MPlayer demux_real.c Integer Overflow Vulnerability

Vulnerability ID: 1185115    Vulnerability type: Numeric error
Published: 2008-09-29    Updated: 2009-01-12
CVE ID: CVE-2008-3827    CNNVD-ID: CNNVD-200809-399
Platform: N/A    CVSS score: 9.3
|Vulnerability source
https://www.securityfocus.com/bid/31473
https://cxsecurity.com/issue/WLB-2008100093
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200809-399
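|Vulnerability details
MPlayer is an open-source multimedia player released under the GNU General Public License. The Real demuxer (demux_real.c) in MPlayer 1.0_rc2 and earlier contains multiple integer overflow vulnerabilities. A remote attacker can use a crafted video file that causes the stream_read function to read or write arbitrary memory, resulting in denial of service (program termination) and possibly arbitrary code execution.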
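One common form of the integer error described above is an unsigned length subtraction that wraps before the result is used as a read size. The following is an added example, not MPlayer's code and not the actual defect in demux_real.c; the chunk layout, HDR_SIZE and all function names are hypothetical, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_SIZE 8u /* hypothetical: header bytes counted by the length field */

/* Unsafe pattern: wraps to a huge value when declared < HDR_SIZE. */
static uint32_t len_unchecked(uint32_t declared) { return declared - HDR_SIZE; }

/* Checked form: 0 on success, -1 if the length underflows or exceeds
 * the bytes available in the input or the destination capacity. */
static int len_checked(uint32_t declared, size_t avail, size_t cap,
                       size_t *out)
{
    if (declared < HDR_SIZE) return -1;
    size_t n = (size_t)declared - HDR_SIZE;
    if (n > avail || n > cap) return -1;
    *out = n;
    return 0;
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Chunk: [4-byte tag][4-byte big-endian length incl. header][payload].
 * Returns payload bytes copied into dst, or -1 for a malformed chunk. */
static long read_chunk(const uint8_t *in, size_t in_len,
                       uint8_t *dst, size_t dst_cap)
{
    size_t n;
    if (in_len < HDR_SIZE) return -1;
    if (len_checked(be32(in + 4), in_len - HDR_SIZE, dst_cap, &n)) return -1;
    memcpy(dst, in + HDR_SIZE, n);
    return (long)n;
}

int main(void)
{
    /* Constructed sample: declared length 4 is smaller than the header. */
    const uint8_t bad[] = { 'D','A','T','A', 0,0,0,4, 1,2,3,4 };
    uint8_t buf[16];
    printf("unchecked: %u\n", (unsigned)len_unchecked(be32(bad + 4)));
    printf("checked:   %ld\n", read_chunk(bad, sizeof bad, buf, sizeof buf));
    return 0;
}
```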
|Vulnerability exploit (EXP)

2008/09/29 #2008-013 MPlayer Real demuxer heap overflow

Description:

The MPlayer multimedia player suffers from a vulnerability which could result
in arbitrary code execution and at the least, in unexpected process
termination.

Three integer underflows located in the Real demuxer code can be used to
exploit a heap overflow; a specific video file can be crafted in order to make
the stream_read function read or write arbitrary amounts of memory.

The following patch fixes the issue:
http://www.ocert.org/patches/2008-013/mplayer_demux_real.patch

Affected version:

MPlayer <= 1.0_rc2

Fixed version:

MPlayer, N/A

Credit: vulnerability report, patch and PoC code received from Felipe Andres
Manzano <fmanzano [at] fceia [dot] unr [dot] edu [dot] ar>.

CVE: CVE-2008-3827

Timeline:
2008-08-12: vulnerability report received
2008-08-24: contacted mplayer maintainers
2008-08-25: maintainer provides patch
2008-08-28: reporter indicates that the patch is incomplete and sends new PoC
2008-09-15: maintainer provides updated patch
2008-09-16: reporter confirms patch
2008-09-29: advisory release

References:

Links:
http://www.mplayerhq.hu

Permalink:
http://www.ocert.org/advisories/ocert-2008-013.html

-- 
Andrea Barisani |                Founder & Project Coordinator
          oCERT | Open Source Computer Emergency Response Team

<lcars (at) ocert (dot) org>                         http://www.ocert.org
 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
        "Pluralitas non est ponenda sine necessitate"
|Affected products
Webmin Webmin 0.1
Pardus Linux 2008 0
MPlayer MPlayer 1.0.20060329
MPlayer MPlayer 1.0 pre6-r4
MPlayer MPlayer 1.0 pre6-3.3.5-20050130
MPlayer MPlayer 1.0 pre6
|References

Source: MISC
Link: http://www.ocert.org/advisories/ocert-2008-013.html
Source: SECTRACK
Name: 1020952
Link: http://www.securitytracker.com/id?1020952
Source: BID
Name: 31473
Link: http://www.securityfocus.com/bid/31473
Source: BUGTRAQ
Name: 20080929 [oCERT-2008-013] MPlayer Real demuxer heap overflow
Link: http://www.securityfocus.com/archive/1/archive/1/496806/100/0/threaded
Source: MANDRIVA
Name: MDVSA-2008:219
Link: http://www.mandriva.com/security/advisories?name=MDVSA-2008:219
Source: VUPEN
Name: ADV-2008-2703
Link: http://www.frsirt.com/english/advisories/2008/2703
Source: DEBIAN
Name: DSA-1644
Link: http://www.debian.org/security/2008/dsa-1644
Source: svn.mplayerhq.hu
Link: http://svn.mplayerhq.hu/mplayer/trunk/libmpdemux/demux_real.c?r1=27314&r2=27675
Source: SREASON
Name: 4326
Link: http://securityreason.com/securityalert/4326
Source: SECUNIA
Name: 32153
Link: http://secunia.com/advisories/32153
Source: SECUNIA
Name: 32045
Link: http://secunia.com/advisories/32045