MPlayer demux_audio.c Remote Stack Overflow Vulnerability

Published: 2008-02-04
Updated: 2008-02-06

Affected systems:
MPlayer MPlayer 1.0 rc2
Description:
BUGTRAQ  ID: 27441
CVE(CAN) ID: CVE-2008-0486

MPlayer is a Linux-based media player that supports many media formats.

The libmpdemux/demux_audio.c file in MPlayer has a stack overflow vulnerability when parsing FLAC comments:

/-----------

libmpdemux/demux_audio.c

case FLAC_VORBIS_COMMENT:
    {
        /* For a description of the format please have a look at */
        /* http://www.xiph.org/vorbis/doc/v-comment.html */

        uint32_t length, comment_list_len;
        char comments[blk_len];                /* (1) */
        uint8_t *ptr = comments;
        char *comment;
        int cn;
        char c;

        if (stream_read (s, comments, blk_len) == blk_len)
        {
            length = AV_RL32(ptr);             /* (2) */
            ptr += 4 + length;

            comment_list_len = AV_RL32(ptr);
            ptr += 4;

            cn = 0;
            for (; cn < comment_list_len; cn++)
            {
                length = AV_RL32(ptr);
                ptr += 4;

                comment = ptr;
                c = comment[length];           /* (3) */
                comment[length] = 0;
                ...

-----------/

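As shown, at (2) the length parameter is loaded from a position in the file stream and is then used, without any validation, as an index into the comment buffer. This may trigger a stack overflow and lead to arbitrary code execution.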
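The check that is missing at (2) and (3), as an added example that is not MPlayer's code or the vendor patch: every length read from the block is compared against the bytes remaining in the block before it is used, and the block is never written. The names `rl32`, `read_len`, `count_vorbis_comments` and the two sample blocks are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* 32-bit little-endian read, the role AV_RL32 plays in the excerpt. */
static uint32_t rl32(const uint8_t *p)
{
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical helper: read the length field at *off, advance past it and
 * check that `*len` more bytes exist in buf[0..blk_len). 0 = ok, -1 = bad. */
static int read_len(const uint8_t *buf, size_t blk_len, size_t *off, uint32_t *len)
{
    if (blk_len - *off < 4)          /* caller keeps *off <= blk_len */
        return -1;
    *len = rl32(buf + *off);
    *off += 4;
    return *len > blk_len - *off ? -1 : 0;   /* subtraction cannot wrap */
}

/* Walk a VORBIS_COMMENT block read-only. Returns the comment count, or -1
 * when any length field points outside the block. */
int count_vorbis_comments(const uint8_t *buf, size_t blk_len)
{
    size_t off = 0;
    uint32_t len, n, i;
    if (read_len(buf, blk_len, &off, &len) < 0)   /* vendor string */
        return -1;
    off += len;
    if (blk_len - off < 4)
        return -1;
    n = rl32(buf + off);
    off += 4;
    if (n > (blk_len - off) / 4)     /* each comment needs a 4-byte length */
        return -1;
    for (i = 0; i < n; i++) {
        if (read_len(buf, blk_len, &off, &len) < 0)
            return -1;
        off += len;   /* comment text is buf[off-len .. off), never written */
    }
    return (int)n;
}

/* Constructed samples: vendor "test" + one comment "TITLE=a"; BAD claims a
 * 0xFFFFFFFF-byte comment. */
static const uint8_t GOOD[] = {4,0,0,0,'t','e','s','t', 1,0,0,0, 7,0,0,0,'T','I','T','L','E','=','a'};
static const uint8_t BAD[]  = {4,0,0,0,'t','e','s','t', 1,0,0,0, 0xff,0xff,0xff,0xff,'T'};
int main(void) { return !(count_vorbis_comments(GOOD, sizeof GOOD) == 1 && count_vorbis_comments(BAD, sizeof BAD) == -1); }
```

A caller that needs a NUL-terminated comment should copy the bounded range into its own buffer instead of writing a terminator at `comment[length]` as the excerpt does at (3).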

<*Source: Damian Frizza
          Alfredo Ortega
  
  Links: http://secunia.com/advisories/28779/
         http://marc.info/?l=bugtraq&m=120216014314681&w=2
         http://www.mplayerhq.hu/design7/news.html
         http://security.gentoo.org/glsa/glsa-200802-12.xml
         http://www.debian.org/security/2008/dsa-1496
         http://security.gentoo.org/glsa/glsa-200803-16.xml
*>

Recommendation:
Vendor patches:

Debian
------
Debian has released a security advisory (DSA-1496-1) and corresponding patches for this issue:
DSA-1496-1: New mplayer packages fix arbitrary code execution
Link: http://www.debian.org/security/2008/dsa-1496

Patch download:
Source archives:

http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1.orig.tar.gz
Size/MD5 checksum: 10286260 815482129b79cb9390904b145c5def6c
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch2.dsc
Size/MD5 checksum:     1265 e247c07b25f52ae90c66d1147ed2dad3
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch2.diff.gz
Size/MD5 checksum:    82320 4fbe0a18dad58eb0fde6388bfa0fd6fe

Architecture independent packages:

http://security.debian.org/pool/updates/main/m/mplayer/mplayer-doc_1.0~rc1-12etch2_all.deb
Size/MD5 checksum:  2042982 dcae457fc598d095481ae958b4b2be33

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch2_alpha.deb
Size/MD5 checksum:  4705092 f8a36452c703da05dda73b88b10574d5

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch2_amd64.deb
Size/MD5 checksum:  4371682 ea9e372fbc21656a37833f7a48caaa84

arm architecture (ARM)

http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch2_arm.deb
Size/MD5 checksum:  4325240 841828bbc45a01d1ced4baffa54e4c82

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch2_hppa.deb
Size/MD5 checksum:  4383526 a5a37e479515be1eacbb3eb801f558b0

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch2_i386.deb
Size/MD5 checksum:  4556720 fc9d62d80284dcb7501d4aa46d90705f

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch2_ia64.deb
Size/MD5 checksum:  5842148 8e554b82c704849813e3bcbdf979d276

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch2_mips.deb
Size/MD5 checksum:  4274610 ba330371c3a4a476fc592e260fe9b928

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch2_mipsel.deb
Size/MD5 checksum:  4278942 56998d94712efad908d30bc068ce2a57

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch2_powerpc.deb
Size/MD5 checksum:  4342144 18e70bd86fdab75e181ff9a53976c7e4

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch2_s390.deb
Size/MD5 checksum:  4163034 58e5f78fea7e16ee261c371c9a5c1ac6

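Patch installation:

1. Install the patch package manually:

  First, download the patch package with the following command:
  # wget url  (url is the patch download link)

  Then install the patch with the following command:
  # dpkg -i file.deb (file is the name of the corresponding patch package)

2. Install the patch package automatically with apt-get:

   First, update the internal database with the following command:
   # apt-get update

   Then install the updated packages with the following command:
   # apt-get upgrade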

Gentoo
------
Gentoo has released a security advisory (GLSA-200803-16) and corresponding patches for this issue:
GLSA-200803-16: MPlayer: Multiple buffer overflows
Link: http://security.gentoo.org/glsa/glsa-200803-16.xml

All MPlayer users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-video/mplayer-1.0_rc2_p25993"

MPlayer
-------
The vendor has released patches that fix this security issue; download them from the vendor's site:

http://www.mplayerhq.hu/MPlayer/patches/url_fix_20080120.diff
http://www.mplayerhq.hu/MPlayer/patches/demux_mov_fix_20080129.diff
http://www.mplayerhq.hu/MPlayer/patches/demux_audio_fix_20080129.diff

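This vulnerability entry was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.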