[MPlayer-users] When do I *have to* update MPlayer?

Jonathan Isom jeisom at gmail.com
Thu Nov 24 19:25:43 CET 2011


On Thu, Nov 24, 2011 at 10:01 AM, Manuel Reimer
<Manuel.Spam at nurfuerspam.de> wrote:
> Carl Eugen Hoyos wrote:
>>>
>>> Is this version vulnerable to serious security holes?
>>
>> At least one such exploit is known, yes.
>> (Search for "assisted discovery of vulnerabilities yamaguchi")
>
> Seems to be:
> http://www.usenix.org/events/woot11/tech/final_files/Yamaguchi.pdf
>
> But this (in my opinion) has a few restrictions if it gets to code
> execution. Is this really a dangerous hole which could be exploited from web
> if MPlayer is used inside the browser?
>
>> It is said not to be reproducible with current MPlayer svn.
>
> So anything but the current SVN is vulnerable to a security hole where it is
> known that code execution will work?
>
>>> When do I *have to* update my MPlayer? I'm using MPlayer inside my
>>> browser!
>>
>> I think you are the only one who can answer that.
>
> I only want to update if there is a reason for that. My idea was to trust
> the distributor (Slackware in this case) but as updates are really rare on
> Slackware, I feared to be actually vulnerable to something, so I asked here.
>
> Is it possible to harden MPlayer? I don't need a player which plays anything
> but the kitchen sink. It would be enough to be able to play the common
> formats used on websites.
>
>> I may misunderstand the question: Whenever you update MPlayer, FFmpeg is
>> also updated. So whenever FFmpeg receives (for you) important updates, you
>> should update MPlayer.
>
> Is it possible to separate both and have FFMPEG as separate dynamically
> linked library?

Yeah, I believe most distros package it this way.  However it isn't recommended
by the developers.  It is easier for all features that you want/need to just
compile MPlayer statically with FFMPEG.


> Why was there no announcement about the possible security problem on the
> "announce" list? Why don't you roll a new release if the old one has a known
> hole?

Most projects/people call svn bleeding edge.  MPlayer developers call
svn stable :)

>
> Yours
>
> Manuel