Critical hole in media players MPlayer and Xine
Linux distributor Mandriva has released an updated version of the MPlayer media player to close a critical hole in Mandriva 2007 and Mandriva Corporate 3.0. Specially prepared video files could allow code to be injected onto a PC and executed. Victims first have to load a malicious file onto their computers and play it, but given the current popularity of web sites such as YouTube, ClickFish, and the like, attackers should have no trouble getting users to do this. Something similar happened in December 2006, when phishers obtained passwords by means of specially prepared QuickTime videos.
The problem in MPlayer is a flaw in the DMO_VideoDecoder function in the loader/dmo/DMO_VideoDecoder.c module, which does not check the validity of a variable that is later used for a memcpy operation. As a result, a buffer overflow may occur, allowing the stack to be overwritten.
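The pattern the article describes, a length taken from the media file and used for a memcpy into a fixed-size stack buffer without validation, is shown below as an added example. This is illustrative code written for this page, not MPlayer's DMO_VideoDecoder code; the frame header layout, the buffer size and the sample files are all constructed here. The vulnerable shape is kept in a comment, and the function that actually runs checks the untrusted length against both the destination capacity and the bytes really present in the file before copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size stack buffer standing in for a decoder's per-frame scratch area.
 * The size is a constructed value for this example, not MPlayer's. */
#define FRAME_BUF_SIZE 64

/* Constructed header: a 4-byte little-endian payload length written by the
 * (untrusted) media file, followed by the payload bytes. Hypothetical format. */
#define HEADER_SIZE 4

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The shape of the bug described in the article (do not use):
 *
 *     uint8_t frame[FRAME_BUF_SIZE];
 *     uint32_t len = read_le32(file);      // attacker controls len
 *     memcpy(frame, file + HEADER_SIZE, len); // len never compared to sizeof frame
 *
 * A file claiming a length larger than FRAME_BUF_SIZE writes past the end of
 * the stack buffer, which is exactly the stack overwrite the advisory warns of. */

/* Hardened copy: validates the header-supplied length before memcpy runs.
 * Returns the number of bytes copied, or -1 if the frame is rejected. */
int copy_frame_checked(uint32_t payload_len,
                       const uint8_t *payload, size_t payload_avail,
                       uint8_t *out, size_t out_size)
{
    if (payload == NULL || out == NULL)
        return -1;
    if (payload_len > out_size)       /* would overflow the destination buffer */
        return -1;
    if (payload_len > payload_avail)  /* claims more bytes than the file holds */
        return -1;
    memcpy(out, payload, payload_len);
    return (int)payload_len;
}

/* Decodes one frame from a constructed file image into a stack buffer.
 * Returns bytes copied, or -1 when the frame is rejected. */
int decode_frame(const uint8_t *file, size_t file_len)
{
    uint8_t frame[FRAME_BUF_SIZE];

    if (file == NULL || file_len < HEADER_SIZE)   /* header itself truncated */
        return -1;
    return copy_frame_checked(read_le32(file),
                              file + HEADER_SIZE, file_len - HEADER_SIZE,
                              frame, sizeof frame);
}

/* Constructed sample files (not real media data). */
static const uint8_t SAMPLE_GOOD[] = {
    8, 0, 0, 0,                 /* payload_len = 8, fits and is present */
    1, 2, 3, 4, 5, 6, 7, 8 };
static const uint8_t SAMPLE_OVERSIZED[] = {
    0xFF, 0xFF, 0, 0,           /* payload_len = 65535 > FRAME_BUF_SIZE */
    1, 2, 3, 4 };
static const uint8_t SAMPLE_TRUNCATED[] = {
    16, 0, 0, 0,                /* payload_len = 16, but only 4 bytes follow */
    1, 2, 3, 4 };
static const uint8_t SAMPLE_TOO_SHORT[] = { 1, 2 }; /* no complete header */

int main(void)
{
    printf("good      -> %d\n", decode_frame(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("oversized -> %d\n", decode_frame(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED));
    printf("truncated -> %d\n", decode_frame(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("too short -> %d\n", decode_frame(SAMPLE_TOO_SHORT, sizeof SAMPLE_TOO_SHORT));
    return 0;
}
```

Both checks in copy_frame_checked matter: comparing against the destination size stops the stack overwrite, and comparing against the bytes actually available stops an over-read past the end of the input, which is the other way a lying length field hurts a decoder.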
Versions up to and including MPlayer 1.0rc1 are affected. The flaw has been fixed in MPlayer's CVS repository for the past two weeks, but the fix has not yet made it into the downloadable release. Other Linux distributors will probably be releasing their own patched versions soon.
As Xine and MPlayer share some of the same code, Xine is also affected. Ubuntu has therefore released new packages for the xine library, xine-lib. There is, however, no update for MPlayer, which comes from the Multiverse repository. The Universe and Multiverse repositories do not fully support security updates, which has already caused problems for Ubuntu users...
Windows users will have to wait for an official release, or compile the source from CVS themselves.
- MPlayer DMO buffer overflow, Moritz Jodeit's security advisory
- Updated mplayer packages to address buffer overflow vulnerability, Mandriva's security advisory
- xine-lib vulnerability, Ubuntu's security advisory