Date: Sat, 2 Feb 2008 23:55:43 GMT
From: Thomas Zander <riggs@rrr.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/120230: Fix remote vulnerabilities of multimedia/mplayer and multimedia/mencoder
Message-ID: <200802022355.m12Nth8b082357@www.freebsd.org>
Resent-Message-ID: <200802030000.m13004Kw045603@freefall.freebsd.org>
>Number: 120230
>Category: ports
>Synopsis: Fix remote vulnerabilities of multimedia/mplayer and multimedia/mencoder
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Sun Feb 03 00:00:04 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Thomas Zander
>Release: 6.3-STABLE
>Organization:
>Environment:
>Description:
Since the release of 1.0rc2, so far 4 security bugs have been identified and patches have been made available. Some of them fix remote attack vulnerabilities.
>How-To-Repeat:
>Fix:
The attached patch is a cumulative update to multimedia/mplayer and multimedia/mencoder that
o introduces a new file, files/patch-overflows-20080202, that contains fixes for all currently known holes
o bumps PORTREVISION on both mplayer and mencoder

Patch attached with submission follows:

diff -ruN /usr/ports/multimedia/mplayer/Makefile mplayer/Makefile --- /usr/ports/multimedia/mplayer/Makefile 2008-01-23 18:47:02.000000000 +0800 +++ mplayer/Makefile 2008-02-02 21:06:36.000000000 +0800 @@ -7,7 +7,7 @@ PORTNAME= mplayer PORTVERSION= ${MPLAYER_PORT_VERSION} -PORTREVISION= 1 +PORTREVISION= 2 COMMENT= High performance media player supporting many formats diff -ruN /usr/ports/multimedia/mplayer/files/patch-overflows-20080202 mplayer/files/patch-overflows-20080202 --- /usr/ports/multimedia/mplayer/files/patch-overflows-20080202 1970-01-01 08:00:00.000000000 +0800 +++ mplayer/files/patch-overflows-20080202 2008-02-02 21:04:53.000000000 +0800 
@@ -0,0 +1,98 @@ +--- libmpdemux/demux_audio.c.orig 2007-10-08 03:49:33.000000000 +0800 ++++ libmpdemux/demux_audio.c 2008-02-02 21:01:44.000000000 +0800 +@@ -229,6 +229,8 @@ + ptr += 4; + + comment = ptr; ++ if (&comment[length] < comments || &comment[length] >= &comments[blk_len]) ++ return; + c = comment[length]; + comment[length] = 0; + +--- libmpdemux/demux_mov.c.orig 2007-10-08 03:49:33.000000000 +0800 ++++ libmpdemux/demux_mov.c 2008-02-02 21:01:48.000000000 +0800 +@@ -173,11 +173,12 @@ + i=trak->chunkmap_size; + while(i>0){ + --i; +- for(j=trak->chunkmap[i].first;j<last;j++){ ++ j=FFMAX(trak->chunkmap[i].first, 0); ++ for(;j<last;j++){ + trak->chunks[j].desc=trak->chunkmap[i].sdid; + trak->chunks[j].size=trak->chunkmap[i].spc; + } +- last=trak->chunkmap[i].first; ++ last=FFMIN(trak->chunkmap[i].first, trak->chunks_size); + } + + #if 0 +@@ -235,6 +236,8 @@ + s=0; + for(j=0;j<trak->durmap_size;j++){ + for(i=0;i<trak->durmap[j].num;i++){ ++ if (s >= trak->samples_size) ++ break; + trak->samples[s].pts=pts; + ++s; + pts+=trak->durmap[j].dur; +@@ -246,6 +249,8 @@ + for(j=0;j<trak->chunks_size;j++){ + off_t pos=trak->chunks[j].pos; + for(i=0;i<trak->chunks[j].size;i++){ ++ if (s >= trak->samples_size) ++ break; + trak->samples[s].pos=pos; + mp_msg(MSGT_DEMUX, MSGL_DBG3, "Sample %5d: pts=%8d off=0x%08X size=%d\n",s, + trak->samples[s].pts, +@@ -1568,8 +1573,7 @@ + if( udta_len>udta_size) + udta_len=udta_size; + { +- char dump[udta_len-4]; +- stream_read(demuxer->stream, (char *)&dump, udta_len-4-4); ++ stream_skip(demuxer->stream, udta_len-4-4); + udta_size -= udta_len; + } + } +--- stream/url.c.orig 2007-10-08 03:49:26.000000000 +0800 ++++ stream/url.c 2008-02-02 21:00:22.000000000 +0800 +@@ -328,6 +328,7 @@ + } + } + ++ tmp = NULL; + while(i < len) { + // look for the next char that must be kept + for (j=i;j<len;j++) { +--- stream/stream_cddb.c.orig 2007-10-08 03:49:26.000000000 +0800 ++++ stream/stream_cddb.c 2008-02-02 21:02:51.000000000 +0800 +@@ -53,6 +53,7 
@@ + #include "version.h" + #include "stream.h" + #include "network.h" ++#include "libavutil/intreadwrite.h" + + #define DEFAULT_FREEDB_SERVER "freedb.freedb.org" + #define DEFAULT_CACHE_DIR "/.cddb/" +@@ -453,8 +454,9 @@ + } else { + len = ptr2-ptr+1; + } ++ len = FFMIN(sizeof(album_title) - 1, len); + strncpy(album_title, ptr, len); +- album_title[len-2]='\0'; ++ album_title[len]='\0'; + } + mp_msg(MSGT_DEMUX, MSGL_STATUS, MSGTR_MPDEMUX_CDDB_ParseOKFoundAlbumTitle, album_title); + return 0; +@@ -490,8 +492,9 @@ + } else { + len = ptr2-ptr+1; + } ++ len = FFMIN(sizeof(album_title) - 1, len); + strncpy(album_title, ptr, len); +- album_title[len-2]='\0'; ++ album_title[len]='\0'; + } + mp_msg(MSGT_DEMUX, MSGL_STATUS, MSGTR_MPDEMUX_CDDB_ParseOKFoundAlbumTitle, album_title); + return cddb_request_titles(cddb_data); diff -ruN /usr/ports/multimedia/mencoder/Makefile mencoder/Makefile --- /usr/ports/multimedia/mencoder/Makefile 2007-12-16 13:05:09.000000000 +0800 +++ mencoder/Makefile 2008-02-02 21:06:56.000000000 +0800 @@ -6,6 +6,7 @@ PORTNAME= mencoder PORTVERSION= ${MPLAYER_PORT_VERSION} +PORTREVISION= 1 COMMENT= Convenient video file and movie encoder RESTRICTED= Port has restricted dependencies >Release-Note: >Audit-Trail: >Unformatted:
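Review bot: In the libmpdemux/demux_audio.c hunk (@@ -229), the new check forms `&comment[length]` before `length` has been validated, so an out-of-range `length` is caught only through out-of-bounds pointer arithmetic, which is undefined in C and can wrap past `comments`. Comparing integers is safer: reject a negative `length` or one that is not below the bytes left in the block, `blk_len - (comment - comments)`, before any pointer is derived. The bare `return` also drops the malformed block silently; a warning message would let users tell a rejected file from an untagged one.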
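Review bot: In the first libmpdemux/demux_mov.c hunk (@@ -173), `last` is clamped to `trak->chunks_size` only when it is reassigned at the bottom of the loop body, so on the first pass the `for(;j<last;j++)` writes to `trak->chunks[j]` still run up to whatever `last` was initialised to above the hunk. Please confirm that the initial value is already bounded by `trak->chunks_size`, or apply the same `FFMIN` at initialisation.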
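Review bot: In the two `trak->samples` hunks of libmpdemux/demux_mov.c (@@ -235 and @@ -246), `break` leaves only the inner `for(i...)` loop, so the outer loop keeps iterating over the remaining `durmap` and `chunks` entries and re-tests `s >= trak->samples_size` for each one. That is memory-safe, but the truncation is silent; consider logging once via `mp_msg` and leaving the outer loop as well once the sample table is full.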
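Review bot: In the libmpdemux/demux_mov.c hunk at @@ -1568, `stream_skip(demuxer->stream, udta_len-4-4)` still has no lower bound on `udta_len`: the only visible check caps it at `udta_size`, so a value below 8 yields a negative or wrapped skip length. Dropping the variable-length `dump` array removes the stack write, but a guard that rejects `udta_len < 8` before the skip would close the remaining case.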
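Review bot: The stream/stream_cddb.c hunk at @@ -53 adds `#include "libavutil/intreadwrite.h"`, but the only new macro used in the later hunks is `FFMIN`, which libavutil defines in `common.h`. Including `libavutil/common.h` directly avoids depending on a transitive include.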
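Review bot: In the two stream/stream_cddb.c hunks at @@ -453 and @@ -490, moving the terminator from `album_title[len-2]` to `album_title[len]` changes more than the bound: on the `len = ptr2-ptr+1` path the old code dropped the last two copied bytes and the new code keeps them in the title. If those bytes were a delimiter or line ending, subtract them before the `FFMIN` clamp instead. `FFMIN(sizeof(album_title) - 1, len)` also mixes a `size_t` with `len`, so check that `len` cannot be negative at this point, and since both hunks are identical the clamp, copy and terminate sequence could live in one helper.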
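Review bot: The mencoder/Makefile hunk only adds `PORTREVISION= 1`, while the new files/patch-overflows-20080202 is created under mplayer/files only. Please confirm that the mencoder port applies patches from the mplayer files directory; otherwise the revision bump ships an unpatched mencoder. The patch file would also benefit from a header comment naming the upstream advisory for each of the four fixes, which the submission mentions but does not list.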