The DMO_VideoDecoder_Open function in loader/dmo/DMO_VideoDecoder.c in MPlayer 1.0rc1 and earlier, as used in xine-lib, does not set the biSize before use in a memcpy, which allows user-assisted remote attackers to cause a buffer overflow and possibly execute arbitrary code, a different vulnerability than CVE-2007-1387.

Several local vulnerabilities have been discovered in Xine, a media player library, allowed for a denial of service or arbitrary code execution, which could be exploited through viewing malicious content.
The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2007-1246 / CVE-2007-1387     The DMO_VideoDecoder_Open function does not set the     biSize before use in a memcpy, which allows     user-assisted remote attackers to cause a buffer     overflow and possibly execute arbitrary code (applies to     sarge only).

  - CVE-2008-0073     Array index error in the sdpplin_parse function allows     remote RTSP servers to execute arbitrary code via a     large streamid SDP parameter.

  - CVE-2008-0486     Array index vulnerability in libmpdemux/demux_audio.c     might allow remote attackers to execute arbitrary code     via a crafted FLAC tag, which triggers a buffer overflow     (applies to etch only).

  - CVE-2008-1161     Buffer overflow in the Matroska demuxer allows remote     attackers to cause a denial of service (crash) and     possibly execute arbitrary code via a Matroska file with     invalid frame sizes.

The DirectShow loader uses wrong parameters in the memcpy function call which leads to a buffer overflow. CVE-2007-1246 has been assigned to this issue.

Moritz Jodeit discovered that the DMO loader of Xine did not correctly validate the size of an allocated buffer. By tricking a user into opening a specially crafted media file, an attacker could execute arbitrary code with the user's privileges.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-200705-21 (MPlayer: Two buffer overflows)

    A buffer overflow has been reported in the DMO_VideoDecoder_Open()     function in file loader/dmo/DMO_VideoDecoder.c. Another buffer overflow     has been reported in the DS_VideoDecoder_Open() function in file     loader/dshow/DS_VideoDecoder.c.
  Impact :

    A remote attacker could entice a user to open a specially crafted video     file, potentially resulting in the execution of arbitrary code with the     privileges of the user running MPlayer.
  Workaround :

    There is no known workaround at this time.

New xine-lib packages are available for Slackware 10.0, 10.1, 10.2, 11.0, and -current to fix security issues.

The remote host is affected by the vulnerability described in GLSA-200704-09 (xine-lib: Heap-based buffer overflow)

    xine-lib does not check boundaries on data being read into buffers from     DMO video files in code that is shared with MPlayer     (DMO_VideoDecoder.c).
  Impact :

    An attacker could entice a user to play a specially crafted DMO video     file with a player using xine-lib, potentially resulting in the     execution of arbitrary code with the privileges of the user running the     player.
  Workaround :

    There is no known workaround at this time.

The DMO_VideoDecoder_Open function in dmo/DMO_VideoDecoder.c in xine-lib does not set the biSize before use in a memcpy, which allows user-assisted remote attackers to cause a buffer overflow and possibly execute arbitrary code.

Updated packages have been patched to address this issue.

The DMO_VideoDecoder_Open function in loader/dmo/DMO_VideoDecoder.c in MPlayer 1.0rc1 and earlier does not set the biSize before use in a memcpy, which allows user-assisted remote attackers to cause a buffer overflow and possibly execute arbitrary code.

Updated packages have been patched to address this issue.

'Moritz Jodeit reports :

There's an exploitable buffer overflow in the current version of MPlayer (v1.0rc1) which can be exploited with a maliciously crafted video file. It is hidden in the DMO_VideoDecoder() function of `loader/dmo/DMO_VideoDecoder.c' file.

ID	Name	Product	Family	Severity
31721	Debian DSA-1536-1 : libxine - several vulnerabilities	Nessus	Debian Local Security Checks	high
29601	SuSE 10 Security Update : xine-lib (ZYPP Patch Number 2988)	Nessus	SuSE Local Security Checks	high
28028	Ubuntu 5.10 / 6.06 LTS / 6.10 : xine-lib vulnerability (USN-433-1)	Nessus	Ubuntu Local Security Checks	high
27489	openSUSE 10 Security Update : xine-lib (xine-lib-2989)	Nessus	SuSE Local Security Checks	high
25360	GLSA-200705-21 : MPlayer: Two buffer overflows	Nessus	Gentoo Local Security Checks	high
25093	Slackware 10.0 / 10.1 / 10.2 / 11.0 / current : xine-lib (SSA:2007-109-02)	Nessus	Slackware Local Security Checks	high
25054	GLSA-200704-09 : xine-lib: Heap-based buffer overflow	Nessus	Gentoo Local Security Checks	high
24807	Mandrake Linux Security Advisory : xine-lib (MDKSA-2007:057)	Nessus	Mandriva Local Security Checks	high
24805	Mandrake Linux Security Advisory : mplayer (MDKSA-2007:055)	Nessus	Mandriva Local Security Checks	high
24798	FreeBSD : mplayer -- DMO File Parsing Buffer Overflow Vulnerability (abeb9b64-ce50-11db-bc24-0016179b2dd5)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2007-1246

critical

Tenable Plugins

high

high

high

high

high

high

high

high

high

high