[CVE-2008-3827] Multiple integer underflows in MPlayer 1.0_rc2 and earlier allow remote attackers to cause a denial of service

Bug #279030 reported by Stefan Lesicnik on 2008-10-06
Affects            Status   Importance   Assigned to        Milestone
mplayer (Ubuntu)            Medium       Stefan Lesicnik
Dapper                      Medium       Stefan Lesicnik
Gutsy                       Medium       Stefan Lesicnik
Hardy                       Medium       Stefan Lesicnik
Intrepid                    Medium       Stefan Lesicnik

Bug Description

Binary package hint: mplayer

Multiple integer underflows in MPlayer 1.0_rc2 and earlier allow remote attackers to cause a denial of service (process termination) and possibly execute arbitrary code via a crafted video file that causes the stream_read function to read or write arbitrary memory.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3827

Changed in mplayer:
assignee: nobody → stefanlsd
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mplayer - 2:1.0~rc2-0ubuntu17

---------------
mplayer (2:1.0~rc2-0ubuntu17) intrepid; urgency=low

  * SECURITY UPDATE: Multiple integer underflows in MPlayer 1.0_rc2 and
    earlier allow remote attackers to cause a denial of service
    (process termination) and possibly execute arbitrary code via a
    crafted video file that causes the stream_read function to read or
    write arbitrary memory. (LP: #279030)
    - libmpdemux/demux_real.c - patch from oCert.
    - References:
      + CVE-2008-3827
      + http://www.ocert.org/advisories/ocert-2008-013.html

 -- Stefan Lesicnik <email address hidden> Wed, 08 Oct 2008 07:51:18 +0200

Changed in mplayer:
status: In Progress → Fix Released
Stefan Lesicnik (stefanlsd) wrote :

This bug was tested against the publicly available POC in Intrepid / Hardy / Gutsy. In all cases mplayer crashed.

mplayer realmplayerPOC.rm
MPlayer 1.0rc2-4.3.2 (C) 2000-2007 MPlayer Team
CPU: Intel(R) Core(TM)2 Duo CPU T7500 @ 2.20GHz (Family: 6, Model: 15, Stepping: 11)
CPUflags: MMX: 1 MMX2: 1 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled with runtime CPU detection.
mplayer: could not connect to socket
mplayer: No such file or directory
Failed to open LIRC support. You will not be able to use your remote control.

Playing realmplayerPOC.rm.
REAL file format detected.
Stream description: Exploit!
Stream mimetype: video/x-pn-realvideo
[real] Video stream found, -vid 1
Stream description: Exploit!
Stream mimetype: audio/X-MP3-draft-00
[real] Audio stream found, -aid 0
VIDEO: [RV20] 1x1 24bpp 30.000 fps 0.0 kbps ( 0.0 kbyte/s)
xscreensaver_disable: Could not find XScreenSaver window.
GNOME screensaver disabled
==========================================================================
Opening video decoder: [ffmpeg] FFmpeg's libavcodec codec family
[rv20 @ 0x896b2d0]unknown header 10
Selected video codec: [ffrv20] vfm: ffmpeg (FFmpeg RV20 decoder)
==========================================================================
==========================================================================
Forced audio codec: mad
Opening audio decoder: [ffmpeg] FFmpeg/libavcodec audio decoders
AUDIO: 24000 Hz, 2 ch, s16le, 48.0 kbit/6.25% (ratio: 6000->96000)
Selected audio codec: [ffmp3adu] afm: ffmpeg (FFmpeg MPEG layer-3 adu audio decoder)
==========================================================================
AO: [pulse] 24000Hz 2ch s16le (2 bytes per sample)
Starting playback...
[rv20 @ 0x896b2d0]error, qscale:0
[rv20 @ 0x896b2d0]HEADER ERROR
[rv20 @ 0x896b2d0]error, qscale:0 0.000 1/ 1 ??% ??% ??,?% 0 0
[rv20 @ 0x896b2d0]HEADER ERROR
[rv20 @ 0x896b2d0]error, qscale:0 -0.003 2/ 2 ??% ??% ??,?% 0 0
[rv20 @ 0x896b2d0]HEADER ERROR
A: -0.2 V: 0.0 A-V: -0.222 ct: -0.010 3/ 3 ??% ??% ??,?% 0 0

Exiting... (End of file)
*** glibc detected *** mplayer: free(): invalid next size (normal): 0x0a132438 ***
======= Backtrace: =========
<snip stacktrace>

After applying the fix, mplayer no longer crashes.
Note to other testers: When testing from within a chroot environment, there is no graphical display and you should execute mplayer with the mplayer -vo null option.

