In association with heise online

07 June 2007, 11:00

Update eliminates two buffer overflows in MPlayer

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Security service organisation Secunia has reported two vulnerabilities in the media player MPlayer with which a client PC could possibly be compromised. This is made possible by faults in the processing of CDDB data. If a user contacts a malicious CDDB server, any crafted CDDB entries with overlong album or category titles can prompt buffer overflows in the module stream/stream_cddb.c , via which arbitrary code can be injected into the computer and executed in the client context.

The vulnerabilities were found in MPlayer 1.0rc1. It is very probable that previous versions are also affected. A patch eliminates the problem. In addition, Version 1.0rc1try3, in which the vulnerabilities have also been eliminated, is available in the subversion respository. Users are expected to compile the new version themselves, as binaries are not yet available. Alternatively the developers recommend to discontinue using CDDB, redirect statically in the hosts file to the loopback IP address, or to compile MPlayer without CDDB support using the option --disable-cddb .

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit