ports/57296: Update port: multimedia/mplayer 0.90.x -> 0.92, fix the exploitable remote buffer overflow vulnerability
Jeremy Messenger
mezz7 at cox.net
Sat Sep 27 22:00:42 UTC 2003
>Number: 57296
>Category: ports
>Synopsis: Update port: multimedia/mplayer 0.90.x -> 0.92, fix the exploitable remote buffer overflow vulnerability
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Sat Sep 27 15:00:36 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Mezz
>Release: FreeBSD 5.1-CURRENT i386
>Organization:
>Environment:
System: FreeBSD ns1.mezzweb.com 5.1-CURRENT FreeBSD 5.1-CURRENT #0: Wed Aug 13 22:39:47 CDT 2003 mezz at mezz.mezzweb.com:/usr/obj/usr/src/sys/BSDROCKS i386
>Description:
Severity:
HIGH (if playing ASX streaming content)
LOW (if playing only normal files)
Description:
A remotely exploitable buffer overflow vulnerability was found in
MPlayer. A malicious host can craft a harmful ASX header, and trick
MPlayer into executing arbitrary code upon parsing that header.
MPlayer versions affected:
MPlayer 0.90pre series
MPlayer 0.90rc series
MPlayer 0.90
MPlayer 0.91
MPlayer 1.0pre1
MPlayer versions unaffected:
MPlayer releases before 0.90pre1
MPlayer 0.92
MPlayer HEAD CVS
Url: http://www.mplayerhq.hu/homepage/design6/news.html
>How-To-Repeat:
n/a
>Fix:
-Upgrade to 0.92 to plug the exploitable.
-Add RUN_DEPENDS of mplayer-skins in the WITH_GUI define. Remove the message of
tell user to go MPlayer website and download the skins. I think, it's silly
and should be add RUN_DEPENDS since we have multimedia/mplayer-skins.
On another note: Please do the double check on the
mplayer-0.9.1-v6-20030825.diff.gz in case. I didn't find anything wrong with
it thought to apply it with 0.92 and play mplayer.
--- mplayer.diff begins here ---
diff -ur mplayer.orig/Makefile mplayer/Makefile
--- mplayer.orig/Makefile Sun Sep 14 00:26:15 2003
+++ mplayer/Makefile Sat Sep 27 15:58:07 2003
@@ -165,8 +165,7 @@
# to be installed.
PORTNAME= mplayer
-PORTVERSION= 0.90.0.110
-PORTREVISION= 4
+PORTVERSION= 0.92
CATEGORIES= multimedia audio ipv6
MASTER_SITES= http://www1.mplayerhq.hu/MPlayer/releases/ \
http://www2.mplayerhq.hu/MPlayer/releases/ \
@@ -178,10 +177,10 @@
ftp://ftp.lug.udel.edu/MPlayer/releases/ \
ftp://mirrors.xmission.com/MPlayer/releases/ \
http://www.rrr.de/~riggs/mplayer/
-DISTNAME= MPlayer-0.90
+DISTNAME= MPlayer-${PORTVERSION}
PATCH_SITES= ${MASTER_SITE_RINGSERVER:S,%SUBDIR%,net/kame/misc/&,}
-PATCHFILES= mplayer-0.9.0-v6-20030430.diff.gz
+PATCHFILES= mplayer-0.9.1-v6-20030825.diff.gz
PATCH_DIST_STRIP= -p1
MAINTAINER= riggs at rrr.de
@@ -318,6 +317,7 @@
.endif
.if defined(WITH_GUI)
+RUN_DEPENDS+= ${LOCALBASE}/share/mplayer/Skin:${PORTSDIR}/multimedia/mplayer-skins
USE_GNOME+= gtk12
.if defined(PKGNAMESUFFIX)
PKGNAMESUFFIX:= ${PKGNAMESUFFIX}-gtk
@@ -515,11 +515,6 @@
@${ECHO_MSG} "For example,"
@${ECHO_MSG} "make WITH_GUI=yes"
@${ECHO_MSG} "builds MPlayer with GUI support."
-
-.if defined(WITH_GUI)
- @${ECHO_MSG} "You can download official skin collections from"
- @${ECHO_MSG} "http://www.mplayerhq.hu/homepage/dload.html"
-.endif
post-patch:
@${REINPLACE_CMD} -e \
diff -ur mplayer.orig/distinfo mplayer/distinfo
--- mplayer.orig/distinfo Thu May 15 00:04:59 2003
+++ mplayer/distinfo Sat Sep 27 15:17:17 2003
@@ -1,2 +1,2 @@
-MD5 (MPlayer-0.90.tar.bz2) = 9a9f294bbaab2071ecbc327f4e870be8
-MD5 (mplayer-0.9.0-v6-20030430.diff.gz) = 6a20e965b297389fa0b471032a06dac1
+MD5 (MPlayer-0.92.tar.bz2) = c4e003fc6c6f82c1cae96a95eb9b2d28
+MD5 (mplayer-0.9.1-v6-20030825.diff.gz) = b99f40b5e1ee9fd467246e0c627794eb
diff -ur mplayer.orig/files/patch-ad mplayer/files/patch-ad
--- mplayer.orig/files/patch-ad Mon Feb 10 13:28:06 2003
+++ mplayer/files/patch-ad Sat Sep 27 16:34:29 2003
@@ -1,6 +1,6 @@
---- configure.orig Sun Feb 9 06:29:05 2003
-+++ configure Mon Feb 10 23:20:25 2003
-@@ -294,7 +294,7 @@
+--- configure.orig Sat Sep 27 16:27:23 2003
++++ configure Sat Sep 27 16:34:14 2003
+@@ -300,7 +300,7 @@
# 1st pass checking for vital options
@@ -9,7 +9,7 @@
_ranlib=ranlib
_cc=gcc
test "$CC" && _cc="$CC"
-@@ -530,19 +530,10 @@
+@@ -539,19 +539,10 @@
# Try to find the available options for the current CPU
if x86 || ppc; then
@@ -29,7 +29,7 @@
pname=`$_cpuinfo | grep 'model name' | cut -d ':' -f 2 | head -1`
pvendor=`$_cpuinfo | grep 'vendor_id' | cut -d ':' -f 2 | cut -d ' ' -f 2 | head -1`
-@@ -1394,8 +1385,8 @@
+@@ -1423,8 +1414,8 @@
;;
*)
@@ -40,7 +40,7 @@
;;
esac
-@@ -1405,7 +1396,7 @@
+@@ -1434,7 +1425,7 @@
test -z "$_bindir" && _bindir="$_prefix/bin"
test -z "$_datadir" && _datadir="$_prefix/share/mplayer"
test -z "$_mandir" && _mandir="$_prefix/man"
@@ -49,7 +49,7 @@
test -z "$_libdir" && _libdir="$_prefix/lib"
test -z "$_mlibdir" && _mlibdir="$MLIBHOME"
-@@ -1836,13 +1827,7 @@
+@@ -1866,13 +1857,7 @@
echocheck "memalign()"
@@ -63,7 +63,7 @@
if test "$_memalign" = yes ; then
_def_memalign='#define HAVE_MEMALIGN 1'
else
-@@ -1931,31 +1916,7 @@
+@@ -1961,31 +1946,7 @@
echocheck "pthread"
@@ -96,7 +96,7 @@
echores "yes (using $_ld_pthread)"
-@@ -4694,7 +4655,7 @@
+@@ -4848,7 +4809,7 @@
CFLAGS="$CFLAGS -D_REENTRANT"
elif bsd ; then
# FIXME bsd needs this so maybe other OS'es
diff -ur mplayer.orig/files/patch-ae mplayer/files/patch-ae
--- mplayer.orig/files/patch-ae Fri Jan 10 14:12:50 2003
+++ mplayer/files/patch-ae Sat Sep 27 15:30:11 2003
@@ -1,6 +1,6 @@
---- Makefile.orig Thu Dec 5 07:29:26 2002
-+++ Makefile Tue Dec 17 09:53:32 2002
-@@ -241,49 +241,11 @@
