[MPlayer-users] The djb bughunt
Reimar Döffinger
Reimar.Doeffinger at stud.uni-karlsruhe.de
Fri Dec 24 12:22:07 CET 2004
Hi!
> Djb had a Unix security course in this semester
> (http://cr.yp.to/2004-494.html). For completing the course, students had
> to find security holes in existing Unix sotfware. One of them, Ariel
> Berkman, found a hole in mplayer. It's all described here:
>
> http://tigger.uic.edu/~jlongs2/holes/mplayer.txt
>
> though the "proof of concept" code is not included.
>
> The above doc seems to be a mail sent to this list, however, I couldn't
> find it in the archives (and no previous mention of this bug, at least,
> searching for djb or bernstein gave nothing). I suppose djb is not
> subscribed to this list, and thus his mail was dropped.
Yes, it didn't arrive here - luckily. -users is absolutely the worst
list to send this to, who ever did this didn't do much thinking before.
Instead we got this and others from iDefense in private (actually Diego
got them), just as the xine people (though every one got only half of
the vulnerabilities, so we had to do some "sharing" ;-) ).
These are of course fixed in pre5try2 and pre6 (and rc8 of xine-lib).
Greetings,
Reimar Döffinger
More information about the MPlayer-users
mailing list