
[Mandriva] Multiple vulnerabilities in the mplayer media player up to and including version 1.0rc2 - MDVSA-2008:219



-----BEGIN PGP SIGNED MESSAGE-----

Dear colleagues,

we have just received the following advisory from Mandriva Security. We
are passing this information on to you unchanged.

CVE-2008-0073 - Buffer overflow in the xine-lib function sdpplin_parse()

  When the xine-lib library processes RTSP streams, an oversized
  "streamid" SDP parameter can trigger a buffer overflow in the function
  sdpplin_parse(). Attackers can exploit this vulnerability over the
  network to execute arbitrary code with the privileges of the user
  running the application that uses the library.

CVE-2008-3827 - Integer overflow in the mplayer media player

  Mplayer contains a vulnerability in the reading of video streams. If
  mplayer reads a manipulated video stream, values may be written or
  read outside the stream buffer. This can crash mplayer or allow an
  attacker to execute arbitrary commands with the privileges of the
  user.
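Both bug classes described in this mail, an oversized SDP parameter copied into a fixed-size field (CVE-2008-0073) and size arithmetic on demuxer header values that wraps around (CVE-2008-3827), come down to missing bounds checks. The following C program is an added example and is not DFN-CERT's, Mandriva's, MPlayer's or xine-lib's code: it shows the two defensive idioms in a hypothetical stream-header parser. The names parse_streamid, checked_frame_size, frame_size_or_zero and alloc_frame, the STREAMID_MAX and FRAME_CAP limits, and the sample lines are all assumptions constructed for this example.

```c
/*
 * Added example, not code from the advisory or from MPlayer/xine-lib.
 * Two defensive idioms for the bug classes named in the advisory,
 * written as a hypothetical stream-header parser.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STREAMID_MAX 16          /* assumed fixed field width for the id */
#define FRAME_CAP    (64u << 20) /* assumed sanity cap: 64 MiB per frame */

/*
 * Bounded copy of the value after "StreamId:" into a fixed-size field.
 * Returns 0 on success, -1 if the line is malformed or the value does
 * not fit. An unbounded strcpy() here is the pattern that lets an
 * oversized parameter write past the end of the field.
 */
int parse_streamid(const char *line, char *out, size_t out_sz)
{
    static const char key[] = "StreamId:";
    const size_t klen = sizeof key - 1;
    const char *val;
    size_t vlen;

    if (line == NULL || out == NULL || out_sz == 0)
        return -1;
    if (strncmp(line, key, klen) != 0)
        return -1;
    val = line + klen;
    vlen = strcspn(val, "\r\n");      /* the value ends at end of line */
    if (vlen == 0 || vlen >= out_sz)  /* leave room for the terminator */
        return -1;
    memcpy(out, val, vlen);
    out[vlen] = '\0';
    return 0;
}

/*
 * Frame-buffer size from attacker-controlled header fields, computed
 * without wrapping. Returns 0 and stores the size, or -1 on overflow,
 * on a zero dimension, or when the result exceeds FRAME_CAP.
 */
int checked_frame_size(uint32_t width, uint32_t height, uint32_t bpp,
                       size_t *out)
{
    uint64_t size;

    if (out == NULL || width == 0 || height == 0 || bpp == 0)
        return -1;
    size = (uint64_t)width * height;  /* 32 x 32 bits always fits in 64 */
    if (size > UINT64_MAX / bpp)      /* the next multiply would wrap */
        return -1;
    size *= bpp;
    if (size > FRAME_CAP)             /* implausibly large for one frame */
        return -1;
    *out = (size_t)size;
    return 0;
}

/* Convenience wrapper: the checked size, or 0 when the check fails. */
size_t frame_size_or_zero(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n;
    return checked_frame_size(width, height, bpp, &n) == 0 ? n : 0;
}

/* Allocate a frame only when the size passed the checks; NULL otherwise. */
unsigned char *alloc_frame(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n = frame_size_or_zero(width, height, bpp);
    return n == 0 ? NULL : calloc(n, 1);
}

int main(void)
{
    char id[STREAMID_MAX];
    /* Constructed sample lines, not taken from a real stream. */
    const char *ok  = "StreamId:integer;1\r\n";
    const char *bad = "StreamId:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n";

    printf("ok line     -> %d (%s)\n", parse_streamid(ok, id, sizeof id), id);
    printf("bad line    -> %d\n", parse_streamid(bad, id, sizeof id));
    printf("1920x1080x4 -> %zu bytes\n", frame_size_or_zero(1920, 1080, 4));
    printf("wrapping    -> %zu bytes\n",
           frame_size_or_zero(0xFFFFFFFFu, 0xFFFFFFFFu, 4));
    return 0;
}
```

The checks are deliberately placed before any memory is touched: the id is rejected before the copy, and the frame size is rejected before calloc(). The FRAME_CAP guard matters even when the multiplication does not wrap, because a huge but correctly computed allocation is still a denial-of-service path.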

The following software packages and platforms are affected:

  Package mplayer

  Mandriva Linux 2008.0
  Mandriva Linux 2008.0/X86_64
  Mandriva Linux 2008.1
  Mandriva Linux 2008.1/X86_64
  Mandriva Linux 2009.0
  Mandriva Linux 2009.0/X86_64
  Corporate 3.0
  Corporate 3.0/X86_64

The vendor provides updated packages.

Vendor advisory:
  http://www.mandriva.com/security/advisories?name=MDVSA-2008:219


(c) of the German summary by DFN-CERT Services GmbH; distribution,
including in excerpts, is permitted only with reference to the author,
DFN-CERT Services GmbH, and only for non-commercial purposes.

Kind regards,
   Michael Groening, DFN-CERT
- -- 

Michael Groening (Incident Response Team), +49 40 808077-555

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805,  VAT ID:  DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany,  CEO: Dr. Klaus-Peter Kossakowski

Automated alerts                          https://www.cert.dfn.de/autowarn


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2008:219
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : mplayer
 Date    : October 29, 2008
 Affected: 2008.0, 2008.1, 2009.0, Corporate 3.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability that was discovered in xine-lib that allowed remote
 RTSP servers to execute arbitrary code via a large streamid SDP
 parameter also affects MPlayer (CVE-2008-0073).
 
 Several integer overflows were discovered by Felipe Andres Manzano
 in MPlayer's Real video stream demuxing code.  These vulnerabilities
 could allow an attacker to cause a crash or possibly execute arbitrary
 code by supplying a maliciously crafted video file (CVE-2008-3827).
 
 The updated packages have been patched to fix these issues.
 Note that CVE-2008-3827 was already corrected in the Mandriva Linux
 2009 packages.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0073
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3827
 http://www.ocert.org/advisories/ocert-2008-013.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 51dc665f4e6c46a8e7d3af31e3f46ef1  2008.0/i586/libdha1.0-1.0-1.rc1.20.5mdv2008.0.i586.rpm
 1280ed0edc0d95cc9c7bcbea8638567c  2008.0/i586/mencoder-1.0-1.rc1.20.5mdv2008.0.i586.rpm
 b0b57f31b91c6d71262299caa2d2e4d4  2008.0/i586/mplayer-1.0-1.rc1.20.5mdv2008.0.i586.rpm
 0fec9a77e3a126e7ee688364b3fa946a  2008.0/i586/mplayer-doc-1.0-1.rc1.20.5mdv2008.0.i586.rpm
 aabb1872c10f85a3601fbd10a59b61ad  2008.0/i586/mplayer-gui-1.0-1.rc1.20.5mdv2008.0.i586.rpm 
 9db331c8ef0344fa6d8619b3aea8885a  2008.0/SRPMS/mplayer-1.0-1.rc1.20.5mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 4bfbbbcfbb168aabb9c9c0f2d235544f  2008.0/x86_64/mencoder-1.0-1.rc1.20.5mdv2008.0.x86_64.rpm
 53d2c556b15602598c8ac1030400339c  2008.0/x86_64/mplayer-1.0-1.rc1.20.5mdv2008.0.x86_64.rpm
 1b4005cff9e527b203bf14b1dab992f4  2008.0/x86_64/mplayer-doc-1.0-1.rc1.20.5mdv2008.0.x86_64.rpm
 1cafef5feb13f271739ea75b6bf4c809  2008.0/x86_64/mplayer-gui-1.0-1.rc1.20.5mdv2008.0.x86_64.rpm 
 9db331c8ef0344fa6d8619b3aea8885a  2008.0/SRPMS/mplayer-1.0-1.rc1.20.5mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 69b752937c0b6d6f0d6a2f8d9d97038f  2008.1/i586/mencoder-1.0-1.rc2.10.4mdv2008.1.i586.rpm
 3e665f6eb39e9edfce4997d5307fe2e8  2008.1/i586/mplayer-1.0-1.rc2.10.4mdv2008.1.i586.rpm
 95194876362039bd4e97208e24f79f6b  2008.1/i586/mplayer-doc-1.0-1.rc2.10.4mdv2008.1.i586.rpm
 8f71502b3943e4549cdf544650113f43  2008.1/i586/mplayer-gui-1.0-1.rc2.10.4mdv2008.1.i586.rpm 
 a154696596b1cda1988ecc95a1c4ba87  2008.1/SRPMS/mplayer-1.0-1.rc2.10.4mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 e359c3798640174bc3e81f6e8c266930  2008.1/x86_64/mencoder-1.0-1.rc2.10.4mdv2008.1.x86_64.rpm
 2c19ff0f70d461470c098e2bdf27aa31  2008.1/x86_64/mplayer-1.0-1.rc2.10.4mdv2008.1.x86_64.rpm
 f0a56b1b742ea8f34dfe4fa6eb7ae80f  2008.1/x86_64/mplayer-doc-1.0-1.rc2.10.4mdv2008.1.x86_64.rpm
 a1acd0e41fb4313c420b7cff3760a5b2  2008.1/x86_64/mplayer-gui-1.0-1.rc2.10.4mdv2008.1.x86_64.rpm 
 a154696596b1cda1988ecc95a1c4ba87  2008.1/SRPMS/mplayer-1.0-1.rc2.10.4mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 6a22452cc4c6ff51ee7405771e84ecf2  2009.0/i586/mencoder-1.0-1.rc2.18.1mdv2009.0.i586.rpm
 88e08e27ff6768a2fd6293f642ad79f4  2009.0/i586/mplayer-1.0-1.rc2.18.1mdv2009.0.i586.rpm
 e7d7d2660992f17113b15b7920aa5513  2009.0/i586/mplayer-doc-1.0-1.rc2.18.1mdv2009.0.i586.rpm
 77c749336b795767e890aa35ee6a2422  2009.0/i586/mplayer-gui-1.0-1.rc2.18.1mdv2009.0.i586.rpm 
 03294c164da39856a04c0962f687b1f6  2009.0/SRPMS/mplayer-1.0-1.rc2.18.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 7810ac4e7341376361e905fa9ee794d0  2009.0/x86_64/mencoder-1.0-1.rc2.18.1mdv2009.0.x86_64.rpm
 605a3d14860548d2b746a97e5b361840  2009.0/x86_64/mplayer-1.0-1.rc2.18.1mdv2009.0.x86_64.rpm
 989c07ab807f905e3503352f4c463d40  2009.0/x86_64/mplayer-doc-1.0-1.rc2.18.1mdv2009.0.x86_64.rpm
 5ef94d6df57d0112265a36e186106aa8  2009.0/x86_64/mplayer-gui-1.0-1.rc2.18.1mdv2009.0.x86_64.rpm 
 03294c164da39856a04c0962f687b1f6  2009.0/SRPMS/mplayer-1.0-1.rc2.18.1mdv2009.0.src.rpm

 Corporate 3.0:
 7aba7c8c6ae90b9340414f7923f22d81  corporate/3.0/i586/libdha0.1-1.0-0.pre3.14.17.C30mdk.i586.rpm
 6a71bfd88f1ca36312586e92bd0ee400  corporate/3.0/i586/libpostproc0-1.0-0.pre3.14.17.C30mdk.i586.rpm
 243e93dc1c3070fb06475d66250a2b3c  corporate/3.0/i586/libpostproc0-devel-1.0-0.pre3.14.17.C30mdk.i586.rpm
 c1c6bb9988b5faab6ee4b4385e595e37  corporate/3.0/i586/mencoder-1.0-0.pre3.14.17.C30mdk.i586.rpm
 3a5cd649c516e06839924ad9e38d8c57  corporate/3.0/i586/mplayer-1.0-0.pre3.14.17.C30mdk.i586.rpm
 c3c12dbbddf11db8c49a6e95f167b4c8  corporate/3.0/i586/mplayer-gui-1.0-0.pre3.14.17.C30mdk.i586.rpm 
 787610bc369fdf37e73722692b59bca0  corporate/3.0/SRPMS/mplayer-1.0-0.pre3.14.17.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 13323f1bfdddcb7df1137cc0bcd3c80f  corporate/3.0/x86_64/lib64postproc0-1.0-0.pre3.14.17.C30mdk.x86_64.rpm
 6239bc27da1d94a1f177017d3bf4b45f  corporate/3.0/x86_64/lib64postproc0-devel-1.0-0.pre3.14.17.C30mdk.x86_64.rpm
 c6675375ce4aa469014a2585a0edf858  corporate/3.0/x86_64/mencoder-1.0-0.pre3.14.17.C30mdk.x86_64.rpm
 f64d577f9a3e039099bb42d27ec5ed13  corporate/3.0/x86_64/mplayer-1.0-0.pre3.14.17.C30mdk.x86_64.rpm
 b2c2434b16586f99b3f763b95c03a7bb  corporate/3.0/x86_64/mplayer-gui-1.0-0.pre3.14.17.C30mdk.x86_64.rpm 
 787610bc369fdf37e73722692b59bca0  corporate/3.0/SRPMS/mplayer-1.0-0.pre3.14.17.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJCMHgmqjQ0CJFipgRAmX+AJwLsKQc1fc+9Y4avLKLzZ2bVxxA9QCg8l5Y
mQkReUt94C36vrQKOaLfuZA=
=YKx7
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iQEVAwUBSQm7ykhXCWfrVVdXAQHhsQf/Y4atZAZ2ejm8hyntCUJw8VGWxq2SA2qD
8RYX94yDuyH5YLweX9uIxBVf9E9gLn9IZq2hZ4QXlFzRjhML3s7NpaeifsNP2LkG
e5K3eTWr6aB+k9QiqVZQIK38pzM2HYqIY4HhpLd9VVSZXhd5JF/29L60xRfY378/
x/vmhDuK5jkYrcudiRA5vKX8TcigzYF1HhRC52L3CYlRL/FEYq9mlad/rkv+GvwF
hOe821FqQ0bTLdQlLSaI5JDUtgX69VnbEJRcLGe7o04M1YB6RrrBfojk2JZw/eIA
GUcddBQb6SrbQNmfysVokvxs85/FptV2qBmmmQEJV0LSwI9iASeWXA==
=hSNj
-----END PGP SIGNATURE-----