Bug 64325 (CVE-2004-1310)

Summary: VUL-0: CVE-2004-1310: MPlayer buffer overflow
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Stanislav Brabec <sbrabec>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: sbrabec, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-1310: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 64365    
Attachments: patchinfo for box
patchinfo for SLES

Description Ludwig Nussel 2004-12-16 22:54:07 UTC
We received the following report via vendor-sec.
The issue is public.

MPlayer apparently is on SLD

From djb@cr.yp.to Wed Dec 15 14:21:17 2004
Date: 15 Dec 2004 08:18:11 -0000
From: D. J. Bernstein <djb@cr.yp.to>
To: securesoftware@list.cr.yp.to, mplayer-users@mplayerhq.hu
Subject: [remote] [control] MPlayer 1.0pre5 get_header overflows data buffer

Ariel Berkman, a student in my Fall 2004 UNIX Security Holes course, has
discovered a remotely exploitable security hole in MPlayer. I'm
publishing this notice, but all the discovery credits should be assigned
to Berkman.

You are at risk if you use MPlayer to play an ASF video stream from the
web (or from any other source that could be controlled by an attacker).
Whoever provides that stream then has complete control over your
account: he can read and modify your files, watch the programs you're
running, etc.

Proof of concept: On an x86 computer running FreeBSD 4.10 with ucspi-tcp
installed, type

   wget http://ftp5.mplayerhq.hu/mplayer/releases/MPlayer-1.0pre5.tar.bz2
   bunzip2 < MPlayer-1.0pre5.tar.bz2 | tar -xf -
   cd MPlayer-1.0pre5
   ./configure
   gmake

to download and compile the MPlayer program, version 1.0pre5 (current).
Then save the file 17-s.c attached to this message, and type

   gcc -o 17-s 17-s.c
   tcpserver 0 1755 ./17-s &
   ./mplayer mmst://127.0.0.1/new_video.asf

with the unauthorized result that a file named x is removed from the
current directory. (I tested this with a 538-byte environment, as
reported by printenv | wc -c.)

Here's the bug: In asf_mmst_streaming.c, get_header() uses get_data()
to copy an input-specified amount of data into a 102400-byte data[]
array.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago

Comment 1 Stanislav Brabec 2004-12-20 21:26:36 UTC
Is this exploit covered by official patch
http://www.mplayerhq.hu/MPlayer/patches/mmst_fix_20041215.diff ?
Comment 2 Stanislav Brabec 2004-12-21 00:39:20 UTC
Not sure whether this bug is covered by mmst_fix_20041215.diff.

Cumulative patch applied for STABLE and PLUS.

For 8.2 and sles9-slec applied only: bmp_fix_20041215_backport.diff,
mmst_fix_20041215_backport.diff, mp3_fix_20041215.diff, pnm_fix_20041215.diff.
Patch rtsp_fix_20041215.diff not applied, code seems to be completely different.

For 8.1 applied only: bmp_fix_20041215_backport.diff,
mmst_fix_20041215_backport.diff, mp3_fix_20041215.diff. Patches not applied:
rtsp_fix_20041215.diff (code seems to be completely different) and
pnm_fix_20041215.diff (code is probably not yet there).

Please verify my backports.

For 9.0, 9.1, 9.2 no porting of the patch was done! It was never approved for
distribution and never tested; it may not even compile. Maybe the code should be
dropped from there.
Comment 3 Stanislav Brabec 2004-12-21 22:42:00 UTC
Patch submitted altogether with fix of:
bug 64365
bug 64367

Not sure whether the applied patch covers this issue. Reassigning to security team.
Comment 4 Marcus Meissner 2004-12-21 22:45:26 UTC
======================================================
Candidate: CAN-2004-1285
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1285
Reference: MISC:http://tigger.uic.edu/~jlongs2/holes/mplayer.txt

Buffer overflow in the get_header function in asf_mmst_streaming.c for
MPlayer 1.0pre5 allows remote attackers to execute arbitrary code via
a crafted ASF video stream.

Comment 5 Stanislav Brabec 2004-12-21 22:50:34 UTC
http://www.mplayerhq.hu/MPlayer/patches/mmst_fix_20041215.diff adds packet_len
checking to asf_mmst_streaming.c. It seems to be the same issue.

Please verify my patch backport.
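The defect described in the report (get_header() copying a stream-supplied amount into a fixed 102400-byte data[] array) and the remedy named above (a packet_len check before the copy), as an added illustration that is not MPlayer's code: a hypothetical, simplified header accumulator whose `header_append()` refuses any length that would run past the array, including a length chosen to wrap a naive `used + len` sum.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical simplified model of the pattern described in the report:
 * header packets are accumulated into a fixed 102400-byte array, and the
 * number of bytes copied per packet is taken from the stream itself. */
#define HEADER_BUF_SIZE 102400u

struct header_buf {
    unsigned char data[HEADER_BUF_SIZE];
    size_t used;                       /* bytes accumulated so far */
};

/* Appends one packet's payload. Returns 0 on success, -1 when the
 * stream-supplied packet_len would run past the end of data[]. This is
 * the packet_len check the unpatched get_header() is described as lacking;
 * without it, memcpy() writes past the array for any oversized length. */
int header_append(struct header_buf *h, const unsigned char *payload,
                  size_t packet_len)
{
    /* Compare against the remaining room rather than computing
     * h->used + packet_len, which can wrap on a hostile length. */
    if (packet_len > HEADER_BUF_SIZE - h->used)
        return -1;
    memcpy(h->data + h->used, payload, packet_len);
    h->used += packet_len;
    return 0;
}

/* Constructed checks (not from the report). Returns 0 when the array fills
 * exactly, one extra byte is refused, and a wrapping length is refused. */
int demo_bounds_checks(void)
{
    static struct header_buf h;                       /* static: 100 KiB */
    static unsigned char filler[HEADER_BUF_SIZE];     /* constructed payload */
    memset(&h, 0, sizeof h);
    if (header_append(&h, filler, HEADER_BUF_SIZE) != 0) return 1;  /* exact fit */
    if (header_append(&h, filler, 1) != -1)            return 2;  /* one too many */
    h.used = 4;
    if (header_append(&h, filler, (size_t)-4) != -1)   return 3;  /* used+len wraps to 0 */
    return h.used == 4 ? 0 : 4;                                    /* buffer untouched */
}
```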
Comment 6 Sebastian Krahmer 2005-01-18 20:56:03 UTC
Yes, mmst_fix_20041215.diff seems to be the fix for the bug djb is describing.
For 8.1 and 8.2, mmst_fix_20041215_backport.diff looks the same as
mmst_fix_20041215.diff, only the line numbers differ. So I assume
it's a correct backport.
The BMP fix is really funny, it removes the BMP handler from mplayer.
However, it's the official patch from the MPlayer team, so
bmp_fix_20041215_backport.diff is correct as well. Go ahead with the
patches and the process.
Comment 7 Stanislav Brabec 2005-01-18 21:02:49 UTC
Fixed packages are waiting in /work/src/done since December 20th.

I do not plan to fix 9.0, 9.1 and 9.2. These versions were never released nor
tested and cannot leave SuSE. Maybe they should be dropped and SuSE internal users
should use only the version from PLUS.
Comment 8 Sebastian Krahmer 2005-01-18 21:34:15 UTC
Created attachment 27714 [details]
patchinfo for box

...
Comment 9 Sebastian Krahmer 2005-01-18 21:34:36 UTC
Created attachment 27715 [details]
patchinfo for SLES

...
Comment 10 Sebastian Krahmer 2005-01-18 21:35:58 UTC
SM-tracker-161.

Please tell suse-dist to build packages. The patchinfos are in place.
Comment 11 Sebastian Krahmer 2005-01-24 22:33:32 UTC
*** Bug 64366 has been marked as a duplicate of this bug. ***
Comment 12 Thomas Biege 2005-02-01 19:47:32 UTC
packages approved
Comment 13 Marcus Meissner 2007-12-02 21:27:49 UTC
CVE-2004-1310  for mmst problem
Comment 14 Thomas Biege 2009-10-13 20:05:57 UTC
CVE-2004-1310: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)