#1 2008-02-05 18:17:22

Blind
Member
From: Desert mountain
Registered: 2005-02-06
Posts: 386

mplayer security issues

We should update mplayer:
http://www.mplayerhq.hu/design7/news.html
There are several severe security issues in mplayer 1.0RC2.

Cheers,
Blind

#2 2008-02-05 18:23:21

Gilneas
Member
From: Netherlands
Registered: 2006-10-22
Posts: 320

Re: mplayer security issues

1.0R2 is in Arch. These new bugfixes have yet to be put in a source package.

#3 2008-02-05 18:38:04

shining
Pacman Developer
Registered: 2006-05-10
Posts: 2,043

Re: mplayer security issues

This doesn't belong on the forums, but on the bug tracker: http://bugs.archlinux.org


pacman roulette : pacman -S $(pacman -Slq | LANG=C sort -R | head -n $((RANDOM % 10)))

#4 2008-02-05 19:29:20

Blind
Member
From: Desert mountain
Registered: 2005-02-06
Posts: 386

Re: mplayer security issues

Well, it has been flagged out of date.
Should be enough, hopefully.
Just wanted to point this out.
Cheers,
Blind

#5 2008-02-05 19:40:02

shining
Pacman Developer
Registered: 2006-05-10
Posts: 2,043

Re: mplayer security issues

Out of date, what? It isn't out of date, last release is still 1.0rc2.
And no, it is not enough. If you want to do this correctly, report it on the bug tracker as I already said.



#6 2008-02-05 19:43:09

skottish
Forum Fellow
From: Here
Registered: 2006-06-16
Posts: 7,942

Re: mplayer security issues

It was flagged by mistake around a month ago. Premonition?

#7 2008-02-05 20:11:29

Blind
Member
From: Desert mountain
Registered: 2005-02-06
Posts: 386

Re: mplayer security issues

Relax man, I didn't flag it out-of-date...

I assumed that it was flagged because of this security issue, though.
In any case, if the dev hasn't picked it up from there, I have my doubts they will react to a bug report.
In any case, I will file a report later, if I get to it.

Don't jump all over me.
Cheers,
Blind

PS:
http://bugs.archlinux.org/task/9474

Last edited by Blind (2008-02-05 20:15:52)

#8 2008-02-05 20:20:38

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,839

Re: mplayer security issues

Blind wrote:

In any case, if the dev hasn't picked it up from there, I have my doubts they will react to a bug report.

Here's the difference - we don't always have time to read the forum. We do, however, make a point of evaluating every bug report posted. The bugtracker also provides a more structured way of communicating, discussing and tracking issues.

#9 2008-02-05 20:26:46

Blind
Member
From: Desert mountain
Registered: 2005-02-06
Posts: 386

Re: mplayer security issues

Well, I understand, and it sounds alright to me.
I shouldn't have assumed it was flagged out of date today because of the security issues. That assumption was based on:
1. I know the dev gets an email when things are flagged out of date, thus allowing for a direct notification, maybe quicker action (when the comment says: security problem)?
2. Why wasn't it unflagged, when this happened a month ago?

Alright, next time I will go right ahead to the bugtracker.

Cheers,
Blind

#10 2008-02-05 21:50:27

shining
Pacman Developer
Registered: 2006-05-10
Posts: 2,043

Re: mplayer security issues

Perfect, thanks. Now your task as a user is done, and we let the dev worry about it :)



#11 2008-02-05 21:58:28

yabbadabbadont
Member
Registered: 2008-01-19
Posts: 22

Re: mplayer security issues

I would assume that the devs would be subscribed to the security lists for the packages that they maintain.  Is this not generally the case with Arch?

(I'm not trolling.  I'm genuinely interested in the information.)

#12 2008-02-06 00:26:44

Blind
Member
From: Desert mountain
Registered: 2005-02-06
Posts: 386

Re: mplayer security issues

I guess they do. On the other hand, they usually have LOTS of packages at their hands...
I give the dev a lot of credit, 'cause mplayer is a b*&ch to compile.
But it is the best player/encoder there is, imho.

Cheers,
Blind

#13 2008-02-13 05:49:46

jason
Member
From: /dev/null
Registered: 2003-01-13
Posts: 102

Re: mplayer security issues

There used to be a security group for Archlinux.  I wonder what happened.  I wouldn't mind helping out if there is a need for a security group again.

#14 2008-02-18 23:31:53

yabbadabbadont
Member
Registered: 2008-01-19
Posts: 22

Re: mplayer security issues

The mplayer package in Extra has still not been patched with the latest security updates even though they were released almost a month ago.

What is even worse, is that the PKGBUILD in cvs for mplayer uses an ftp url in the source array that requires a non-anonymous login... so makepkg cannot download the sources.  Someone dropped the ball on this one.

#15 2008-02-18 23:54:22

fwojciec
Member
Registered: 2007-05-20
Posts: 1,411

Re: mplayer security issues

Personally I don't really think it's such a huge issue -- but what do I know...  Anyways, I've made a PKGBUILD that should take care of those security issues in case anyone feels really strongly about this.

# $Id: PKGBUILD,v 1.15 2008/01/01 12:18:31 andyrtr Exp $
# Maintainer: Thomas Bächler <thomas@archlinux.org>
pkgname=mplayer
pkgver=1.0rc2
pkgrel=3
pkgdesc="A movie player for linux"
arch=(i686 x86_64)
depends=('libxxf86dga' 'libxv' 'libmad' 'libungif' 'cdparanoia' 'gtk2'
         'sdl' 'lame' 'libtheora' 'xvidcore'
         'libgl' 'smbclient' 'aalib' 'jack-audio-connection-kit'
         'x264>=20070616' 'faac' 'lirc-utils')
license=('GPL')
url="http://www.mplayerhq.hu/"
makedepends=('libcaca' 'unzip' 'live-media' 'libdca')
backup=('etc/mplayer/codecs.conf' 'etc/mplayer/input.conf')
source=(http://www.mplayerhq.hu/MPlayer/releases/MPlayer-${pkgver}.tar.bz2
        ftp://ftp1.mplayerhq.hu/MPlayer/skins/Blue-1.7.tar.bz2
        http://www.mplayerhq.hu/MPlayer/patches/stream_cddb_fix_20080120.diff
        http://www.mplayerhq.hu/MPlayer/patches/url_fix_20080120.diff
        http://www.mplayerhq.hu/MPlayer/patches/demux_mov_fix_20080129.diff
        http://www.mplayerhq.hu/MPlayer/patches/demux_audio_fix_20080129.diff)
        #MPlayer-1.0rc1-gnome-screensaver.patch)
md5sums=('7e27e535c2d267637df34898f1b91707'
         'e4e2020d11b681aac898103b3ba723c4'
         'c7d1bcdd61fcceb7598d61fe2213c587'
         '6a2c124586e1e6c44ae4ca1b4be9b6e4'
         'ce999929155f509a3e6bee41d9d613ed'
         '320af7daa1b248ee8e8c15d34d7923e3')

build() {
  cd $startdir/src/MPlayer-${pkgver}

  # Custom CFLAGS break the mplayer build
  unset CFLAGS

  # Add support for gnome screensaver (patch disabled)
  #patch -p1 -i ../MPlayer-1.0rc1-gnome-screensaver.patch || return 1

  # Security fixes published by upstream on 2008-01-20 and 2008-01-29;
  # abort the build if any of them fails to apply
  patch -Np0 -i ../stream_cddb_fix_20080120.diff || return 1
  patch -Np0 -i ../url_fix_20080120.diff || return 1
  patch -Np0 -i ../demux_mov_fix_20080129.diff || return 1
  patch -Np0 -i ../demux_audio_fix_20080129.diff || return 1

  cd $startdir/src/MPlayer-${pkgver}

  ./configure --prefix=/usr --enable-gui --disable-arts --enable-x11 \
      --enable-runtime-cpudetection --confdir=/etc/mplayer --disable-nas \
      --enable-gl --enable-tv-v4l1 --enable-tv-v4l2 --enable-largefiles \
      --disable-liblzo --disable-speex --disable-openal \
      --disable-fribidi --disable-libdv --disable-musepack \
      --language=all --disable-dvdnav --disable-esd --disable-mga \
      --with-extraincdir=/usr/lib/live-media

  [ "$CARCH" = "i686" ] &&  sed 's|-march=i486|-march=i686|g' -i config.mak

  make || return 1
  make -j1 DESTDIR=${startdir}/pkg install
  cp etc/{codecs.conf,input.conf,example.conf} ${startdir}/pkg/etc/mplayer/
  ln -s /usr/share/fonts/TTF/Vera.ttf ${startdir}/pkg/usr/share/mplayer/subfont.ttf
  rm -rf ${startdir}/pkg/usr/share/mplayer/font
  mv ${startdir}/src/Blue ${startdir}/pkg/usr/share/mplayer/skins/default
}

#16 2008-02-18 23:58:48

yabbadabbadont
Member
Registered: 2008-01-19
Posts: 22

Re: mplayer security issues

Looks almost identical to the one I have building now...  great minds I guess.  :D

I added more error checking and some informative messages.  I didn't include the "-N" option with patch, just "-p0".  I guess it is safer to include it.
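
Added example, not written by anyone in this thread: a small shell check of what the "-N" option discussed above does when a security fix is already present in the tree. The file names and contents are constructed, GNU patch and diff are assumed, and the "-t" (batch) run is an added contrast that goes beyond the options mentioned in the posts.

```shell
#!/bin/sh
# Added example with constructed files; assumes GNU patch and GNU diff.
# Applies a one-hunk fix, then applies the same diff a second time with the
# given flag, and reports "<first exit> <second exit> <fixed|reverted>".
apply_twice() {
  flag=$1
  work=$(mktemp -d) || return 2
  (
    cd "$work" || exit 2
    # Constructed "unfixed" source and its fixed counterpart.
    printf 'len = read_len(s);\ncopy(buf, src, len);\n' > demux.c
    printf 'len = read_len(s);\nif (len > MAX) return -1;\ncopy(buf, src, len);\n' > demux.c.new
    diff -u demux.c demux.c.new > fix.diff || true  # diff exits 1 when files differ
    rm demux.c.new                                 # only the patch target remains

    # First run applies the fix; second run sees an already-patched file.
    patch "$flag" -p0 -s -i fix.diff >/dev/null 2>&1 && rc1=0 || rc1=$?
    patch "$flag" -p0 -s -i fix.diff >/dev/null 2>&1 && rc2=0 || rc2=$?

    if grep -q 'len > MAX' demux.c; then state=fixed; else state=reverted; fi
    echo "$rc1 $rc2 $state"
  )
  rm -rf "$work"
}

# -N: the second run is skipped and exits non-zero, so "|| return 1" stops the build.
echo "-N: $(apply_twice -N)"
# -t: the second run assumes -R, removes the fix again and still exits 0.
echo "-t: $(apply_twice -t)"
```

With "-N" an already-applied fix makes patch fail loudly and leaves the fix in place, which pairs with the "|| return 1" in the PKGBUILD above; in batch mode the same situation quietly undoes the fix.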
