[MPlayer-dev-eng] buffer overflow of the month
Diego Biurrun
diego at biurrun.de
Thu Aug 25 20:12:51 CEST 2005
On Thu, Aug 25, 2005 at 01:24:18PM -0400, The Wanderer wrote:
> Diego Biurrun wrote:
>
> >On Thu, Aug 25, 2005 at 06:04:33PM +0200, Attila Kinali wrote:
> >
> >>Sascha just posted the "advisory" of a german one man security
> >>company on IRC:
> >>http://www.sven-tantau.de/public_files/mplayer/mplayer_20050824.txt
>
> >>Can someone confirm whether this is a normal sig11 or something
> >>more serious ? If it's just a sig11 i would like to post a news
> >>entry on the webpage as soon as possible to
> >>1) Tell people that it is not exploitable
> >>2) Tell people that we haven't been contacted
> >
> >You barely beat me to posting to dev-eng and this is exactly what I
> >had planned. I assume this guy contacted /dev/null, otherwise we
> >would have reacted quickly as usual. If he is really lying about
> >contacting any of us he deserves to be flamed to a cinder on the
> >homepage.
>
> On the date cited in that text file for 'vendor contacted', there is a
> post by someone with the name cited in 'issue found by' on -users which
> appears at a glance to contain the same information as the text file. I
> don't know why there was no reaction (people were busy and didn't notice
> it?), but he does not appear to be lying.
That's not what I understand by the term "vendor contacted" (what's a vendor
anyway in this context). I expect him to contact some developer _privately_
before posting to a public place like -users.
I think it's time we made some sort of security policy available, so this
does not happen again (or at least we get to flame them harder for extra
stupidity).
Diego
More information about the MPlayer-dev-eng
mailing list