[MPlayer-DOCS] [homepage]: r2955 - trunk/src/news.src.en

The Wanderer inverseparadox at comcast.net
Tue Jun 5 23:59:12 CEST 2007


rtogni wrote:

> Author: rtogni
> Date: Tue Jun  5 23:08:58 2007
> New Revision: 2955
> 
> Log:
> Security advisory for cddb bug

A bit of proofreading, some of it duplicate...

> +<h3>Summary</h3>
> +
> +<p>
> +A stack overflow was found and reported by Stefan Cornelius of Secunia
> +Researchin in the code used to handle cddb queries. Two other similar issues

"Research in"

> +<h3>Severity</h3>
> +
> +<p>
> +High (arbitrary remote code execution under the user ID running the player)
> +when getting disk information from a malicious cddb entry, null if you do not
> +use this feature. Please note that is possible to overwrite entries in the cddb
> +database, so an attack can be performed also via a non-compromised server.

"can also be performed"

> +<p>
> +If case you can't upgrade or apply the suggested patch, these are some possible
> +workarounds:

"In case"

> +<ul>
> +	<li>Don't use cddb:// urls (be careful also with playlists)</li>

"URLs"

Might want to rephrase the parenthetical part, but since this is
transient news rather than permanent documentation I think it's
ignorable.

> +<p>
> +Please note that we are not releasing an updated tarball with this fix at this
> +moment.<br>

Either "at the moment" or "at this time" is more common and so would
probably sound better.

> +If you need to stay with 1.0rc1, get the MPlayer 1.0rc1 tarball,
> +apply the patch with the fix and recompile MPlayer; else upgrade to SVN.<br>

"else" -> "otherwise,"

Alternately, we could say something like "If possible, however, we
recommend that you upgrade to SVN."


There is an odd flow issue in the first sentence resulting from the fact
that commas are being used both to separate the list of steps from the
first part of the sentence and to separate the different steps in the
list; I don't see an easy way to fix it offhand.

> +If you decide to stay with rc1, don't forget to apply also this
> +<a href="http://www.mplayerhq.hu/MPlayer/patches/asmrules_fix_20061231.diff">older fix.</a>

"also apply"

-- 
       The Wanderer

Warning: Simply because I argue an issue does not mean I agree with any
side of it.

Secrecy is the beginning of tyranny.



More information about the MPlayer-DOCS mailing list