mplayer: CVE-2022-38600 CVE-2022-38856 CVE-2022-38861 CVE-2022-38862 CVE-2022-38864

Debian Bug report logs - #1021013

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Fri, 30 Sep 2022 14:48:01 UTC

Severity: grave

Tags: security, upstream


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#1021013; Package src:mplayer. (Fri, 30 Sep 2022 14:48:03 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Fri, 30 Sep 2022 14:48:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: mplayer: CVE-2022-38600 CVE-2022-38856 CVE-2022-38861 CVE-2022-38862 CVE-2022-38864
Date: Fri, 30 Sep 2022 16:45:23 +0200
Source: mplayer
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for mplayer.

CVE-2022-38600[0]:
| Mplayer SVN-r38374-13.0.1 is vulnerable to Memory Leak via vf.c and
| vf_vo.c.

https://trac.mplayerhq.hu/ticket/2390#comment:2
https://git.ffmpeg.org/gitweb/mplayer.git/commit/59792bad144c11b21b27171a93a36e3fbd21eb5e (r38380)
Followup: https://git.ffmpeg.org/gitweb/mplayer.git/commit/48ca1226397974bb2bc53de878411f88a80fe1f8 (r38392)

CVE-2022-38856[1]:
| Certain The MPlayer Project products are vulnerable to Buffer Overflow
| via function mov_build_index() of libmpdemux/demux_mov.c. This affects
| mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

https://trac.mplayerhq.hu/ticket/2395

CVE-2022-38861[2]:
| The MPlayer Project mplayer SVN-r38374-13.0.1 is vulnerable to memory
| corruption via function free_mp_image() of libmpcodecs/mp_image.c.

https://trac.mplayerhq.hu/ticket/2407
https://git.ffmpeg.org/gitweb/mplayer.git/commit/2622e7fbe3605a2f3b4f74900197fefeedc0d2e1 (r38402)

CVE-2022-38862[3]:
| Certain The MPlayer Project products are vulnerable to Buffer Overflow
| via function play() of libaf/af.c:639. This affects mplayer
| SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

https://trac.mplayerhq.hu/ticket/2400
https://trac.mplayerhq.hu/ticket/2404

CVE-2022-38864[4]:
| Certain The MPlayer Project products are vulnerable to Buffer Overflow
| via the function mp_unescape03() of libmpdemux/mpeg_hdr.c. This
| affects mencoder SVN-r38374-13.0.1 and mplayer SVN-r38374-13.0.1.

https://trac.mplayerhq.hu/ticket/2406
https://git.ffmpeg.org/gitweb/mplayer.git/commit/36546389ef9fb6b0e0540c5c3f212534c34b0e94 (r38391)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-38600
    https://www.cve.org/CVERecord?id=CVE-2022-38600
[1] https://security-tracker.debian.org/tracker/CVE-2022-38856
    https://www.cve.org/CVERecord?id=CVE-2022-38856
[2] https://security-tracker.debian.org/tracker/CVE-2022-38861
    https://www.cve.org/CVERecord?id=CVE-2022-38861
[3] https://security-tracker.debian.org/tracker/CVE-2022-38862
    https://www.cve.org/CVERecord?id=CVE-2022-38862
[4] https://security-tracker.debian.org/tracker/CVE-2022-38864
    https://www.cve.org/CVERecord?id=CVE-2022-38864

Please adjust the affected versions in the BTS as needed.



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 30 Sep 2022 15:24:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#1021013; Package src:mplayer. (Fri, 30 Sep 2022 17:57:02 GMT)


Acknowledgement sent to Reimar Döffinger <Reimar.Doeffinger@gmx.de>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Fri, 30 Sep 2022 17:57:02 GMT)


Message #12 received at 1021013@bugs.debian.org:

From: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
To: Moritz Mühlenhoff <jmm@inutil.org>, 1021013@bugs.debian.org
Subject: Re: Bug#1021013: mplayer: CVE-2022-38600 CVE-2022-38856 CVE-2022-38861 CVE-2022-38862 CVE-2022-38864
Date: Fri, 30 Sep 2022 19:52:08 +0200

Hi!

> CVE-2022-38600[0]:
> | Mplayer SVN-r38374-13.0.1 is vulnerable to Memory Leak via vf.c and
> | vf_vo.c.
> 
> https://trac.mplayerhq.hu/ticket/2390#comment:2
> https://git.ffmpeg.org/gitweb/mplayer.git/commit/59792bad144c11b21b27171a93a36e3fbd21eb5e (r38380)
> Followup: https://git.ffmpeg.org/gitweb/mplayer.git/commit/48ca1226397974bb2bc53de878411f88a80fe1f8 (r38392)

I would advise consideration on whether this should be considered relevant for Debian security.
This is a minor memory leak that happens for files that cannot be played properly (and the leak is linear with number of files played), and MPlayer is rarely used to play many broken videos (i.e. ones that will not show any video) in sequence.
I.e. worst case this is a hard (as in, takes a long time and many files) to trigger DoS for a tiny, tiny percentage of users.

> CVE-2022-38862[3]:
> | Certain The MPlayer Project products are vulnerable to Buffer Overflow
> | via function play() of libaf/af.c:639. This affects mplayer
> | SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.
> 
> https://trac.mplayerhq.hu/ticket/2400
> https://trac.mplayerhq.hu/ticket/2404

These have not been reproduced; even the reporter could not reproduce using valgrind, and I could reproduce with neither valgrind nor ASAN.
It could simply be a bug in the specific ASAN version used by the reporter.
Code review has not left me 100% confident whether there might be a real issue in this code or not.
Even if it is a real issue, it is possible it affects only MEncoder, not MPlayer.

Best regards,
Reimar


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Oct 1 13:21:56 2022; Machine Name: bembo