[MPlayer-dev-eng] Attack by subtitles - from subtitles to complete takeover
Compn
tempn at mi.rr.com
Mon May 29 17:14:18 EEST 2017
On Mon, 29 May 2017 00:20:09 +0200, Ingo Brückl <ib at wupperonline.de>
wrote:
> Does anyone know or can estimate whether MPlayer is affected by
mplayer is not affected.
wm4 reported that mpv is also not affected
[15:52] <wm4> mpv + subliminal script is apparently not affected
from the blog post:
> http://blog.checkpoint.com/2017/05/23/hacked-in-translation/,
> Some media players download subtitles automatically; these repositories hold extensive potential for attackers.
mplayer does not download subtitles automatically, which is what this
vector targeted.
imo opensubtitles website should sanitize their subtitle repository to
avoid vectors like this in the future.
> particularly by any overflows as mentioned in
> https://news.ycombinator.com/item?id=14408859?
from that post:
>The Kodi issue was a zip archive path traversal (i.e. no protection against zip files extracting files to parent directories).
mplayer does not look for subtitles in zip / archives either , so this
vector is not applicable.
-compn
More information about the MPlayer-dev-eng
mailing list