[CVE-2008-1558] arbitrary code execution via uncontrolled array index

Bug #212601 reported by William Grant on 2008-04-06
256
Affects Status Importance Assigned to Milestone
mplayer (Debian)
Fix Released
Unknown
mplayer (Ubuntu)
Undecided
William Grant
Dapper
Undecided
Stefan Lesicnik
Edgy
Undecided
Unassigned
Feisty
Undecided
Unassigned
Gutsy
Undecided
Unassigned
Hardy
Undecided
William Grant

Bug Description

Binary package hint: mplayer

Uncontrolled array index in the sdpplin_parse function in stream/realrtsp/sdpplin.c in MPlayer 1.0 rc2 allows remote attackers to overwrite memory and execute arbitrary code via a large streamid SDP parameter. NOTE: this issue has been referred to as an integer overflow.

William Grant (wgrant) on 2008-04-06
Changed in mplayer:
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
status: New → Confirmed
assignee: nobody → fujitsu
status: New → In Progress
William Grant (wgrant) wrote :

The code is the same all the way to Dapper.

William Grant (wgrant) wrote :
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mplayer - 2:1.0~rc2-0ubuntu13

---------------
mplayer (2:1.0~rc2-0ubuntu13) hardy; urgency=low

  * SECURITY UPDATE: arbitrary code execution via crafted RTSP stream.
    (LP: #212601)
    - stream/realrtsp/sdpplin.c: Properly check the stream ID. Patch from
      upstream.
    - References:
      + CVE-2008-1558

 -- William Grant <email address hidden> Sun, 06 Apr 2008 10:49:10 +1000

Changed in mplayer:
status: In Progress → Fix Released
Changed in mplayer:
status: Unknown → Fix Released
Hew (hew) wrote :

Ubuntu Edgy Eft is no longer supported, so a SRU will not be issued for this release. Marking Edgy as Won't Fix.

Changed in mplayer:
status: Confirmed → Won't Fix
Hew (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in mplayer:
status: Confirmed → Won't Fix
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mplayer - 2:1.0~rc1-0ubuntu13.3

---------------
mplayer (2:1.0~rc1-0ubuntu13.3) gutsy-security; urgency=low

  * SECURITY UPDATE: Multiple integer underflows in MPlayer 1.0_rc2 and
    earlier allow remote attackers to cause a denial of service
    (process termination) and possibly execute arbitrary code via a
    crafted video file that causes the stream_read function to read or
    write arbitrary memory (LP: #279030)
    - libmpdemux/demux_real.c: Address various integer underflows. Patch
      from oCert.org.
    - http://www.ocert.org/advisories/ocert-2008-013.html
    - CVE-2008-3827
  * SECURITY UPDATE: Uncontrolled array index in the sdpplin_parse function in
    stream/realrtsp/sdpplin.c in MPlayer 1.0 rc2 allows remote attackers to
    overwrite memory and execute arbitrary code via a large streamid SDP
    parameter. (LP: #212601).
    - Cherrypicked rev 80 from lp:~ubuntu-dev/mplayer/ubuntu (William Grant)
      stream/realrtsp/sdpplin.c: Properly check the stream ID. Patch from
      upstream.
    - CVE-2008-1558

 -- Stefan Lesicnik <email address hidden> Fri, 10 Oct 2008 20:55:42 +0200

Changed in mplayer:
status: Confirmed → Fix Released
Kees Cook (kees) on 2009-01-12
Changed in mplayer:
assignee: nobody → stefanlsd
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Patches

Remote bug watches

Bug watches keep track of this bug in other bug trackers.