| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 15 Feb 2008 02:20:51 +0000 (GMT) From: noreply@...ecurity.com To: full-disclosure@...ts.grok.org.uk Subject: [MU-200802-01] Multiple Remote Arbitrary Execution Vulnerabilities in Mplayer -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Multiple Remote Arbitrary Execution Vulnerabilities in Mplayer [MU-200802-01] February 14, 2008 http://labs.musecurity.com/advisories.html Affected Products/Versions: MPlayer 1.0rc2 and SVN before r25824 (Sun Jan 20 20:58:02 2008 UTC). Older versions are probably affected, but they were not checked. Product Overview: http://www.mplayerhq.hu "MPlayer is a movie player which runs on many systems (see the documentation). It plays most MPEG/VOB, AVI, Ogg/OGM, VIVO, ASF/WMA/WMV, QT/MOV/MP4, RealMedia, Matroska, NUT, NuppelVideo, FLI, YUV4MPEG, FILM, RoQ, PVA files, supported by many native, XAnim, and Win32 DLL codecs. You can watch VideoCD, SVCD, DVD, 3ivx, DivX 3/4/5 and even WMV movies.." Vulnerability Details: URL IPv6 Address Parsing Remote Heap Overflow: A heap overflow condition exists in the parsing of IPv6 addresses, allowing for arbitrary code execution. CDDB Remote Stack Overflow: A remote attacker may execute arbitrary code on a client machine by causing a specially crafted CDDB response to be sent to the client. Vendor Response / Solution: Fixed in MPlayer SVN on Sun Jan 20 20:43:46 2008 UTC. History: <10/07/07> - First contact with vendor <10/08/07> - Vendor acknowledges vulnerability <02/14/08> - Advisory released Credit: This vulnerability was discovered by Adam Bozanich of the Mu Security research team. http://labs.musecurity.com/pgpkey.txt Mu Security offers a new class of security analysis system, delivering a rigorous and streamlined methodology for verifying the robustness and security readiness of any IP-based product or application. Founded by the pioneers of intrusion detection and prevention technology, Mu Security is backed by preeminent venture capital firms that include Accel Partners, Benchmark Capital and DAG Ventures. The company is headquartered in Sunnyvale, CA. For more information, visit the company's website at http://www.musecurity.com. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAke0jDwACgkQ+aa9jJz2VeBK/gCfR7YTapJ82v0NVA663Mc/s6IY uUYAnjZR6jRff7AcHGORGInzoyBRtLdc =fKx0 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists