MPlayer aviheader.c integer overflow
| mplayer-aviheader-integer-overflow (25514) |  High Risk |
Description:
MPlayer is vulnerable to a heap-based buffer overflow, caused by an integer overflow in the libmpdemux/aviheader.c module. By creating a malicious .asf file with a specially-crafted wLongsPerEntry or nEntriesInUse values in the index chunk, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause a denial of service, once the malicious .asf file is opened.
Platforms Affected:
- Gentoo, Linux
- MandrakeSoft, Mandrake Linux 2006 X86_64
- MandrakeSoft, Mandrake Linux 2006
- MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
- MandrakeSoft, Mandrake Linux Corporate Server 3.0
- MPlayer, MPlayer 1.0 pre7try2
Remedy:
For Gentoo Linux:
Refer to Gentoo Linux Security Announcement GLSA 2006-05-01 for patch, upgrade, or suggested workaround information. See References.
Consequences:
Gain Access
References:
- Full-Disclosure Mailing List, Wed Mar 29 2006 - 00:12:52 CST, [xfocus-SD-060329]MPlayer: Multiple integer overflows at http://archives.neohapsis.com/archives/fulldisclosure/2006-03/1746.html.
- MPlayer Web site, MPlayer - The Movie Player at http://www.mplayerhq.hu/homepage/design7/info.html.
- BID-17295: MPlayer Multiple Integer Overflow Vulnerabilities
- CVE-2006-1502: Multiple integer overflows in MPlayer 1.0pre7try2 allow remote attackers to cause a denial of service and trigger heap-based buffer overflows via (1) a certain ASF file handled by asfheader.c that causes the asf_descrambling function to be passed a negative integer after the conversion from a char to an int or (2) an AVI file with a crafted wLongsPerEntry or nEntriesInUse value in the indx chunk, which is handled in aviheader.c.
- GLSA-200605-01: MPlayer: Heap-based buffer overflow
- MDKSA-2006:068: Updated mplayer packages fix integer overflow vulnerabilities
- OSVDB ID: 24246: MPlayer libmpdemux/asfheader.c asf_descrambling() Function ASF Processing Overflow
- OSVDB ID: 24247: MPlayer libmpdemux/aviheader.c AVI indx Chunk Processing Overflow
- SA19418: MPlayer AVI "indx" Chunk and ASF Handling Vulnerabilities
- SECTRACK ID: 1015842: MPlayer Integer Overflows in Processing ASF and AVI Headers Let Remote Users Execute Arbitrary Code
- VUPEN/ADV-2006-1156: MPlayer ASF and AVI File Handling Remote Integer Overflow Vulnerabilities
Reported:
Mar 29, 2006
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net