Stefan Lesicnik (stefanlsd) wrote :

Tested Gutsy mplayer-rc1 in Gutsy VM. mplayer worked as expected and no regression or problems were found.

Stefan Lesicnik (stefanlsd) wrote :

Dapper debdiff attached. Incorporated CVE-2008-1558 and CVE-2008-3827. Dapper is actually missing the realplayer codecs to test exploit against, but codebase is the same.

Changed in mplayer:
status: New → In Progress
Jamie Strandboge (jdstrand) wrote :

Thanks Stefan! The dapper debdiff contains a lot of changes to autoconf files. Can you clean up the debdiff, test and resubmit and mark the bug back to In Progress? Are you planning to supply debdiffs for gutsy and hardy too?

Changed in mplayer:
status: In Progress → Incomplete
Stefan Lesicnik (stefanlsd) wrote :

Hi. I have uploaded the gutsy changes to bzr and I need to get the hardy mplayer bzr back up to upload my changes in there.

Stefan Lesicnik (stefanlsd) wrote :

Gutsy Debdiff Attached

Stefan Lesicnik (stefanlsd) wrote :

Cleaned debdiff for Dapper attached. I test built without the config.sub and config.guess changes and build was successful.

Changed in mplayer:
assignee: nobody → stefanlsd
status: Incomplete → In Progress
assignee: nobody → stefanlsd
status: New → In Progress
Stefan Lesicnik (stefanlsd) wrote :

Hardy debdiff attached. Same codebase as Intrepid.

Changed in mplayer:
assignee: nobody → stefanlsd
status: New → In Progress
Kees Cook (kees) wrote :

Thanks for the patches and testing, I've uploaded these for building in the security queue, they should be published shortly.

Kees Cook (kees) on 2009-01-08
Changed in mplayer:
status: In Progress → Fix Committed
importance: Undecided → Medium
status: In Progress → Fix Committed
importance: Undecided → Medium
status: In Progress → Fix Committed
importance: Undecided → Medium
importance: Undecided → Medium
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mplayer - 2:1.0~rc1-0ubuntu13.3

---------------
mplayer (2:1.0~rc1-0ubuntu13.3) gutsy-security; urgency=low

  * SECURITY UPDATE: Multiple integer underflows in MPlayer 1.0_rc2 and
    earlier allow remote attackers to cause a denial of service
    (process termination) and possibly execute arbitrary code via a
    crafted video file that causes the stream_read function to read or
    write arbitrary memory (LP: #279030)
    - libmpdemux/demux_real.c: Address various integer underflows. Patch
      from oCert.org.
    - http://www.ocert.org/advisories/ocert-2008-013.html
    - CVE-2008-3827
  * SECURITY UPDATE: Uncontrolled array index in the sdpplin_parse function in
    stream/realrtsp/sdpplin.c in MPlayer 1.0 rc2 allows remote attackers to
    overwrite memory and execute arbitrary code via a large streamid SDP
    parameter. (LP: #212601).
    - Cherrypicked rev 80 from lp:~ubuntu-dev/mplayer/ubuntu (William Grant)
      stream/realrtsp/sdpplin.c: Properly check the stream ID. Patch from
      upstream.
    - CVE-2008-1558

 -- Stefan Lesicnik <email address hidden> Fri, 10 Oct 2008 20:55:42 +0200

Changed in mplayer:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mplayer - 2:1.0~rc2-0ubuntu13.1

---------------
mplayer (2:1.0~rc2-0ubuntu13.1) hardy-security; urgency=low

  * SECURITY UPDATE: Multiple integer underflows in MPlayer 1.0_rc2 and
    earlier allow remote attackers to cause a denial of service
    (process termination) and possibly execute arbitrary code via a
    crafted video file that causes the stream_read function to read or
    write arbitrary memory. (LP: #279030)
    - libmpdemux/demux_real.c - patch from oCert.
    - References:
      + CVE-2008-3827
      + http://www.ocert.org/advisories/ocert-2008-013.html

 -- Stefan Lesicnik <email address hidden> Wed, 08 Oct 2008 07:51:18 +0200

Changed in mplayer:
status: Fix Committed → Fix Released
Kees Cook (kees) on 2009-01-10
Changed in mplayer:
status: Fix Committed → Fix Released