From security@linux-mandrake.com Tue Apr 6 03:28:53 2004 From: Mandrake Linux Security Team To: full-disclosure@lists.netsys.com Date: 5 Apr 2004 23:22:43 -0000 Subject: [Full-Disclosure] MDKSA-2004:026 - Updated mplayer packages fix remotely exploitable vulnerability -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandrakelinux Security Update Advisory _______________________________________________________________________ Package name: mplayer Advisory ID: MDKSA-2004:026 Date: April 5th, 2004 Affected versions: 10.0, 9.2 ______________________________________________________________________ Problem Description: A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful HTTP header ("Location:"), and trick MPlayer into executing arbitrary code upon parsing that header. The updated packages contain a patch from the MPlayer development team to correct the problem. _______________________________________________________________________ References: http://www.mplayerhq.hu/homepage/design6/news.html ______________________________________________________________________ Updated Packages: Mandrakelinux 10.0: 134aa1652ff5325837ee0d1dd7062b2f 10.0/RPMS/libdha0.1-1.0-0.pre3.13.100mdk.i586.rpm 59d793c4ee7906121ad4c5847d8c48e5 10.0/RPMS/libpostproc0-1.0-0.pre3.13.100mdk.i586.rpm 379cfc3fca85254dc9e02e7dcfe3b8a5 10.0/RPMS/libpostproc0-devel-1.0-0.pre3.13.100mdk.i586.rpm 3255b8d6b3c07ab7e850291ccf448be4 10.0/RPMS/mencoder-1.0-0.pre3.13.100mdk.i586.rpm 8d9d2d1acdc13f45bf4145d57d2d8279 10.0/RPMS/mplayer-1.0-0.pre3.13.100mdk.i586.rpm 0326d955c0bd11c1f108c25bd6afec7c 10.0/RPMS/mplayer-gui-1.0-0.pre3.13.100mdk.i586.rpm 911e55e683df88c41df9ef9f2b09493f 10.0/SRPMS/mplayer-1.0-0.pre3.13.100mdk.src.rpm Mandrakelinux 9.2: d2335a0b3a0309a109db619a3c1247cd 9.2/RPMS/libdha0.1-0.91-8.2.92mdk.i586.rpm 3f739b2b8da578eec51d6c470d016861 9.2/RPMS/libpostproc0-0.91-8.2.92mdk.i586.rpm bea49f0df30a6fc90c08ce7de955ad51 9.2/RPMS/libpostproc0-devel-0.91-8.2.92mdk.i586.rpm fc157454aebde5fc4b40688c920987ff 9.2/RPMS/mencoder-0.91-8.2.92mdk.i586.rpm ab6cbd8a28a845d714f5e572dadbd52b 9.2/RPMS/mplayer-0.91-8.2.92mdk.i586.rpm 18f43c4247b164f9c11dd2a70ab707c5 9.2/RPMS/mplayer-gui-0.91-8.2.92mdk.i586.rpm f930e2754ab5d7e284a71f5a9f40cc38 9.2/SRPMS/mplayer-0.91-8.2.92mdk.src.rpm Mandrakelinux 9.2/AMD64: b48538a9d9183d02d57b21b4b4fa1b02 amd64/9.2/RPMS/lib64postproc0-0.91-8.2.92mdk.amd64.rpm 19b0ae1cc45534f2b389059a64fde38c amd64/9.2/RPMS/lib64postproc0-devel-0.91-8.2.92mdk.amd64.rpm ec3be0bf7521721acf91f863d5af8bbc amd64/9.2/RPMS/mencoder-0.91-8.2.92mdk.amd64.rpm 184a24f4121e7999cc650cb99f18e935 amd64/9.2/RPMS/mplayer-0.91-8.2.92mdk.amd64.rpm e75f2c67e14004edaa204968ad92a134 amd64/9.2/RPMS/mplayer-gui-0.91-8.2.92mdk.amd64.rpm f930e2754ab5d7e284a71f5a9f40cc38 amd64/9.2/SRPMS/mplayer-0.91-8.2.92mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. A list of FTP mirrors can be obtained from: http://www.mandrakesecure.net/en/ftp.php All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing: gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98 Please be aware that sometimes it takes the mirrors a few hours to update. You can view other update advisories for Mandrakelinux at: http://www.mandrakesecure.net/en/advisories/ Mandrakesoft has several security-related mailing list services that anyone can subscribe to. Information on these lists can be obtained by visiting: http://www.mandrakesecure.net/en/mlist.php If you want to report vulnerabilities, please contact security_linux-mandrake.com Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAcepCmqjQ0CJFipgRAhCKAKCi/TErb5NqKNNwb7+TN/c/qIoIRgCgz7RS cs7U2oyUG5RaPnRM2r6wmfw= =a96D -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html