Date: Mon, 29 Sep 2008 16:00:52 +0000
From: Andrea Barisani <lcars@ocert.org.>
To: [email protected], [email protected],
Subject: [oCERT-2008-013] MPlayer Real demuxer heap overflow
Message-ID: <20080929160052.GX23089@fuse.inversepath.com.>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-GPG-Key: 0x864C9B9E
X-GPG-Fingerprint: 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
User-Agent: Mutt/1.5.16 (2007-06-09)
X-Virus-Scanned: antivirus-gw at tyumen.ru
2008/09/29 #2008-013 MPlayer Real demuxer heap overflow
Description:
The MPlayer multimedia player suffers from a vulnerability which could result
in arbitrary code execution and at the least, in unexpected process
termination.
Three integer underflows located in the Real demuxer code can be used to
exploit a heap overflow, a specific video file can be crafted in order to make
the stream_read function reading or writing arbitrary amounts of memory.
The following patch fixes the issue:
http://www.ocert.org/patches/2008-013/mplayer_demux_real.patch
Affected version:
MPlayer <= 1.0_rc2
Fixed version:
MPlayer, N/A
Credit: vulnerability report, patch and PoC code received from Felipe Andres
Manzano <fmanzano [at] fceia [dot] unr [dot] edu [dot] ar>.
CVE: CVE-2008-3827
Timeline:
2008-08-12: vulnerability report received
2008-08-24: contacted mplayer maintainers
2008-08-25: maintainer provides patch
2008-08-28: reporter indicates that the patch is incomplete and sends new PoC
2008-09-15: maintainer provides updated patch
2008-09-16: reporter confirms patch
2008-09-29: advisory release
References:
Links:
http://www.mplayerhq.hu
Permalink:
http://www.ocert.org/advisories/ocert-2008-013.html
--
Andrea Barisani | Founder & Project Coordinator
oCERT | Open Source Computer Emergency Response Team
<lcars@ocert.org.> http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"
