Message-Id: <200802022355.m12Nth8b082357@www.freebsd.org>
Date: Sat, 2 Feb 2008 23:55:43 GMT
From: Thomas Zander
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/120230: Fix remote vulnerabilities of multimedia/mplayer and multimedia/mencoder
List-Id: Ports bug reports

>Number: 120230
>Category: ports
>Synopsis: Fix remote vulnerabilities of multimedia/mplayer and multimedia/mencoder
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Sun Feb 03 00:00:04 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Thomas Zander
>Release: 6.3-STABLE
>Organization:
>Environment:
>Description:
Since the release of 1.0rc2, so far 4 security bugs have been identified and patches have been made available. Some of them fix remote attack vulnerabilities.
>How-To-Repeat:
>Fix:
The attached patch is a cumulative update to multimedia/mplayer and multimedia/mencoder that
o introduces a new file, files/patch-overflows-20080202, that contains fixes for all currently known holes
o bumps PORTREVISION on both mplayer and mencoder

Patch attached with submission follows:

diff -ruN /usr/ports/multimedia/mplayer/Makefile mplayer/Makefile --- /usr/ports/multimedia/mplayer/Makefile 2008-01-23 18:47:02.000000000 +0800 +++ mplayer/Makefile 2008-02-02 21:06:36.000000000 +0800 
@@ -7,7 +7,7 @@ PORTNAME= mplayer PORTVERSION= ${MPLAYER_PORT_VERSION} -PORTREVISION= 1 +PORTREVISION= 2 COMMENT= High performance media player supporting many formats diff -ruN /usr/ports/multimedia/mplayer/files/patch-overflows-20080202 mplayer/files/patch-overflows-20080202 --- /usr/ports/multimedia/mplayer/files/patch-overflows-20080202 1970-01-01 08:00:00.000000000 +0800 +++ mplayer/files/patch-overflows-20080202 2008-02-02 21:04:53.000000000 +0800 
@@ -0,0 +1,98 @@ +--- libmpdemux/demux_audio.c.orig 2007-10-08 03:49:33.000000000 +0800 ++++ libmpdemux/demux_audio.c 2008-02-02 21:01:44.000000000 +0800 +@@ -229,6 +229,8 @@ + ptr += 4; + + comment = ptr; ++ if (&comment[length] < comments || &comment[length] >= &comments[blk_len]) ++ return; + c = comment[length]; + comment[length] = 0; + +--- libmpdemux/demux_mov.c.orig 2007-10-08 03:49:33.000000000 +0800 ++++ libmpdemux/demux_mov.c 2008-02-02 21:01:48.000000000 +0800 +@@ -173,11 +173,12 @@ + i=trak->chunkmap_size; + while(i>0){ + --i; +- for(j=trak->chunkmap[i].first;jchunkmap[i].first, 0); ++ for(;jchunks[j].desc=trak->chunkmap[i].sdid; + trak->chunks[j].size=trak->chunkmap[i].spc; + } +- last=trak->chunkmap[i].first; ++ last=FFMIN(trak->chunkmap[i].first, trak->chunks_size); + } + + #if 0 +@@ -235,6 +236,8 @@ + s=0; + for(j=0;jdurmap_size;j++){ + for(i=0;idurmap[j].num;i++){ ++ if (s >= trak->samples_size) ++ break; + trak->samples[s].pts=pts; + ++s; + pts+=trak->durmap[j].dur; +@@ -246,6 +249,8 @@ + for(j=0;jchunks_size;j++){ + off_t pos=trak->chunks[j].pos; + for(i=0;ichunks[j].size;i++){ ++ if (s >= trak->samples_size) ++ break; + trak->samples[s].pos=pos; + mp_msg(MSGT_DEMUX, MSGL_DBG3, "Sample %5d: pts=%8d off=0x%08X size=%d\n",s, + trak->samples[s].pts, +@@ -1568,8 +1573,7 @@ + if( udta_len>udta_size) + udta_len=udta_size; + { +- char dump[udta_len-4]; +- stream_read(demuxer->stream, (char *)&dump, udta_len-4-4); ++ stream_skip(demuxer->stream, udta_len-4-4); + udta_size -= udta_len; + } + } +--- stream/url.c.orig 2007-10-08 03:49:26.000000000 +0800 ++++ stream/url.c 2008-02-02 21:00:22.000000000 +0800 +@@ -328,6 +328,7 @@ + } + } + ++ tmp = NULL; + while(i < len) { + // look for the next char that must be kept + for (j=i;jRelease-Note: >Audit-Trail: >Unformatted:
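Review bot: the Fix text says PORTREVISION is bumped on both mplayer and mencoder, but the only Makefile hunk in the patch is mplayer/Makefile (@@ -7,7 +7,7 @@, PORTREVISION 1 to 2). If multimedia/mencoder carries its own PORTREVISION it needs the same bump in this submission, otherwise installed mencoder packages are not flagged for an update to the fixed sources; if it inherits the value from the mplayer port, say so in the Fix text.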
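Review bot: in libmpdemux/demux_audio.c (@@ -229,6 +229,8 @@) the added check validates the address &comment[length] instead of the length itself, and its lower bound is comments rather than comment. A length that is negative or large enough to wrap the address can land before comment yet still inside the block, and then passes the check; forming a pointer far outside the block is also undefined behaviour in C. Compare sizes instead: compute the bytes remaining after comment (blk_len minus (comment - comments)) and return when length is negative or not smaller than that. The hunk does not show whether the preceding "ptr += 4" was bounded by blk_len; the same remaining-bytes value would cover it.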
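Review bot: in libmpdemux/demux_mov.c (@@ -235,6 +236,8 @@ and @@ -246,6 +249,8 @@) the added "if (s >= trak->samples_size) break;" leaves only the inner loop over i; the outer loop over j keeps running and re-tests the same condition for every remaining entry. Put the bound in the outer loop condition as well, or leave both loops once it trips, and emit an mp_msg warning so that a file whose durmap or chunk sizes claim more samples than samples_size is reported instead of silently truncated.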
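Review bot: in libmpdemux/demux_mov.c (@@ -1568,8 +1573,7 @@) the skip count udta_len-4-4 is bounded only from above, by "if( udta_len>udta_size) udta_len=udta_size;". Replacing the variable-length "char dump[udta_len-4]" with stream_skip removes the stack buffer, but a udta_len below 8 still yields a negative or wrapped skip length, depending on the type of udta_len. Add a lower-bound check that rejects such an atom before the subtraction.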
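Review bot: in stream/url.c (@@ -328,6 +328,7 @@) "tmp = NULL;" is added before the while(i < len) loop with no comment on which later use it protects. Initialise tmp where it is declared, or add a one-line comment naming the path that could read it unset, so the reason for the assignment is not lost on the next edit.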