[NEWS] MPlayer "ASF" File Handling Multiple Integer Overflows

From: SecuriTeam <support@xxxxxxxxxxxxxx>
Date: 26 Feb 2006 13:42:42 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

MPlayer "ASF" File Handling Multiple Integer Overflows
------------------------------------------------------------------------

SUMMARY

" <http://www.mplayerhq.hu/> MPlayer is a movie player which runs on many
systems"

Improper handling of ASF files allows attackers to DoS MPlayer.

DETAILS

Vulnerable Systems:
* MPlayer version 1.0pre7
* MPlayer version 1.0pre7try2

Immune Systems:
* MPlayer version 1.89
* MPlayer version 1.90

Multiple Integer overflow exists with the way that MPlayer works with ASF.
The problem exists in libmpdemux/demuxer.h header file with the function
new_demux_packet().
And with the C file of libmpdemux/demux_asf.c the function
demux_asf_read_packet().
The problem happen when allocating memory to copy data from an .asf file.

An attacker can exploit this vulnerability to DoS MPlayer by using a
crafted .ASF file with a large value in the packet length field.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0579>
CVE-2006-0579

ADDITIONAL INFORMATION

The information has been provided by <mailto:jaervosz@xxxxxxxxxx> Sune
Kloppenborg Jeppesen.
The original article can be found at:
<http://bugs.gentoo.org/show_bug.cgi?id=122029>
http://bugs.gentoo.org/show_bug.cgi?id=122029

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Prev by Date: [NT] NJStar Word Processor Font Names Buffer Overflow
Next by Date: [EXPL] ArGoSoft FTP Server Remote Buffer Overflow Exploit
Previous by thread: [NT] NJStar Word Processor Font Names Buffer Overflow
Next by thread: [EXPL] ArGoSoft FTP Server Remote Buffer Overflow Exploit
Index(es):
- Date
- Thread

Relevant Pages

[UNIX] Remote Buffer Overflow Vulnerabilities in Real RTSP Streaming
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... joint advisory by the MPlayer and xine teams as the code in question is ... RTSP input plugin, ...
(Securiteam)
[NEWS] MPlayer Buffer Overflow (asf_streaming)
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... and trick MPlayer into executing arbitrary code upon parsing ... fully controllable EIP buffer overflow. ...
(Securiteam)
[UNIX] MPlayer Encoded URL Heap Overflow
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A remotely exploitable buffer overflow vulnerability was found in ... and trick MPlayer into executing arbitrary code ... Whilst requesting a file from a web server, MPlayer allocates a buffer to ...
(Securiteam)
problem with mplayer and asf file
... I usually use mplayer for playing my video files. ... MPlayer 1.0pre3-3.3.1 2000-2003 MPlayer Team ... Reading config file /home/solog/.mplayer/gui.conf ... ASF file format detected. ...
(alt.os.linux)