Opened 3 months ago

Closed 3 months ago

#2426 closed defect (fixed)

Security Vulnerability Report for Mplayer v1.5

Reported by: RedTeamTIM Owned by: beastd
Priority: high Component: undetermined
Version: HEAD Severity: major
Keywords: CWE-690, MPlayer Cc: RedTeamTIM
Blocked By: Blocking:
Reproduced by developer: yes Analyzed by developer: yes

Description

To Whom It May Concern,

We are writing to inform you that during our analysis we found some vulnerabilities which affect the Mplayer product.

Vulnerability details:

Product Line: Mplayer
Vulnerable Version: 1.5
CWE-690: Unchecked Return Value to NULL Pointer Dereference
A detailed report is attached.

Credits and Research Team Info:
(1) First Name: Massimiliano - Last Name: Ferraresi
(2) First Name: Massimiliano - Last Name: Brolli
Research Firm: TIM Security Red Team Research
Organization Name: TIM S.p.A

Disclosure Policy

We strongly believe that a coordinated disclosure is the best approach to properly and efficiently address the risk related to security vulnerabilities (i.e. Coordinated Vulnerability Disclosure – CVD).
If everything goes as intended, after your confirmations and, eventually, the CVE ID publication, we will proceed with a full disclosure on our Web page. If you do not agree with a full disclosure for the vulnerabilities, please let us know by responding to this communication. In this case we will just publish the CVE details.
However, if no response is provided or you do not intend to take any action to assess the security issue, we will proceed as follows:
After the first communication with no response within a week, it is resent. If no response is provided at all, we will proceed with a disclosure of the vulnerability on our public Web Site after 90 days.
After the acknowledgement of the security issues, if no status updates are provided within the next month, we will send you a final communication warning that the vulnerability information will be published after 90 days.

As a security research team, we will be glad to support you in the evaluation and remediation processes.

Best regards
TIM Security Red Team Research

Attachments (2)

Disclosure_report_MPlayer.pdf (273.9 KB ) - added by RedTeamTIM 3 months ago.
Disclosure Report
crash86 (1.6 KB ) - added by RedTeamTIM 3 months ago.
Fuzzed playlist example to crash Mplayer


Change History (5)

by RedTeamTIM, 3 months ago

Attachment: Disclosure_report_MPlayer.pdf added

Disclosure Report

by RedTeamTIM, 3 months ago

Attachment: crash86 added

Fuzzed playlist example to crash Mplayer

comment:1 by ib, 3 months ago

Status: new → open

Vulnerability is confirmed and can be fixed with:

--- a/asxparser.c
+++ b/asxparser.c
@@ -118,6 +118,7 @@
       }
     }
     attrib = malloc(ptr2-ptr1+2);
+    if(!attrib) return -1;
     strncpy(attrib,ptr1,ptr2-ptr1+1);
     attrib[ptr2-ptr1+1] = '\0';
 
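Review bot: the early `return -1` after `if(!attrib)` sits inside the attribute loop (the context shows it following two closing braces and feeding the `strncpy` that previously consumed the NULL), and nothing in the hunk releases attributes collected by earlier iterations, so confirm that the function's existing error path frees them or that every caller treats -1 as fatal for the whole parse. Two smaller points: a diagnostic at this spot would make an allocation failure distinguishable from an ordinary parse error, and the NULL check does not cover the size expression itself, so `ptr2-ptr1+2` must be guaranteed positive by the preceding loop before it is converted to `size_t`.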

Is there a CVE ID or do we need one to mention it in our commit?
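
An added illustration, not MPlayer's code: a minimal attribute-name extractor shaped like the hunk above, with a constructed allocation hook so the out-of-memory path that the fix guards against can be exercised without crashing. The names `hooked_malloc`, `extract_attrib`, `attrib_matches` and `attrib_under_oom` are assumptions for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed allocation hook so the example can simulate the malloc()
   failure that the ticket's fix guards against. */
static int fail_next_alloc = 0;
static void *hooked_malloc(size_t n)
{
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return malloc(n);
}

/* Extract the attribute name before the first '=' of an ASX tag body;
   ptr1/ptr2 bound the name as in the asxparser.c hunk. Returns 1 and
   sets *out, 0 if no '=' is present, -1 if allocation fails (the
   unchecked original passed that NULL straight to strncpy()). */
static int extract_attrib(const char *buffer, char **out)
{
    const char *ptr1 = buffer, *ptr2, *ptr3;
    char *attrib;
    *out = NULL;
    while (*ptr1 == ' ' || *ptr1 == '\t')
        ptr1++;
    ptr3 = strchr(ptr1, '=');
    if (ptr3 == NULL || ptr3 == ptr1)
        return 0;
    for (ptr2 = ptr3 - 1; ptr2 > ptr1 && (*ptr2 == ' ' || *ptr2 == '\t'); ptr2--)
        ;
    attrib = hooked_malloc(ptr2 - ptr1 + 2);
    if (!attrib)
        return -1;                         /* the check the fix adds */
    strncpy(attrib, ptr1, ptr2 - ptr1 + 1);
    attrib[ptr2 - ptr1 + 1] = '\0';
    *out = attrib;
    return 1;
}

/* Wrappers returning plain values so both paths can be asserted. */
static int attrib_matches(const char *buffer, const char *expected)
{
    char *name;
    int ok = extract_attrib(buffer, &name) == 1 && strcmp(name, expected) == 0;
    free(name);
    return ok;
}
static int attrib_under_oom(const char *buffer)
{
    char *name;
    fail_next_alloc = 1;
    return extract_attrib(buffer, &name);
}
```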

comment:2 by plorenzo, 3 months ago

Hi,

> Is there a CVE ID or do we need one to mention it in our commit?

It looks like for this kind of issue there is not going to be a CVE, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1083029

comment:3 by ib, 3 months ago

Resolution: fixed
Status: open → closed

Fixed in svn r38664.
