[Debian] Schwachstelle in MPlayer - DSA-2044-1

WiN Site Security Contacts win-sec-ssc at lists.dfn-cert.de
Mi Mai 12 09:16:51 CEST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Liebe Kolleginnen und Kollegen,

soeben erreichte uns nachfolgende Warnung des Debian-Teams. Wir geben
diese Informationen unveraendert an Sie weiter.

Schwachstelle in der RDT Implementierung von VLC und MPlayer

  Die Implementierung des Real Data Transport (RDT) Protokolls in VLC
  und MPlayer enthaelt einen Fehler, durch den ein Integer Underflow
  ausgeloest werden kann. Ein entfernter Angreifer kann diese
  Schwachstelle dazu ausnutzen, beliebigen Code mit den Rechten des
  Benutzers auszufuehren, wenn er ihn dazu bringt, einen entsprechend
  aufgebauten RDT Stream abzuspielen.

Betroffen sind die folgenden Software Pakete und Plattformen:

  Paket mplayer in der stable Distribution (lenny) vor Version
  1.0~rc2-17+lenny3.2 

  Stable Distribution (lenny)

Vom Hersteller werden ueberarbeitete Pakete zur Verfuegung gestellt.

Hersteller Advisory:
  http://www.debian.org/security/2010/dsa-2044


(c) der deutschen Zusammenfassung bei DFN-CERT Services GmbH; die
Verbreitung, auch auszugsweise, ist nur unter Hinweis auf den Urheber,
DFN-CERT Services GmbH, und nur zu nicht kommerziellen Zwecken
gestattet.

Mit freundlichen Gruessen,
		Klaus Moeller, DFN-CERT

- -- 
Dipl. Inform. Klaus Moeller (Project Development Team)
Phone: +49 40 808077-555, Fax: +49 40 808077-556

DFN-CERT Services GmbH, https://www.dfn-cert.de/, Phone  +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805,  Ust-IdNr.:  DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ------------------------------------------------------------------------
Debian Security Advisory DSA-2044-1                  security at debian.org
http://www.debian.org/security/                           Devin Carraway
May 11, 2010                          http://www.debian.org/security/faq
- - ------------------------------------------------------------------------

Package        : mplayer
Vulnerability  : integer overflow
Problem type   : local (remote)
Debian-specific: no

tixxDZ (DZCORE labs) discovered a vulnerability in the mplayer movie
player.  Missing data validation in mplayer's real data transport (RDT)
implementation enable an integer underflow and consequently an unbounded
buffer operation.  A maliciously crafted stream could thus enable an
attacker to execute arbitrary code.

No Common Vulnerabilities and Exposures project identifier is available for
this issue.

For the stable distribution (lenny), this problem has been fixed in version
1.0~rc2-17+lenny3.2.

We recommend that you upgrade your mplayer packages.

Upgrade instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- - --------------------------------

Debian (stable)
- - ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc2-17+lenny3.2.dsc
    Size/MD5 checksum:     2108 9ca97232aaa217afe30aef9800fdde5b
  http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc2-17+lenny3.2.diff.gz
    Size/MD5 checksum:   360178 0cc960471e6ec0348456c014c774d941
  http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc2.orig.tar.gz
    Size/MD5 checksum: 11727998 f1da15bc4accee0a5551928e31d7b779

Architecture independent packages:

  http://security.debian.org/pool/updates/main/m/mplayer/mplayer-doc_1.0~rc2-17+lenny3.2_all.deb
    Size/MD5 checksum:  2462986 7cc9feae37dfc8b1be944894a9891689

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc2-17+lenny3.2_alpha.deb
    Size/MD5 checksum:  3236612 5481602134b6af1771014eb7421de776
  http://security.debian.org/pool/updates/main/m/mplayer/mplayer-dbg_1.0~rc2-17+lenny3.2_alpha.deb
    Size/MD5 checksum:  2233470 f033d746bfcd34cd209881b0331ef76f

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc2-17+lenny3.2_amd64.deb
    Size/MD5 checksum:  3034790 7a9f3b0f603f127a59d9b0f1809b824f
  http://security.debian.org/pool/updates/main/m/mplayer/mplayer-dbg_1.0~rc2-17+lenny3.2_amd64.deb
    Size/MD5 checksum:  2281646 44731cb89ba3b80811d38cebc1172a5c

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc2-17+lenny3.2_arm.deb
    Size/MD5 checksum:  2705438 76a8e88ec753cebda6fb72b6906b5a14
  http://security.debian.org/pool/updates/main/m/mplayer/mplayer-dbg_1.0~rc2-17+lenny3.2_arm.deb
    Size/MD5 checksum:  1977840 e6911242b55c4b5e906f433509491f99

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/m/mplayer/mplayer-dbg_1.0~rc2-17+lenny3.2_hppa.deb
    Size/MD5 checksum:  2052866 ca07a7fa2a1d81132457b3a2ae2f8223
  http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc2-17+lenny3.2_hppa.deb
    Size/MD5 checksum:  2896686 a47fda1190c2460980aef76ea297f0bd

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/m/mplayer/mplayer-dbg_1.0~rc2-17+lenny3.2_i386.deb
    Size/MD5 checksum:  2370060 38e7272ca5582496be4a2f60f627f4b0
  http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc2-17+lenny3.2_i386.deb
    Size/MD5 checksum:  3032114 fa1a9d2c47430dadc81bd41ab6620cd2

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/m/mplayer/mplayer-dbg_1.0~rc2-17+lenny3.2_ia64.deb
    Size/MD5 checksum:  2056822 333d96f89bdf9d180c411501d952299e
  http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc2-17+lenny3.2_ia64.deb
    Size/MD5 checksum:  3580016 ea7ae7ac0e7837cec6b1bc4be405eef0

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc2-17+lenny3.2_mips.deb
    Size/MD5 checksum:  2847092 9b8f943f84c5c60eea7d20ad0ebf0826
  http://security.debian.org/pool/updates/main/m/mplayer/mplayer-dbg_1.0~rc2-17+lenny3.2_mips.deb
    Size/MD5 checksum:  2120824 00788d698af99aad978503ea23bdd8b3

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/m/mplayer/mplayer-dbg_1.0~rc2-17+lenny3.2_mipsel.deb
    Size/MD5 checksum:  2064680 ff215968a214023be4dbb3875554c72b
  http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc2-17+lenny3.2_mipsel.deb
    Size/MD5 checksum:  2840214 003e55d7e3c6b127a41b16ab99f09c43

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/m/mplayer/mplayer-dbg_1.0~rc2-17+lenny3.2_powerpc.deb
    Size/MD5 checksum:  1991722 a94b911fecf6f37d14d5de2d1fe9a0ed
  http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc2-17+lenny3.2_powerpc.deb
    Size/MD5 checksum:  2867096 b6e68c0ff32e3974b0c84726ce57e215

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/m/mplayer/mplayer-dbg_1.0~rc2-17+lenny3.2_s390.deb
    Size/MD5 checksum:  2128050 b4075e1fb1350e32061cf5635b9b9556
  http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc2-17+lenny3.2_s390.deb
    Size/MD5 checksum:  2779844 b14c2c35e7287400b7c92f83b957061d

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/m/mplayer/mplayer-dbg_1.0~rc2-17+lenny3.2_sparc.deb
    Size/MD5 checksum:  1898760 cbb824eafc9af867275f4abffbc89cd7
  http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc2-17+lenny3.2_sparc.deb
    Size/MD5 checksum:  2688394 52c4508095e92e4e30b8a3d5da56b1fe


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce at lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFL6Q+hU5XKDemr/NIRAp5dAJ9PauQ0/WeBgXNJpVtPf2sxGBBQ2ACginkV
SAjGKRJUglkpaGDBOS3EyhM=
=KkLv
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFL6lXjWmhIvjFb90URAnuhAJ4kjnmhlD/pmkHr87Uc7EKeiQu6KgCgiv0M
AvU7aC2ep8iJHEYFX2HEa4w=
=71zm
-----END PGP SIGNATURE-----