Mandrake security alert: Updated mplayer packages fix remotely exploitable vulnerability

Posted by dave on Apr 5, 2004 4:40 PM EDT
Mailing list; By Mandrake Linux Security Team
Mail this story
Print this story

A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful HTTP header ("Location:"), and trick MPlayer into executing arbitrary code upon parsing that header.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandrakelinux Security Update Advisory _______________________________________________________________________

Package name: mplayer Advisory ID: MDKSA-2004:026 Date: April 5th, 2004

Affected versions: 10.0, 9.2 ______________________________________________________________________

Problem Description:

A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful HTTP header ("Location:"), and trick MPlayer into executing arbitrary code upon parsing that header. The updated packages contain a patch from the MPlayer development team to correct the problem. _______________________________________________________________________

References:

http://www.mplayerhq.hu/homepage/design6/news.html ______________________________________________________________________

Updated Packages: Mandrakelinux 10.0: 134aa1652ff5325837ee0d1dd7062b2f 10.0/RPMS/libdha0.1-1.0-0.pre3.13.100mdk.i586.rpm 59d793c4ee7906121ad4c5847d8c48e5 10.0/RPMS/libpostproc0-1.0-0.pre3.13.100mdk.i586.rpm 379cfc3fca85254dc9e02e7dcfe3b8a5 10.0/RPMS/libpostproc0-devel-1.0-0.pre3.13.100mdk.i586.rpm 3255b8d6b3c07ab7e850291ccf448be4 10.0/RPMS/mencoder-1.0-0.pre3.13.100mdk.i586.rpm 8d9d2d1acdc13f45bf4145d57d2d8279 10.0/RPMS/mplayer-1.0-0.pre3.13.100mdk.i586.rpm 0326d955c0bd11c1f108c25bd6afec7c 10.0/RPMS/mplayer-gui-1.0-0.pre3.13.100mdk.i586.rpm 911e55e683df88c41df9ef9f2b09493f 10.0/SRPMS/mplayer-1.0-0.pre3.13.100mdk.src.rpm

Mandrakelinux 9.2: d2335a0b3a0309a109db619a3c1247cd 9.2/RPMS/libdha0.1-0.91-8.2.92mdk.i586.rpm 3f739b2b8da578eec51d6c470d016861 9.2/RPMS/libpostproc0-0.91-8.2.92mdk.i586.rpm bea49f0df30a6fc90c08ce7de955ad51 9.2/RPMS/libpostproc0-devel-0.91-8.2.92mdk.i586.rpm fc157454aebde5fc4b40688c920987ff 9.2/RPMS/mencoder-0.91-8.2.92mdk.i586.rpm ab6cbd8a28a845d714f5e572dadbd52b 9.2/RPMS/mplayer-0.91-8.2.92mdk.i586.rpm 18f43c4247b164f9c11dd2a70ab707c5 9.2/RPMS/mplayer-gui-0.91-8.2.92mdk.i586.rpm f930e2754ab5d7e284a71f5a9f40cc38 9.2/SRPMS/mplayer-0.91-8.2.92mdk.src.rpm

Mandrakelinux 9.2/AMD64: b48538a9d9183d02d57b21b4b4fa1b02 amd64/9.2/RPMS/lib64postproc0-0.91-8.2.92mdk.amd64.rpm 19b0ae1cc45534f2b389059a64fde38c amd64/9.2/RPMS/lib64postproc0-devel-0.91-8.2.92mdk.amd64.rpm ec3be0bf7521721acf91f863d5af8bbc amd64/9.2/RPMS/mencoder-0.91-8.2.92mdk.amd64.rpm 184a24f4121e7999cc650cb99f18e935 amd64/9.2/RPMS/mplayer-0.91-8.2.92mdk.amd64.rpm e75f2c67e14004edaa204968ad92a134 amd64/9.2/RPMS/mplayer-gui-0.91-8.2.92mdk.amd64.rpm f930e2754ab5d7e284a71f5a9f40cc38 amd64/9.2/SRPMS/mplayer-0.91-8.2.92mdk.src.rpm _______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

A list of FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php

All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing:

gpg --recv-keys --keyserver http://www.mandrakesecure.net 0x22458A98

Please be aware that sometimes it takes the mirrors a few hours to update.

You can view other update advisories for Mandrakelinux at:

http://www.mandrakesecure.net/en/advisories/

Mandrakesoft has several security-related mailing list services that anyone can subscribe to. Information on these lists can be obtained by visiting:

http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

security_linux-mandrake.com

Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAcepCmqjQ0CJFipgRAhCKAKCi/TErb5NqKNNwb7+TN/c/qIoIRgCgz7RS cs7U2oyUG5RaPnRM2r6wmfw= =a96D -----END PGP SIGNATURE-----

[PARSEASHTML]

  Nav
» Read more about: Story Type: Security; Groups: Mandriva

« Return to the newswire homepage

This topic does not have any threads posted yet!

You cannot post until you login.