 
patch with the fix and recompile MPlayer; else upgrade to SVN.
If you maintain a binary package for MPlayer, please name the updated version 
MPlayer 1.0rc1try2.

Affected versions

MPlayer 1.0rc1 and SVN before r21799 (Sun Dec 31 13:27:53 2006 UTC). Older 
versions are probably affected, too, but they were not checked.
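
The bug class described in the advisory (match results written to a fixed-size array with no boundary check) and the shape of a bounded version, as an added example. This is not MPlayer's code or the r21799 patch: collect_matches, rule_matches, MAX_MATCHES and the ';'-separated rule format are hypothetical, simplified stand-ins.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_MATCHES 16  /* hypothetical capacity of the caller's array */

/* Simplified stand-in for a server-supplied rule book: rules separated by
 * ';', each rule being just a minimum bandwidth in decimal. Constructed
 * format, not the real ASM rule syntax. */
static int rule_matches(const char *rule, long bandwidth)
{
    return strtol(rule, NULL, 10) <= bandwidth;
}

/* Stores the index of every matching rule in matches[]. The number of
 * rules is controlled by the server, so the write index is checked
 * against the caller-supplied capacity before every store.
 * Returns the number of matches, or -1 if they do not fit. */
int collect_matches(const char *rules, long bandwidth,
                    int *matches, size_t cap)
{
    size_t n = 0;
    int rule_no = 0;
    const char *p = rules;

    while (*p) {
        if (rule_matches(p, bandwidth)) {
            if (n >= cap)          /* the check an unchecked loop lacks */
                return -1;
            matches[n++] = rule_no;
        }
        rule_no++;
        while (*p && *p != ';') p++;   /* skip to the end of this rule */
        if (*p == ';') p++;
    }
    return (int)n;
}

int main(void)
{
    int matches[MAX_MATCHES];
    /* Constructed input: 20 rules that all match, more than the array holds. */
    const char *hostile = "1;1;1;1;1;1;1;1;1;1;1;1;1;1;1;1;1;1;1;1";
    printf("benign:  %d\n", collect_matches("100;500;9000", 600, matches, MAX_MATCHES));
    printf("hostile: %d\n", collect_matches(hostile, 600, matches, MAX_MATCHES));
    return 0;
}
```

Passing the capacity in alongside the array lets the function refuse an oversized rule book instead of writing past the end, and the caller can treat -1 as a reason to drop the session.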