+--- Makefile.orig Sat Sep 27 15:26:46 2003
++++ Makefile Sat Sep 27 15:29:55 2003
+@@ -254,47 +254,11 @@
ifeq ($(SHARED_PP),yes)
$(MAKE) install -C postproc
endif
@@ -30,9 +30,7 @@
- @echo "*** for GUI, and extract to $(DATADIR)/Skin/"
-endif
- @if test ! -d $(CONFDIR) ; then mkdir -p $(CONFDIR) ; fi
-- @if test -f $(CONFDIR)/codecs.conf.old ; then mv -f $(CONFDIR)/codecs.conf.old $(CONFDIR)/codecs.conf.older ; fi
- @if test -f $(CONFDIR)/codecs.conf ; then mv -f $(CONFDIR)/codecs.conf $(CONFDIR)/codecs.conf.old ; fi
-- $(INSTALL) -c -m 644 etc/codecs.conf $(CONFDIR)/codecs.conf
-ifeq ($(DVDKIT_SHARED),yes)
-ifeq ($(DVDKIT2),yes)
- if test ! -d $(LIBDIR) ; then mkdir -p $(LIBDIR) ; fi
diff -ur mplayer.orig/pkg-plist mplayer/pkg-plist
--- mplayer.orig/pkg-plist Wed Mar 26 10:17:59 2003
+++ mplayer/pkg-plist Sat Sep 27 15:51:45 2003
@@ -1,6 +1,15 @@
-bin/mplayer
-%%MENCODER%%bin/mencoder
%%GMPLAYER%%bin/gmplayer
+%%MENCODER%%bin/mencoder
+bin/mplayer
+lib/libdha-0.so.1
+lib/libdha.so.0
+lib/mplayer/vidix/cyberblade_vid.so
+lib/mplayer/vidix/mach64_vid.so
+lib/mplayer/vidix/mga_crtc2_vid.so
+lib/mplayer/vidix/mga_vid.so
+lib/mplayer/vidix/pm3_vid.so
+lib/mplayer/vidix/radeon_vid.so
+lib/mplayer/vidix/rage128_vid.so
%%PORTDOCS%%share/doc/mplayer/bugreports.html
%%PORTDOCS%%share/doc/mplayer/cd-dvd.html
%%PORTDOCS%%share/doc/mplayer/codecs-in.html
@@ -11,17 +20,12 @@
%%PORTDOCS%%share/doc/mplayer/formats.html
%%PORTDOCS%%share/doc/mplayer/skin.html
%%PORTDOCS%%share/doc/mplayer/sound.html
-%%PORTDOCS%%share/doc/mplayer/video.html
%%PORTDOCS%%share/doc/mplayer/users_against_developers.html
-lib/libdha.so.0
-lib/libdha-0.so.1
-lib/mplayer/vidix/cyberblade_vid.so
-lib/mplayer/vidix/mach64_vid.so
-lib/mplayer/vidix/mga_crtc2_vid.so
-lib/mplayer/vidix/mga_vid.so
-lib/mplayer/vidix/pm3_vid.so
-lib/mplayer/vidix/radeon_vid.so
-lib/mplayer/vidix/rage128_vid.so
+%%PORTDOCS%%share/doc/mplayer/video.html
+share/mplayer/codecs.conf
+share/mplayer/example.conf
+share/mplayer/input.conf
+share/mplayer/menu.conf
share/mplayer/tools/calcbpp.pl
share/mplayer/tools/countquant.pl
share/mplayer/tools/dvd2divxscript.pl
@@ -31,10 +35,6 @@
share/mplayer/tools/sws-test
share/mplayer/tools/w32codec_dl.pl
share/mplayer/tools/x2mpsub.sh
-share/mplayer/codecs.conf
-share/mplayer/example.conf
-share/mplayer/input.conf
-share/mplayer/menu.conf
@dirrm share/mplayer/tools
@unexec rmdir %D/share/mplayer 2>/dev/null || true
%%PORTDOCS%%@dirrm share/doc/mplayer
--- mplayer.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list