Date: Sat, 27 Sep 2003 16:31:00 -0500 (CDT) From: Jeremy Messenger <mezz7@cox.net> To: FreeBSD-gnats-submit@FreeBSD.org Cc: riggs@rrr.de Subject: ports/57296: Update port: multimedia/mplayer 0.90.x -> 0.92, fix the exploitable remote buffer overflow vulnerability Message-ID: <200309272131.h8RLV00J028093@ns1.mezzweb.com> Resent-Message-ID: <200309272200.h8RM0bNA021473@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 57296 >Category: ports >Synopsis: Update port: multimedia/mplayer 0.90.x -> 0.92, fix the exploitable remote buffer overflow vulnerability >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Sat Sep 27 15:00:36 PDT 2003 >Closed-Date: >Last-Modified: >Originator: Mezz >Release: FreeBSD 5.1-CURRENT i386 >Organization: >Environment: System: FreeBSD ns1.mezzweb.com 5.1-CURRENT FreeBSD 5.1-CURRENT #0: Wed Aug 13 22:39:47 CDT 2003 mezz@mezz.mezzweb.com:/usr/obj/usr/src/sys/BSDROCKS i386 >Description: Severity: HIGH (if playing ASX streaming content) LOW (if playing only normal files) Description: A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer into executing arbitrary code upon parsing that header. MPlayer versions affected: MPlayer 0.90pre series MPlayer 0.90rc series MPlayer 0.90 MPlayer 0.91 MPlayer 1.0pre1 MPlayer versions unaffected: MPlayer releases before 0.90pre1 MPlayer 0.92 MPlayer HEAD CVS Url: http://www.mplayerhq.hu/homepage/design6/news.html >How-To-Repeat: n/a >Fix: -Upgrade to 0.92 to plug the exploitable. -Add RUN_DEPENDS of mplayer-skins in the WITH_GUI define. Remove the message of tell user to go MPlayer website and download the skins. I think, it's silly and should be add RUN_DEPENDS since we have multimedia/mplayer-skins. On another note: Please do the double check on the mplayer-0.9.1-v6-20030825.diff.gz in case. I didn't find anything wrong with it thought to apply it with 0.92 and play mplayer. --- mplayer.diff begins here --- diff -ur mplayer.orig/Makefile mplayer/Makefile --- mplayer.orig/Makefile Sun Sep 14 00:26:15 2003 +++ mplayer/Makefile Sat Sep 27 15:58:07 2003 @@ -165,8 +165,7 @@ # to be installed. PORTNAME= mplayer -PORTVERSION= 0.90.0.110 -PORTREVISION= 4 +PORTVERSION= 0.92 CATEGORIES= multimedia audio ipv6 MASTER_SITES= http://www1.mplayerhq.hu/MPlayer/releases/ \ http://www2.mplayerhq.hu/MPlayer/releases/ \ @@ -178,10 +177,10 @@ ftp://ftp.lug.udel.edu/MPlayer/releases/ \ ftp://mirrors.xmission.com/MPlayer/releases/ \ http://www.rrr.de/~riggs/mplayer/ -DISTNAME= MPlayer-0.90 +DISTNAME= MPlayer-${PORTVERSION} PATCH_SITES= ${MASTER_SITE_RINGSERVER:S,%SUBDIR%,net/kame/misc/&,} -PATCHFILES= mplayer-0.9.0-v6-20030430.diff.gz +PATCHFILES= mplayer-0.9.1-v6-20030825.diff.gz PATCH_DIST_STRIP= -p1 MAINTAINER= riggs@rrr.de @@ -318,6 +317,7 @@ .endif .if defined(WITH_GUI) +RUN_DEPENDS+= ${LOCALBASE}/share/mplayer/Skin:${PORTSDIR}/multimedia/mplayer-skins USE_GNOME+= gtk12 .if defined(PKGNAMESUFFIX) PKGNAMESUFFIX:= ${PKGNAMESUFFIX}-gtk @@ -515,11 +515,6 @@ @${ECHO_MSG} "For example," @${ECHO_MSG} "make WITH_GUI=yes" @${ECHO_MSG} "builds MPlayer with GUI support." - -.if defined(WITH_GUI) - @${ECHO_MSG} "You can download official skin collections from" - @${ECHO_MSG} "http://www.mplayerhq.hu/homepage/dload.html" -.endif post-patch: @${REINPLACE_CMD} -e \ diff -ur mplayer.orig/distinfo mplayer/distinfo --- mplayer.orig/distinfo Thu May 15 00:04:59 2003 +++ mplayer/distinfo Sat Sep 27 15:17:17 2003 @@ -1,2 +1,2 @@ -MD5 (MPlayer-0.90.tar.bz2) = 9a9f294bbaab2071ecbc327f4e870be8 -MD5 (mplayer-0.9.0-v6-20030430.diff.gz) = 6a20e965b297389fa0b471032a06dac1 +MD5 (MPlayer-0.92.tar.bz2) = c4e003fc6c6f82c1cae96a95eb9b2d28 +MD5 (mplayer-0.9.1-v6-20030825.diff.gz) = b99f40b5e1ee9fd467246e0c627794eb diff -ur mplayer.orig/files/patch-ad mplayer/files/patch-ad --- mplayer.orig/files/patch-ad Mon Feb 10 13:28:06 2003 +++ mplayer/files/patch-ad Sat Sep 27 16:34:29 2003 @@ -1,6 +1,6 @@ ---- configure.orig Sun Feb 9 06:29:05 2003 -+++ configure Mon Feb 10 23:20:25 2003 -@@ -294,7 +294,7 @@ +--- configure.orig Sat Sep 27 16:27:23 2003 ++++ configure Sat Sep 27 16:34:14 2003 +@@ -300,7 +300,7 @@ # 1st pass checking for vital options @@ -9,7 +9,7 @@ _ranlib=ranlib _cc=gcc test "$CC" && _cc="$CC" -@@ -530,19 +530,10 @@ +@@ -539,19 +539,10 @@ # Try to find the available options for the current CPU if x86 || ppc; then @@ -29,7 +29,7 @@ pname=`$_cpuinfo | grep 'model name' | cut -d ':' -f 2 | head -1` pvendor=`$_cpuinfo | grep 'vendor_id' | cut -d ':' -f 2 | cut -d ' ' -f 2 | head -1` -@@ -1394,8 +1385,8 @@ +@@ -1423,8 +1414,8 @@ ;; *) @@ -40,7 +40,7 @@ ;; esac -@@ -1405,7 +1396,7 @@ +@@ -1434,7 +1425,7 @@ test -z "$_bindir" && _bindir="$_prefix/bin" test -z "$_datadir" && _datadir="$_prefix/share/mplayer" test -z "$_mandir" && _mandir="$_prefix/man" @@ -49,7 +49,7 @@ test -z "$_libdir" && _libdir="$_prefix/lib" test -z "$_mlibdir" && _mlibdir="$MLIBHOME" -@@ -1836,13 +1827,7 @@ +@@ -1866,13 +1857,7 @@ echocheck "memalign()" @@ -63,7 +63,7 @@ if test "$_memalign" = yes ; then _def_memalign='#define HAVE_MEMALIGN 1' else -@@ -1931,31 +1916,7 @@ +@@ -1961,31 +1946,7 @@ echocheck "pthread" @@ -96,7 +96,7 @@ echores "yes (using $_ld_pthread)" -@@ -4694,7 +4655,7 @@ +@@ -4848,7 +4809,7 @@ CFLAGS="$CFLAGS -D_REENTRANT" elif bsd ; then # FIXME bsd needs this so maybe other OS'es diff -ur mplayer.orig/files/patch-ae mplayer/files/patch-ae --- mplayer.orig/files/patch-ae Fri Jan 10 14:12:50 2003 +++ mplayer/files/patch-ae