(Mandrake Issues Fix) MPlayer Buffer Overflow in Parsing HTTP Location Header Lets Remote Servers Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1009669 |
|
SecurityTracker URL: http://securitytracker.com/id/1009669
|
|
CVE Reference:
CAN-2004-0386
(Links to External Site)
|
Updated: Apr 7 2004
|
Original Entry Date: Apr 6 2004
|
Impact:
Execution of arbitrary code via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 1.0pre3 and prior versions
|
Description:
A heap overflow vulnerability was reported in MPlayer. A remote server can execute arbitrary code on a connected MPlayer client.
blexim reported that MPlayer does not allocate sufficient buffer memory to hold an encoded URL returned by the web server as the 'Location' HTTP header value. A remote server can return a specially crafted value to trigger a buffer overflow on the target user's MPlayer and execute arbitrary code with the privileges of the target user.
The report indicates that you can use the following command to determine if your system is affected (a segmentation fault indicates the system is vulnerable):
$ mplayer http://`perl -e 'print "\""x1024;'`
The vendor indicates that they were notified on March 29, 2004.
|
Impact:
A remote server can execute arbitrary code on a connected client. The code will run with the privileges of the user running MPlayer.
|
Solution:
Mandrake has released a fix.
Mandrakelinux 10.0:
134aa1652ff5325837ee0d1dd7062b2f 10.0/RPMS/libdha0.1-1.0-0.pre3.13.100mdk.i586.rpm
59d793c4ee7906121ad4c5847d8c48e5 10.0/RPMS/libpostproc0-1.0-0.pre3.13.100mdk.i586.rpm
379cfc3fca85254dc9e02e7dcfe3b8a5 10.0/RPMS/libpostproc0-devel-1.0-0.pre3.13.100mdk.i586.rpm
3255b8d6b3c07ab7e850291ccf448be4 10.0/RPMS/mencoder-1.0-0.pre3.13.100mdk.i586.rpm
8d9d2d1acdc13f45bf4145d57d2d8279 10.0/RPMS/mplayer-1.0-0.pre3.13.100mdk.i586.rpm
0326d955c0bd11c1f108c25bd6afec7c 10.0/RPMS/mplayer-gui-1.0-0.pre3.13.100mdk.i586.rpm
911e55e683df88c41df9ef9f2b09493f 10.0/SRPMS/mplayer-1.0-0.pre3.13.100mdk.src.rpm
Mandrakelinux 9.2:
d2335a0b3a0309a109db619a3c1247cd 9.2/RPMS/libdha0.1-0.91-8.2.92mdk.i586.rpm
3f739b2b8da578eec51d6c470d016861 9.2/RPMS/libpostproc0-0.91-8.2.92mdk.i586.rpm
bea49f0df30a6fc90c08ce7de955ad51 9.2/RPMS/libpostproc0-devel-0.91-8.2.92mdk.i586.rpm
fc157454aebde5fc4b40688c920987ff 9.2/RPMS/mencoder-0.91-8.2.92mdk.i586.rpm
ab6cbd8a28a845d714f5e572dadbd52b 9.2/RPMS/mplayer-0.91-8.2.92mdk.i586.rpm
18f43c4247b164f9c11dd2a70ab707c5 9.2/RPMS/mplayer-gui-0.91-8.2.92mdk.i586.rpm
f930e2754ab5d7e284a71f5a9f40cc38 9.2/SRPMS/mplayer-0.91-8.2.92mdk.src.rpm
Mandrakelinux 9.2/AMD64:
b48538a9d9183d02d57b21b4b4fa1b02 amd64/9.2/RPMS/lib64postproc0-0.91-8.2.92mdk.amd64.rpm
19b0ae1cc45534f2b389059a64fde38c amd64/9.2/RPMS/lib64postproc0-devel-0.91-8.2.92mdk.amd64.rpm
ec3be0bf7521721acf91f863d5af8bbc amd64/9.2/RPMS/mencoder-0.91-8.2.92mdk.amd64.rpm
184a24f4121e7999cc650cb99f18e935 amd64/9.2/RPMS/mplayer-0.91-8.2.92mdk.amd64.rpm
e75f2c67e14004edaa204968ad92a134 amd64/9.2/RPMS/mplayer-gui-0.91-8.2.92mdk.amd64.rpm
f930e2754ab5d7e284a71f5a9f40cc38 amd64/9.2/SRPMS/mplayer-0.91-8.2.92mdk.src.rpm
|
Vendor URL: www.mplayerhq.hu/homepage/design6/news.html (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
Linux (Mandriva/Mandrake)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: 5 Apr 2004 23:22:43 -0000
Subject: MDKSA-2004:026 - Updated mplayer packages fix remotely exploitable vulnerability
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: mplayer
Advisory ID: MDKSA-2004:026
Date: April 5th, 2004
Affected versions: 10.0, 9.2
______________________________________________________________________
Problem Description:
A remotely exploitable buffer overflow vulnerability was found in
MPlayer. A malicious host can craft a harmful HTTP header
("Location:"), and trick MPlayer into executing arbitrary code upon
parsing that header.
