[mplayer] Heap overflow causes potential arbitrary code execution

Bug #140891 reported by disabled.user
Affects              Status        Importance  Assigned to    Milestone
kmplayer (Ubuntu)    Invalid       Undecided   Unassigned
  Dapper             Invalid       Undecided   Unassigned
  Edgy               Invalid       Undecided   Unassigned
  Feisty             Invalid       Undecided   Unassigned
  Gutsy              Invalid       Undecided   Unassigned
  Hardy              Invalid       Undecided   Unassigned
mplayer (Debian)     Fix Released  Unknown
mplayer (Ubuntu)     Fix Released  Medium      Unassigned
  Dapper             Invalid       Medium      Unassigned
  Edgy               Fix Released  Medium      William Grant
  Feisty             Fix Released  Medium      William Grant
  Gutsy              Fix Released  Medium      William Grant
  Hardy              Fix Released  Medium      Unassigned

Bug Description

Binary package hint: mplayer

Quote:
"one heap overflow was discovered in MPlayer.[...]
Some D.o.S (raise 100% CPU) were discovered in KMPlayer.

By tricking a user into opening a specially crafted media file,
an attacker who exploits the heap overflow in MPlayer or Media Player Classic
could potentially execute arbitrary code with the user's privileges."

Affected versions:
- MPlayer 1.0rc1 and prior
- KMPlayer v2.9.3.1210 and prior

References:
http://www.vulnhunt.com/advisories/CAL-20070912-1_Multiple_vendor_produce_handling_AVI_file_vulnerabilities.txt

Patch:
http://svn.mplayerhq.hu/mplayer/trunk/libmpdemux/aviheader.c?r1=23985&r2=24447

Kees Cook (kees) wrote:

Thanks for the report! We will get fixes published shortly.

Changed in mplayer (repeated for each series task):
assignee: nobody → keescook
importance: Undecided → Medium
status: New → Triaged
Changed in kmplayer (repeated for each series task):
assignee: nobody → keescook
importance: Undecided → Medium
status: New → Triaged
Kees Cook (kees) wrote:

This is not the same kmplayer that is vulnerable. Marking invalid.

Changed in kmplayer (repeated for each series task):
assignee: keescook → nobody
importance: Medium → Undecided
status: Triaged → Invalid
Changed in mplayer (repeated for each series task):
assignee: keescook → nobody
disabled.user (disabled.user-deactivatedaccount) wrote:

Oh sorry, I didn't notice the difference between "our" kmplayer and this one:
www.kmplayer.com

Well, at least this explains the great leap in version numbering... ;-)

William Grant (wgrant) wrote:

Fixed in Hardy in 1.0rc2.

Changed in mplayer:
status: Triaged → Fix Released
William Grant (wgrant) wrote:
Changed in mplayer (repeated for each series task):
assignee: nobody → fujitsu
status: Triaged → In Progress
William Grant (wgrant) wrote:

Sorry about the wait, I've been busy with school stuff lately and wasn't up-to-date with bugmail.

William Grant (wgrant) wrote:
Changed in mplayer:
assignee: nobody → fujitsu
status: Triaged → In Progress
William Grant (wgrant) wrote:

Neither of those two checks is in Dapper's mplayer at all, which worries me. We probably want to add them, but I'm not sure.

Changed in mplayer:
status: Triaged → Incomplete
Changed in mplayer:
status: Unknown → Fix Released
Kees Cook (kees) wrote:

Sorry for the delay on these; they look great. I've uploaded them to the security queue; they should be published shortly.

Changed in mplayer (repeated for each series task):
status: In Progress → Fix Committed
William Grant (wgrant) wrote:

mplayer (2:1.0~rc1-0ubuntu13.1) gutsy-security; urgency=low

  * SECURITY UPDATE: buffer overrun in mpdemux code (LP: #140891).
  * libmpdemux/aviheader.c: Apply upstream patch.
  * References:
    - CVE-2007-4938

 -- William Grant <email address hidden> Tue, 06 Nov 2007 17:20:30 +1100

William Grant (wgrant) wrote:

mplayer (2:1.0~rc1-0ubuntu9.2) feisty-security; urgency=low

  * SECURITY UPDATE: buffer overrun in mpdemux code (LP: #140891).
  * libmpdemux/aviheader.c: Apply upstream patch.
  * References:
    - CVE-2007-4938

 -- William Grant <email address hidden> Tue, 06 Nov 2007 17:11:21 +1100

Changed in mplayer (repeated for each series task):
status: Fix Committed → Fix Released
Kees Cook (kees)
Changed in mplayer:
status: Fix Committed → Fix Released
William Grant (wgrant)
Changed in mplayer:
status: Incomplete → Invalid
This report contains Public Security information: everyone can see this security related information.