From ee7ba3f484bde2777169eeebf842a27e59df99af Mon Sep 17 00:00:00 2001
From: Dominik Mierzejewski
Date: Sun, 12 Oct 2008 20:52:05 +0000
Subject: [PATCH] - security fix for CVE-2008-3827 - sync with devel for F-9

---
 mplayer-CVE-2008-3827.patch | 28 ++++++++++++++++++++++++++++
 mplayer.spec | 7 ++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 mplayer-CVE-2008-3827.patch

diff --git a/mplayer-CVE-2008-3827.patch b/mplayer-CVE-2008-3827.patch
new file mode 100644
index 0000000..3816add
--- /dev/null
+++ b/mplayer-CVE-2008-3827.patch
@@ -0,0 +1,28 @@
+Index: libmpdemux/demux_real.c
+===================================================================
+--- libmpdemux/demux_real.c (revision 27674)
++++ libmpdemux/demux_real.c (revision 27675)
+@@ -947,6 +947,7 @@
+ // last fragment!
+ if(dp_hdr->len!=vpkg_length-vpkg_offset)
+ mp_msg(MSGT_DEMUX,MSGL_V,"warning! assembled.len=%d frag.len=%d total.len=%d \n",dp->len,vpkg_offset,vpkg_length-vpkg_offset);
++ if (vpkg_offset > dp->len - sizeof(dp_hdr_t) - dp_hdr->len) vpkg_offset = dp->len - sizeof(dp_hdr_t) - dp_hdr->len;
+ stream_read(demuxer->stream, dp_data+dp_hdr->len, vpkg_offset);
+ if((dp_data[dp_hdr->len]&0x20) && (sh_video->format==0x30335652)) --dp_hdr->chunks; else
+ dp_hdr->len+=vpkg_offset;
+@@ -970,6 +971,7 @@
+ // non-last fragment:
+ if(dp_hdr->len!=vpkg_offset)
+ mp_msg(MSGT_DEMUX,MSGL_V,"warning! assembled.len=%d offset=%d frag.len=%d total.len=%d \n",dp->len,vpkg_offset,len,vpkg_length);
++ if (len > dp->len - sizeof(dp_hdr_t) - dp_hdr->len) len = dp->len - sizeof(dp_hdr_t) - dp_hdr->len;
+ stream_read(demuxer->stream, dp_data+dp_hdr->len, len);
+ if((dp_data[dp_hdr->len]&0x20) && (sh_video->format==0x30335652)) --dp_hdr->chunks; else
+ dp_hdr->len+=len;
+@@ -992,6 +994,7 @@
+ extra[0]=1; extra[1]=0; // offset of the first chunk
+ if(0x00==(vpkg_header&0xc0)){
+ // first fragment:
++ if (len > dp->len - sizeof(dp_hdr_t)) len = dp->len - sizeof(dp_hdr_t);
+ dp_hdr->len=len;
+ stream_read(demuxer->stream, dp_data, len);
+ ds->asf_packet=dp;
diff --git a/mplayer.spec b/mplayer.spec
index b030de6..5adc0c4 100644
--- a/mplayer.spec
+++ b/mplayer.spec
@@ -6,7 +6,7 @@
 Name: mplayer
 Version: 1.0
-Release: 0.99.%{pre}%{?dist}
+Release: 0.100.%{pre}%{?dist}
 Summary: Movie player playing most video formats and DVDs
 Group: Applications/Multimedia
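Review bot: The three added clamps bound each `stream_read` by the whole packet buffer (`dp->len - sizeof(dp_hdr_t)`), yet the same packet also holds the chunk table that `extra` writes into (`extra[0]=1; extra[1]=0;` in the third hunk); if `extra` is derived from an offset inside that buffer, as its setup outside the hunk presumably does, an oversized fragment can no longer run off the heap but can still overwrite the chunk table, so the bound should be the table's offset rather than `dp->len`. Because `sizeof(dp_hdr_t)` forces the arithmetic into `size_t`, a `dp_hdr->len` that already exceeds the data area makes the subtraction wrap and the guard pass, and a negative `len` or `vpkg_offset` (their types are not visible here) converts to a huge unsigned value and gets truncated rather than rejected; computing the free space once as a signed value, `int avail = dp->len - (int)sizeof(dp_hdr_t) - (int)dp_hdr->len;` followed by `if (avail < 0 || len > avail)`, makes both cases explicit. Silently shortening the read also means the decoder receives a truncated frame while the only diagnostic is the pre-existing `MSGL_V` message; a fragment larger than its packet is a malformed file, and logging it at `MSGL_WARN` and dropping the packet would fail closed instead. The identical clamp is pasted at three sites, so a small `static inline` helper would keep them from drifting when one is corrected. The enclosing function, including the allocation that fixes `dp->len` and the derivation of `extra`, begins and ends outside the hunk.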
@@ -25,6 +25,7 @@ Patch5: %{name}-x86_32-compile.patch
 Patch8: %{name}-manlinks.patch
 Patch10: %{name}-qcelp.patch
 Patch12: %{name}-man-zh_CN.patch
+Patch13: %{name}-CVE-2008-3827.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: SDL-devel
@@ -145,6 +146,7 @@ MPlayer documentation in various languages.
 %patch8 -p1 -b .manlinks
 %patch10 -p1 -b .qclp
 %patch12 -p1 -b .man-zh_CN
+%patch13 -p0 -b .cve
 doconv() {
 iconv -f $1 -t $2 -o DOCS/man/$3/mplayer.1.utf8 DOCS/man/$3/mplayer.1 && \
@@ -386,6 +388,9 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
+* Sun Oct 12 2008 Dominik Mierzejewski - 1.0-0.100.20080903svn
+- backport the fix for CVE-2008-3827
 * Tue Sep 09 2008 Dominik Mierzejewski - 1.0-0.99.20080903svn
 - updated to 20080903 SVN snapshot
 - added snapshot creation script