FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mplayer -- multiple vulnerabilities

Affected packages
mplayer < 0.99.11_2
mplayer-esound < 0.99.11_2
mplayer-gtk < 0.99.11_2
mplayer-gtk-esound < 0.99.11_2
mplayer-gtk2 < 0.99.11_2
mplayer-gtk2-esound < 0.99.11_2

Details

VuXML ID de4d4110-ebce-11dc-ae14-0016179b2dd5
Discovery 2008-02-05
Entry 2008-03-06

The MPlayer team reports:

A buffer overflow was found in the code used to extract album titles from CDDB server answers. When parsing answers from the CDDB server, the album title is copied into a fixed-size buffer with insufficient size checks, which may cause a buffer overflow. A malicious database entry could trigger a buffer overflow in the program. That can lead to arbitrary code execution with the UID of the user running MPlayer.

A buffer overflow was found in the code used to escape URL strings. The code used to skip over IPv6 addresses can be tricked into leaving a pointer to a temporary buffer with a non-NULL value; this causes the unescape code to reuse the buffer, and may lead to a buffer overflow if the old buffer is smaller than required. A malicious URL string may be used to trigger a buffer overflow in the program. That can lead to arbitrary code execution with the UID of the user running MPlayer.

A buffer overflow was found in the code used to parse MOV file headers. The code read some values from the file and used them as indexes into an array allocated on the heap without performing any boundary check. A malicious file may be used to trigger a buffer overflow in the program. That can lead to arbitrary code execution with the UID of the user running MPlayer.
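
The CDDB item above describes a server-supplied title copied into a fixed-size buffer without an adequate size check. The following is an added example, not MPlayer's code or part of the advisory, showing the defensive form of such a copy. The helper name, the ALBUM_MAX capacity and the "DTITLE=Artist / Album" sample lines are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ALBUM_MAX 100   /* assumed capacity of the fixed-size title buffer */

/* Hypothetical helper: extract the album title from one constructed
 * CDDB-style answer line of the form "DTITLE=Artist / Album".
 * Returns 0 on success, -1 if the line is malformed, -2 if the title
 * does not fit in dst. dst is always left NUL-terminated. */
static int extract_album_title(const char *line, char *dst, size_t dst_size)
{
    static const char key[] = "DTITLE=";
    const char *p, *sep;
    size_t len;

    if (!line || !dst || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (strncmp(line, key, sizeof(key) - 1) != 0)
        return -1;
    p = line + sizeof(key) - 1;
    sep = strstr(p, " / ");        /* album follows "Artist / " if present */
    if (sep)
        p = sep + 3;
    len = strcspn(p, "\r\n");      /* title ends at end of line */

    /* The length is controlled by the remote server, so it is compared
     * against the destination capacity (keeping one byte for the
     * terminator) before any byte is copied. */
    if (len >= dst_size)
        return -2;
    memcpy(dst, p, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    char album[ALBUM_MAX];
    char big[512] = "DTITLE=Artist / ";   /* constructed oversized answer */
    int rc;

    rc = extract_album_title("DTITLE=Some Artist / Some Album\r\n", album, sizeof album);
    printf("normal:    rc=%d title=\"%s\"\n", rc, album);
    memset(big + strlen(big), 'A', 300);  /* 300-byte title, buffer holds 99 */
    rc = extract_album_title(big, album, sizeof album);
    printf("oversized: rc=%d title=\"%s\"\n", rc, album);
    return 0;
}
```

Rejecting the oversized title rather than truncating it keeps a hostile database entry from being displayed or processed further in partial form.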

References

CVE Name CVE-2008-0485
CVE Name CVE-2008-0486
CVE Name CVE-2008-0629
CVE Name CVE-2008-0630
URL http://secunia.com/advisories/28779