mplayer: CVE-2008-0073 remote code execution via crafted rtsp stream

Debian Bug report logs - #473056
mplayer: CVE-2008-0073 remote code execution via crafted rtsp stream

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: submit@bugs.debian.org

Subject: mplayer: CVE-2008-0073 remote code execution via crafted rtsp stream

Date: Fri, 28 Mar 2008 02:07:22 +0100

[Message part 1 (text/plain, inline)]

Package: mplayer
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for mplayer.

CVE-2008-0073CVE-2008-0073[0]:
| Array index error in the sdpplin_parse function in
| input/libreal/sdpplin.c in xine-lib 1.1.10.1 allows remote RTSP
| servers to execute arbitrary code via a large streamid SDP parameter.

This also affects mplayer since it also uses this code.
A patch is available on:
http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=12cb075fba8ea09813fc35e0c731d2a64265b637;style=raw

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0073CVE-2008-0073

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #10 received at 473056@bugs.debian.org (full text, mbox, reply):

From: A Mennucc <mennucc1@debian.org>

To: Nico Golde <nion@debian.org>, 473056@bugs.debian.org

Cc: Reimar Döffinger <Reimar.Doeffinger@stud.uni-karlsruhe.de>

Subject: Re: Bug#473056: mplayer: CVE-2008-0073 remote code execution via crafted rtsp stream

Date: Fri, 28 Mar 2008 22:46:39 +0100

[Message part 1 (text/plain, inline)]

Nico Golde ha scritto:
> Package: mplayer
> Severity: grave
> Tags: security patch
> 
> This also affects mplayer since it also uses this code.
> A patch is available on:
> http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=12cb075fba8ea09813fc35e0c731d2a64265b637;style=raw

I saw a comment of  Reimar (that I am CC-ing); he wrote in the mplayer
dev list, saying that mplayer is not affected as badly as xine; anyway
Reimar wrote a short patch, that I will apply tomorrow

a.

[signature.asc (application/pgp-signature, attachment)]

Message #15 received at 473056-close@bugs.debian.org (full text, mbox, reply):

From: A Mennucc1 <mennucc1@debian.org>

To: 473056-close@bugs.debian.org

Subject: Bug#473056: fixed in mplayer 1.0~rc2-10

Date: Sat, 29 Mar 2008 10:03:06 +0000

Source: mplayer
Source-Version: 1.0~rc2-10

We believe that the bug you reported is fixed in the latest version of
mplayer, which is due to be installed in the Debian FTP archive:

mplayer-doc_1.0~rc2-10_all.deb
  to pool/main/m/mplayer/mplayer-doc_1.0~rc2-10_all.deb
mplayer_1.0~rc2-10.diff.gz
  to pool/main/m/mplayer/mplayer_1.0~rc2-10.diff.gz
mplayer_1.0~rc2-10.dsc
  to pool/main/m/mplayer/mplayer_1.0~rc2-10.dsc
mplayer_1.0~rc2-10_i386.deb
  to pool/main/m/mplayer/mplayer_1.0~rc2-10_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 473056@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
A Mennucc1 <mennucc1@debian.org> (supplier of updated mplayer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 29 Mar 2008 09:40:09 +0100
Source: mplayer
Binary: mplayer mplayer-doc
Architecture: source all i386
Version: 1.0~rc2-10
Distribution: unstable
Urgency: high
Maintainer: A Mennucc1 <mennucc1@debian.org>
Changed-By: A Mennucc1 <mennucc1@debian.org>
Description: 
 mplayer    - movie player for Unix-like systems
 mplayer-doc - documentation for MPlayer
Closes: 470617 473056
Changes: 
 mplayer (1.0~rc2-10) unstable; urgency=high
 .
   * fix: CVE-2008-0073 remote code execution via crafted rtsp stream,
     thanks to Nico Golde and  Reimar Döffinger (Closes: #473056).
   * use ALSA by default, thanks to Sam Morris (Closes: #470617).
Files: 
 a12de016896b120834b996ae71c528ae 1420 graphics optional mplayer_1.0~rc2-10.dsc
 d8eb1c1efe14d8bc4e89d0732196251f 72662 graphics optional mplayer_1.0~rc2-10.diff.gz
 d09861e57b036ea1725d00b54a572924 2457424 graphics optional mplayer-doc_1.0~rc2-10_all.deb
 ad745020fdfb955bef6b3c0dc4d62ce0 5078394 graphics optional mplayer_1.0~rc2-10_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH7glv9B/tjjP8QKQRAnfoAJ9VfkIq5wRobM8nLWr7qh/ymfR5bQCgovqa
GL0bMQAfzVLIQMjFheW1XAY=
=1g6+
-----END PGP SIGNATURE-----

