Overview
MPlayer fails to properly allocate a memory buffer for URL strings containing characters that need to be escaped.
Description
MPlayer is a movie player for Linux and other Unix-based operating systems. MPlayer fails to properly allocate a memory buffer for URL strings containing characters that need to be escaped. When escaping characters in a URL, a single character may be replaced by three. For instance, the space character may be replaced by %20. There is a vulnerability in the way MPlayer allocates memory to store the escaped representation of the URL. By sending a "Location" HTTP header containing an overly long URL with many un-escaped characters, an attacker can trigger a buffer overflow. According to the MPlayer Advisory, the following versions are affected:
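The one-to-three expansion described above determines how large the destination buffer has to be. The following is an added example, not MPlayer's code or its patch: the function name `url_escape_alloc`, the helper `is_url_safe` and the set of characters passed through unescaped are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Bytes copied through unchanged; every other byte becomes %XX.
 * This safe set is an assumption for the example, not MPlayer's table. */
static int is_url_safe(unsigned char c)
{
    return isalnum(c) || (c != '\0' && strchr("-._~/:?&=#", c) != NULL);
}

/* Returns a newly allocated escaped copy of `in`, or NULL on failure.
 * Sizing rule: each input byte can expand to three output bytes, so the
 * worst case is 3 * len + 1 (terminator). A buffer sized from the
 * unescaped length alone is too small as soon as one byte is escaped,
 * which is the kind of allocation failure the note describes. */
char *url_escape_alloc(const char *in)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t len = strlen(in);

    /* Reject lengths for which 3 * len + 1 would wrap around size_t. */
    if (len > (SIZE_MAX - 1) / 3)
        return NULL;

    char *out = malloc(3 * len + 1);
    if (out == NULL)
        return NULL;

    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (is_url_safe(c)) {
            out[o++] = (char)c;
        } else {
            out[o++] = '%';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0F];
        }
    }
    out[o] = '\0';   /* o <= 3 * len, so the terminator is inside the buffer */
    return out;
}
```

The caller owns the returned buffer and releases it with `free()`.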
Impact
By convincing a user to play a media file containing a specially crafted "Location" HTTP header, an attacker could cause MPlayer to crash or potentially execute code of the attacker's choice with privileges of the victim.
Solution
Upgrade
According to the MPlayer Advisory, users of MPlayer 1.0pre3 should upgrade to the latest CVS. MPlayer 0.92 (and below) users should upgrade to 0.92.1 or the latest CVS.
CVSS Metrics
| Group | Score | Vector | 
|---|---|---|
| Base | 0 | AV:--/AC:--/Au:--/C:--/I:--/A:-- | 
| Temporal | 0 | E:ND/RL:ND/RC:ND | 
| Environmental | 0 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND | 
Acknowledgements
This vulnerability was reported by blexim.
This document was written by Damon Morda.
Other Information
| CVE IDs: | None | 
| Severity Metric: | 1.35 | 
| Date Public: | 2004-03-31 | 
| Date First Published: | 2004-04-09 | 
| Date Last Updated: | 2004-04-09 13:48 UTC | 
| Document Revision: | 19 |