Executive Summary
Summary | |
---|---|
Title | New mplayer packages fix arbitrary code execution |
Informations | |||
---|---|---|---|
Name | DSA-1496 | First vendor Publication | 2008-02-12 |
Vendor | Debian | Last vendor Modification | 2008-02-12 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Several buffer overflows have been discovered in the MPlayer movie player, which might lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2008-0485 Felipe Manzano and Anibal Sacco discovered a buffer overflow in the demuxer for MOV files. CVE-2008-0486 Reimar Doeffinger discovered a buffer overflow in the FLAC header parsing. CVE-2008-0629 Adam Bozanich discovered a buffer overflow in the CDDB access code. CVE-2008-0630 Adam Bozanich discovered a buffer overflow in URL parsing. For the stable distribution (etch), these problems have been fixed in version 1.0~rc1-12etch2. The old stable distribution (sarge) doesn't contain mplayer. We recommend that you upgrade your mplayer packages. |
Original Source
Url : http://www.debian.org/security/2008/dsa-1496 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-189 | Numeric Errors (CWE/SANS Top 25) |
50 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:20363 | |||
Oval ID: | oval:org.mitre.oval:def:20363 | ||
Title: | DSA-1496-1 mplayer - arbitrary code execution | ||
Description: | Several buffer overflows have been discovered in the MPlayer movie player, which might lead to the execution of arbitrary code. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1496-1 CVE-2008-0485 CVE-2008-0486 CVE-2008-0629 CVE-2008-0630 | Version: | 5 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | mplayer |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:6936 | |||
Oval ID: | oval:org.mitre.oval:def:6936 | ||
Title: | DSA-1496 mplayer -- buffer overflows | ||
Description: | Several buffer overflows have been discovered in the MPlayer movie player, which might lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: Felipe Manzano and Anibal Sacco discovered a buffer overflow in the demuxer for MOV files. Reimar Doeffinger discovered a buffer overflow in the FLAC header parsing. Adam Bozanich discovered a buffer overflow in the CDDB access code. Adam Bozanich discovered a buffer overflow in URL parsing. The old stable distribution (sarge) doesn't contain mplayer. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1496 CVE-2008-0485 CVE-2008-0486 CVE-2008-0629 CVE-2008-0630 | Version: | 3 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | mplayer |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2009-04-09 | Name : Mandriva Update for mplayer MDVSA-2008:045 (mplayer) File : nvt/gb_mandriva_MDVSA_2008_045.nasl |
2009-04-09 | Name : Mandriva Update for xine-lib MDVSA-2008:046 (xine-lib) File : nvt/gb_mandriva_MDVSA_2008_046.nasl |
2009-04-09 | Name : Mandriva Update for xine-lib MDVSA-2008:046-1 (xine-lib) File : nvt/gb_mandriva_MDVSA_2008_046_1.nasl |
2009-03-23 | Name : Ubuntu Update for xine-lib vulnerabilities USN-635-1 File : nvt/gb_ubuntu_USN_635_1.nasl |
2009-02-16 | Name : Fedora Update for xine-lib FEDORA-2008-1543 File : nvt/gb_fedora_2008_1543_xine-lib_fc8.nasl |
2009-02-16 | Name : Fedora Update for xine-lib FEDORA-2008-1581 File : nvt/gb_fedora_2008_1581_xine-lib_fc7.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200802-12 (xine-lib) File : nvt/glsa_200802_12.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200803-16 (mplayer) File : nvt/glsa_200803_16.nasl |
2008-09-04 | Name : FreeBSD Ports: libxine File : nvt/freebsd_libxine8.nasl |
2008-09-04 | Name : mplayer -- multiple vulnerabilities File : nvt/freebsd_mplayer8.nasl |
2008-04-07 | Name : Debian Security Advisory DSA 1536-1 (xine-lib) File : nvt/deb_1536_1.nasl |
2008-02-15 | Name : Debian Security Advisory DSA 1496-1 (mplayer) File : nvt/deb_1496_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
42201 | MPlayer libmpdemux/demux_mov.c MOV File stsc Atom Tag Handling Overflow |
42200 | MPlayer stream_cddb.c CDDB Database Album Title Handling Overflow |
42199 | MPlayer url.c IPv6 Parsing Code Crafted URL Overflow |
42197 | MPlayer libmpdemux/demux_audio.c FLAC Tag Processing Memory Corruption |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2009-04-23 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2008-045.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2008-046.nasl - Type : ACT_GATHER_INFO |
2008-08-20 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-635-1.nasl - Type : ACT_GATHER_INFO |
2008-04-01 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1536.nasl - Type : ACT_GATHER_INFO |
2008-03-13 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200803-16.nasl - Type : ACT_GATHER_INFO |
2008-03-13 | Name : The remote openSUSE host is missing a security update. File : suse_xine-devel-5078.nasl - Type : ACT_GATHER_INFO |
2008-03-13 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_xine-devel-5080.nasl - Type : ACT_GATHER_INFO |
2008-03-07 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_de4d4110ebce11dcae140016179b2dd5.nasl - Type : ACT_GATHER_INFO |
2008-02-28 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_e8a6a16de49811dcbb89000bcdc1757a.nasl - Type : ACT_GATHER_INFO |
2008-02-27 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200802-12.nasl - Type : ACT_GATHER_INFO |
2008-02-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1496.nasl - Type : ACT_GATHER_INFO |
2008-02-14 | Name : The remote Fedora host is missing a security update. File : fedora_2008-1543.nasl - Type : ACT_GATHER_INFO |
2008-02-14 | Name : The remote Fedora host is missing a security update. File : fedora_2008-1581.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:27:20 |
|