Message #20 received at 473056@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: A Mennucc <mennucc1@debian.org>

Cc: 473056@bugs.debian.org

Subject: Re: Bug#473056: mplayer: CVE-2008-0073 remote code execution via crafted rtsp stream

Date: Sat, 29 Mar 2008 14:10:27 +0100

[Message part 1 (text/plain, inline)]

Hi A Mennucc,
* A Mennucc <mennucc1@debian.org> [2008-03-29 14:00]:
> Nico Golde ha scritto:
> > Package: mplayer
> > Severity: grave
> > Tags: security patch
> > 
> > This also affects mplayer since it also uses this code.
> > A patch is available on:
> > http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=12cb075fba8ea09813fc35e0c731d2a64265b637;style=raw
> 
> I saw a comment of  Reimar (that I am CC-ing); he wrote in the mplayer
> dev list, saying that mplayer is not affected as badly as xine; anyway
> Reimar wrote a short patch, that I will apply tomorrow

Not sure what is meant with as badly but if you mean
http://lists.mplayerhq.hu/pipermail/mplayer-dev-eng/2008-March/056938.html
the patch fixes the same problem in a different way like the 
diff from the xine-lib repository.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #25 received at 473056@bugs.debian.org (full text, mbox, reply):

From: Reimar Döffinger <Reimar.Doeffinger@stud.uni-karlsruhe.de>

To: Nico Golde <nion@debian.org>, 473056@bugs.debian.org

Subject: Re: Bug#473056: mplayer: CVE-2008-0073 remote code execution via crafted rtsp stream

Date: Sun, 30 Mar 2008 10:50:55 +0200

On Sat, Mar 29, 2008 at 02:10:27PM +0100, Nico Golde wrote:
> Hi A Mennucc,
> * A Mennucc <mennucc1@debian.org> [2008-03-29 14:00]:
> > Nico Golde ha scritto:
> > > Package: mplayer
> > > Severity: grave
> > > Tags: security patch
> > > 
> > > This also affects mplayer since it also uses this code.
> > > A patch is available on:
> > > http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=12cb075fba8ea09813fc35e0c731d2a64265b637;style=raw
> > 
> > I saw a comment of  Reimar (that I am CC-ing); he wrote in the mplayer
> > dev list, saying that mplayer is not affected as badly as xine; anyway
> > Reimar wrote a short patch, that I will apply tomorrow
> 
> Not sure what is meant with as badly but if you mean
> http://lists.mplayerhq.hu/pipermail/mplayer-dev-eng/2008-March/056938.html
> the patch fixes the same problem in a different way like the 
> diff from the xine-lib repository.

I did not check myself I admit, I just assumed from explanations
elsewhere that the xine version was missing some checks on stream_id as
well.
Sorry if I misunderstood (and thus misrepresented) the issue.