The updated packages contain a patch from the MPlayer development team
to correct the problem.
_______________________________________________________________________
References:
http://www.mplayerhq.hu/homepage/design6/news.html
______________________________________________________________________
Updated Packages:
Mandrakelinux 10.0:
134aa1652ff5325837ee0d1dd7062b2f 10.0/RPMS/libdha0.1-1.0-0.pre3.13.100mdk.i586.rpm
59d793c4ee7906121ad4c5847d8c48e5 10.0/RPMS/libpostproc0-1.0-0.pre3.13.100mdk.i586.rpm
379cfc3fca85254dc9e02e7dcfe3b8a5 10.0/RPMS/libpostproc0-devel-1.0-0.pre3.13.100mdk.i586.rpm
3255b8d6b3c07ab7e850291ccf448be4 10.0/RPMS/mencoder-1.0-0.pre3.13.100mdk.i586.rpm
8d9d2d1acdc13f45bf4145d57d2d8279 10.0/RPMS/mplayer-1.0-0.pre3.13.100mdk.i586.rpm
0326d955c0bd11c1f108c25bd6afec7c 10.0/RPMS/mplayer-gui-1.0-0.pre3.13.100mdk.i586.rpm
911e55e683df88c41df9ef9f2b09493f 10.0/SRPMS/mplayer-1.0-0.pre3.13.100mdk.src.rpm
Mandrakelinux 9.2:
d2335a0b3a0309a109db619a3c1247cd 9.2/RPMS/libdha0.1-0.91-8.2.92mdk.i586.rpm
3f739b2b8da578eec51d6c470d016861 9.2/RPMS/libpostproc0-0.91-8.2.92mdk.i586.rpm
bea49f0df30a6fc90c08ce7de955ad51 9.2/RPMS/libpostproc0-devel-0.91-8.2.92mdk.i586.rpm
fc157454aebde5fc4b40688c920987ff 9.2/RPMS/mencoder-0.91-8.2.92mdk.i586.rpm
ab6cbd8a28a845d714f5e572dadbd52b 9.2/RPMS/mplayer-0.91-8.2.92mdk.i586.rpm
18f43c4247b164f9c11dd2a70ab707c5 9.2/RPMS/mplayer-gui-0.91-8.2.92mdk.i586.rpm
f930e2754ab5d7e284a71f5a9f40cc38 9.2/SRPMS/mplayer-0.91-8.2.92mdk.src.rpm
Mandrakelinux 9.2/AMD64:
b48538a9d9183d02d57b21b4b4fa1b02 amd64/9.2/RPMS/lib64postproc0-0.91-8.2.92mdk.amd64.rpm
19b0ae1cc45534f2b389059a64fde38c amd64/9.2/RPMS/lib64postproc0-devel-0.91-8.2.92mdk.amd64.rpm
ec3be0bf7521721acf91f863d5af8bbc amd64/9.2/RPMS/mencoder-0.91-8.2.92mdk.amd64.rpm
184a24f4121e7999cc650cb99f18e935 amd64/9.2/RPMS/mplayer-0.91-8.2.92mdk.amd64.rpm
e75f2c67e14004edaa204968ad92a134 amd64/9.2/RPMS/mplayer-gui-0.91-8.2.92mdk.amd64.rpm
f930e2754ab5d7e284a71f5a9f40cc38 amd64/9.2/SRPMS/mplayer-0.91-8.2.92mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
A list of FTP mirrors can be obtained from:
http://www.mandrakesecure.net/en/ftp.php
All packages are signed by Mandrakesoft for security. You can obtain
the GPG public key of the Mandrakelinux Security Team by executing:
gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98
Please be aware that sometimes it takes the mirrors a few hours to
update.
You can view other update advisories for Mandrakelinux at:
http://www.mandrakesecure.net/en/advisories/
Mandrakesoft has several security-related mailing list services that
anyone can subscribe to. Information on these lists can be obtained by
visiting:
http://www.mandrakesecure.net/en/mlist.php
If you want to report vulnerabilities, please contact
security_linux-mandrake.com
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
<security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAcepCmqjQ0CJFipgRAhCKAKCi/TErb5NqKNNwb7+TN/c/qIoIRgCgz7RS
cs7U2oyUG5RaPnRM2r6wmfw=
=a96D
-----END PGP SIGNATURE-----
|
|