Sat Sep 27 15:30:11 2003 @@ -1,6 +1,6 @@ ---- Makefile.orig Thu Dec 5 07:29:26 2002 -+++ Makefile Tue Dec 17 09:53:32 2002 -@@ -241,49 +241,11 @@ +--- Makefile.orig Sat Sep 27 15:26:46 2003 ++++ Makefile Sat Sep 27 15:29:55 2003 +@@ -254,47 +254,11 @@ ifeq ($(SHARED_PP),yes) $(MAKE) install -C postproc endif @@ -30,9 +30,7 @@ - @echo "*** for GUI, and extract to $(DATADIR)/Skin/" -endif - @if test ! -d $(CONFDIR) ; then mkdir -p $(CONFDIR) ; fi -- @if test -f $(CONFDIR)/codecs.conf.old ; then mv -f $(CONFDIR)/codecs.conf.old $(CONFDIR)/codecs.conf.older ; fi - @if test -f $(CONFDIR)/codecs.conf ; then mv -f $(CONFDIR)/codecs.conf $(CONFDIR)/codecs.conf.old ; fi -- $(INSTALL) -c -m 644 etc/codecs.conf $(CONFDIR)/codecs.conf -ifeq ($(DVDKIT_SHARED),yes) -ifeq ($(DVDKIT2),yes) - if test ! -d $(LIBDIR) ; then mkdir -p $(LIBDIR) ; fi diff -ur mplayer.orig/pkg-plist mplayer/pkg-plist --- mplayer.orig/pkg-plist Wed Mar 26 10:17:59 2003 +++ mplayer/pkg-plist Sat Sep 27 15:51:45 2003 @@ -1,6 +1,15 @@ -bin/mplayer -%%MENCODER%%bin/mencoder %%GMPLAYER%%bin/gmplayer +%%MENCODER%%bin/mencoder +bin/mplayer +lib/libdha-0.so.1 +lib/libdha.so.0 +lib/mplayer/vidix/cyberblade_vid.so +lib/mplayer/vidix/mach64_vid.so +lib/mplayer/vidix/mga_crtc2_vid.so +lib/mplayer/vidix/mga_vid.so +lib/mplayer/vidix/pm3_vid.so +lib/mplayer/vidix/radeon_vid.so +lib/mplayer/vidix/rage128_vid.so %%PORTDOCS%%share/doc/mplayer/bugreports.html %%PORTDOCS%%share/doc/mplayer/cd-dvd.html %%PORTDOCS%%share/doc/mplayer/codecs-in.html @@ -11,17 +20,12 @@ %%PORTDOCS%%share/doc/mplayer/formats.html %%PORTDOCS%%share/doc/mplayer/skin.html %%PORTDOCS%%share/doc/mplayer/sound.html -%%PORTDOCS%%share/doc/mplayer/video.html %%PORTDOCS%%share/doc/mplayer/users_against_developers.html -lib/libdha.so.0 -lib/libdha-0.so.1 -lib/mplayer/vidix/cyberblade_vid.so -lib/mplayer/vidix/mach64_vid.so -lib/mplayer/vidix/mga_crtc2_vid.so -lib/mplayer/vidix/mga_vid.so -lib/mplayer/vidix/pm3_vid.so -lib/mplayer/vidix/radeon_vid.so -lib/mplayer/vidix/rage128_vid.so +%%PORTDOCS%%share/doc/mplayer/video.html +share/mplayer/codecs.conf +share/mplayer/example.conf +share/mplayer/input.conf +share/mplayer/menu.conf share/mplayer/tools/calcbpp.pl share/mplayer/tools/countquant.pl share/mplayer/tools/dvd2divxscript.pl @@ -31,10 +35,6 @@ share/mplayer/tools/sws-test share/mplayer/tools/w32codec_dl.pl share/mplayer/tools/x2mpsub.sh -share/mplayer/codecs.conf -share/mplayer/example.conf -share/mplayer/input.conf -share/mplayer/menu.conf @dirrm share/mplayer/tools @unexec rmdir %D/share/mplayer 2>/dev/null || true %%PORTDOCS%%@dirrm share/doc/mplayer --- mplayer.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200309272131.h8RLV00J028093>