__________________________________________________________
 
                       The U.S. Department of Energy
                    Cyber Incident Response Capability
                  __   __   __       ___ __ __ ___    ___
                 |  \ |  | |_   __  /      |   |__|  /
                 |__/ |__| |__      \___ __|__ |   \ \___
        __________________________________________________________


                             INFORMATION BULLETIN

                             MPlayer Vulnerability
                     [Debian Security Advisory DSA-1644-1]

October 15, 2008 20:00 GMT                                        Number T-012
______________________________________________________________________________
PROBLEM:       MPlayer, a multimedia player, is vulnerable to several integer 
               overflows in the Real video stream demuxing code. These flaws 
               could allow an attacker to cause a denial of service or 
               potentially execution of arbitrary code by supplying a 
               maliciously crafted video file. 
PLATFORM:      Debian GNU/Linux 4.0 (etch) 
DAMAGE:        Integer overflow. 
SOLUTION:      Upgrade to the appropriate version. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. These flaws could allow an atacker to cause 
ASSESSMENT:    a DoS or potentially execution of arbitrary code by supplying a 
               maliciously crafted video file. 
______________________________________________________________________________
CVSS 2 BASE SCORE: 5.1 
 TEMPORAL SCORE:   4.0 
 VECTOR:           (AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C) 
______________________________________________________________________________
LINKS: 
 DOE-CIRC BULLETIN:  http://doecirc.energy.gov/ciac/bulletins/t-012.shtml 
 ORIGINAL BULLETIN:  http://www.debian.org/security/2008/dsa-1644 
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= 
                     CVE-2008-3827 
______________________________________________________________________________
[***** Start Debian Security Advisory DSA-1644-1 *****]

Debian Security Advisory
DSA-1644-1 mplayer -- integer overflow
Date Reported: 
05 Oct 2008 
Affected Packages: 
mplayer 
Vulnerable: 
Yes 
Security database references: 
In the Debian bugtracking system: Bug 500683.
In Mitre's CVE dictionary: CVE-2008-3827.

More information: 
Felipe Andres Manzano discovered that mplayer, a multimedia player, is vulnerable 
to several integer overflows in the Real video stream demuxing code. These flaws 
could allow an attacker to cause a denial of service (a crash) or potentially 
execution of arbitrary code by supplying a maliciously crafted video file.

For the stable distribution (etch), these problems have been fixed in version 1.0~rc1-12etch5.

For the unstable distribution (sid), these problems have been fixed in version 1.0~rc2-18.

We recommend that you upgrade your mplayer packages.

Fixed in: 
Debian GNU/Linux 4.0 (etch)
Source: 
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch5.diff.gz

http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1.orig.tar.gz

http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch5.dsc

Architecture-independent component: 
http://security.debian.org/pool/updates/main/m/mplayer/mplayer-doc_1.0~rc1-12etch5_all.deb

Alpha: 
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch5_alpha.deb

AMD64: 
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch5_amd64.deb

ARM: 
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch5_arm.deb

HP Precision: 
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch5_hppa.deb

Intel IA-32: 
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch5_i386.deb

Intel IA-64: 
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch5_ia64.deb

Big-endian MIPS: 
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch5_mips.deb

Little-endian MIPS: 
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch5_mipsel.deb

PowerPC: 
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch5_powerpc.deb

IBM S/390: 
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch5_s390.deb

Sun Sparc: 
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch5_sparc.deb

MD5 checksums of the listed files are available in the original advisory.


[***** End Debian Security Advisory DSA-1644-1 *****]
_______________________________________________________________________________

DOE-CIRC wishes to acknowledge the contributions of Debian for the 
information contained in this bulletin.
_______________________________________________________________________________


DOE-CIRC provides the U.S. Department of Energy with incident response, 
reporting, and tracking, along with other computer security support. 
DOE-CIRC is a member of GFIRST, the Government Forum of Incident 
Responders and Security Teams and FIRST an international incident 
response and security organization. 

DOE-CIRC services are available to DOE and DOE contractors. DOE-CIRC
can be contacted at:
    Voice:    +1 866-941-2472 (7x24)
    FAX:      +1 702-932-0189
    STU-III:  Call the voice number.
    E-mail:   doecirc@doecirc.energy.gov

Previous DOE-CIRC notices, anti-virus software, and other information are
available from the DOE-CIRC Computer Security Archive.

   World Wide Web:      http://doecirc.energy.gov/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive DOE-CIRC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with DOE-CIRC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor any agency thereof, nor any of their employees, 
makes any warranty, express or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial product,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or
any agency thereof. The views and opinions of originators expressed
herein do not necessarily state or reflect those of the United States
Government or any agency thereof.

LAST 10 DOE-CIRC Bulletins

S-213: Nukedit 'email' Parameter Vulnerability
S-214: SurgeMail and WebMail 'Page' Command Vulnerability
S-215: Symantec Backup Exec Scheduler ActiveX Control Multiple Vulnerabilities
S-216: Juniper Networks Secure Access 2000 'rdremediate.cgi' Vulnerability
S-217: Drupal Multiple HTML Vulnerabilities
S-218: gd Security Update
S-219: Juniper Networks Secure Access 2000 Web Root Path Vulnerability
S-220: PHP-Nuke My_eGallery Module 'gid' Parameter Vulnerability
S-221: Learn2 STRunner ActiveX Control Vulnerabilities
S-222: Evolution Security Update