Greetings,
Reimar Döffinger

Message #30 received at 473056-close@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 473056-close@bugs.debian.org

Subject: Bug#473056: fixed in mplayer 1.0~rc2-8+lenny1

Date: Wed, 09 Apr 2008 19:02:37 +0000

Source: mplayer
Source-Version: 1.0~rc2-8+lenny1

We believe that the bug you reported is fixed in the latest version of
mplayer, which is due to be installed in the Debian FTP archive:

mplayer-doc_1.0~rc2-8+lenny1_all.deb
  to pool/main/m/mplayer/mplayer-doc_1.0~rc2-8+lenny1_all.deb
mplayer_1.0~rc2-8+lenny1.diff.gz
  to pool/main/m/mplayer/mplayer_1.0~rc2-8+lenny1.diff.gz
mplayer_1.0~rc2-8+lenny1.dsc
  to pool/main/m/mplayer/mplayer_1.0~rc2-8+lenny1.dsc
mplayer_1.0~rc2-8+lenny1_amd64.deb
  to pool/main/m/mplayer/mplayer_1.0~rc2-8+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 473056@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated mplayer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 09 Apr 2008 14:52:01 +0200
Source: mplayer
Binary: mplayer mplayer-doc
Architecture: source all amd64
Version: 1.0~rc2-8+lenny1
Distribution: testing-security
Urgency: high
Maintainer: A Mennucc1 <mennucc1@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 mplayer    - movie player for Unix-like systems
 mplayer-doc - documentation for MPlayer
Closes: 473056
Changes: 
 mplayer (1.0~rc2-8+lenny1) testing-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * This update addresses the following security issue:
     - CVE-2008-0073: Array index error in sddpplin_parse function
       allows remote RTSP server to execute arbitrary code via crafted
       streams (Closes: #473056).
Files: 
 b5b2e635931e4a0f9e280371fb6e8844 1435 graphics optional mplayer_1.0~rc2-8+lenny1.dsc
 2ef6a0e14fefc2098823d22f809043a8 71966 graphics optional mplayer_1.0~rc2-8+lenny1.diff.gz
 9049764eeabb8413ae39ec82fb8f1c18 2459392 graphics optional mplayer-doc_1.0~rc2-8+lenny1_all.deb
 d69dd0d147a98ec23bb26e6cbf976bde 4984596 graphics optional mplayer_1.0~rc2-8+lenny1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH/MMcHYflSXNkfP8RAnATAJ93BCKELfvvQVbOb8zk5wX+AvzWawCfUAiR
1SGJkN0KQS5fcpI5TupdIfs=
=PsKC
-----END PGP SIGNATURE-----

Message #35 received at 473056-close@bugs.debian.org (full text, mbox, reply):

From: A Mennucc1 <mennucc1@debian.org>

To: 473056-close@bugs.debian.org

Subject: Bug#473056: fixed in mplayer 1.0~rc1-12etch4

Date: Sat, 31 May 2008 19:52:20 +0000

Source: mplayer
Source-Version: 1.0~rc1-12etch4

We believe that the bug you reported is fixed in the latest version of
mplayer, which is due to be installed in the Debian FTP archive:

mplayer-doc_1.0~rc1-12etch4_all.deb
  to pool/main/m/mplayer/mplayer-doc_1.0~rc1-12etch4_all.deb
mplayer_1.0~rc1-12etch4.diff.gz
  to pool/main/m/mplayer/mplayer_1.0~rc1-12etch4.diff.gz
mplayer_1.0~rc1-12etch4.dsc
  to pool/main/m/mplayer/mplayer_1.0~rc1-12etch4.dsc
mplayer_1.0~rc1-12etch4_amd64.deb
  to pool/main/m/mplayer/mplayer_1.0~rc1-12etch4_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 473056@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
A Mennucc1 <mennucc1@debian.org> (supplier of updated mplayer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 29 Mar 2008 07:53:32 +0100
Source: mplayer
Binary: mplayer-doc mplayer
Architecture: source amd64 all
Version: 1.0~rc1-12etch4
Distribution: stable-security
Urgency: low
Maintainer: A Mennucc1 <mennucc1@debian.org>
Changed-By: A Mennucc1 <mennucc1@debian.org>
Description: 
 mplayer    - The Movie Player
 mplayer-doc - documentation for MPlayer
Closes: 473056
Changes: 
 mplayer (1.0~rc1-12etch4) stable-security; urgency=low
 .
   * fix CVE-2008-0073, remote code execution via crafted rtsp stream,
     thanks to Nico Golde and Reimar Döffinger (Closes: #473056).
Files: 
 6ccb62e72b94fa4c797975a36766bb45 1265 graphics optional mplayer_1.0~rc1-12etch4.dsc
 54e2210e0f0eaa596acf6210b050fb50 81742 graphics optional mplayer_1.0~rc1-12etch4.diff.gz
 2a88c44b4fa0e754660948ea7e42b8e4 2053074 graphics optional mplayer-doc_1.0~rc1-12etch4_all.deb
 8f8fb89d21cfc0d8eb028451208f6fb9 4372894 graphics optional mplayer_1.0~rc1-12etch4_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH7fdu9B/tjjP8QKQRAn9TAJ9EbUIgCWvHLYnu2K7aSnYCNwnddACgiaIB
I4Kuou4VoJwVClF/uxPe9sI=
=Hpdt
-----END PGP SIGNATURE-----

Message #40 received at 473056-close@bugs.debian.org (full text, mbox, reply):

From: A Mennucc1 <mennucc1@debian.org>

To: 473056-close@bugs.debian.org

Subject: Bug#473056: fixed in mplayer 1.0~rc1-12etch4

Date: Sat, 26 Jul 2008 09:57:42 +0000

Source: mplayer
Source-Version: 1.0~rc1-12etch4

We believe that the bug you reported is fixed in the latest version of
mplayer, which is due to be installed in the Debian FTP archive:

mplayer-doc_1.0~rc1-12etch4_all.deb
  to pool/main/m/mplayer/mplayer-doc_1.0~rc1-12etch4_all.deb
mplayer_1.0~rc1-12etch4.diff.gz
  to pool/main/m/mplayer/mplayer_1.0~rc1-12etch4.diff.gz
mplayer_1.0~rc1-12etch4.dsc
  to pool/main/m/mplayer/mplayer_1.0~rc1-12etch4.dsc
mplayer_1.0~rc1-12etch4_amd64.deb
  to pool/main/m/mplayer/mplayer_1.0~rc1-12etch4_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 473056@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
A Mennucc1 <mennucc1@debian.org> (supplier of updated mplayer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 29 Mar 2008 07:53:32 +0100
Source: mplayer
Binary: mplayer-doc mplayer
Architecture: source amd64 all
Version: 1.0~rc1-12etch4
Distribution: stable-security
Urgency: low
Maintainer: A Mennucc1 <mennucc1@debian.org>
Changed-By: A Mennucc1 <mennucc1@debian.org>
Description: 
 mplayer    - The Movie Player
 mplayer-doc - documentation for MPlayer
Closes: 473056
Changes: 
 mplayer (1.0~rc1-12etch4) stable-security; urgency=low
 .
   * fix CVE-2008-0073, remote code execution via crafted rtsp stream,
     thanks to Nico Golde and Reimar Döffinger (Closes: #473056).
Files: 
 6ccb62e72b94fa4c797975a36766bb45 1265 graphics optional mplayer_1.0~rc1-12etch4.dsc
 54e2210e0f0eaa596acf6210b050fb50 81742 graphics optional mplayer_1.0~rc1-12etch4.diff.gz
 2a88c44b4fa0e754660948ea7e42b8e4 2053074 graphics optional mplayer-doc_1.0~rc1-12etch4_all.deb
 8f8fb89d21cfc0d8eb028451208f6fb9 4372894 graphics optional mplayer_1.0~rc1-12etch4_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH7fdu9B/tjjP8QKQRAn9TAJ9EbUIgCWvHLYnu2K7aSnYCNwnddACgiaIB
I4Kuou4VoJwVClF/uxPe9sI=
=Hpdt
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.