Falko Timme wrote some gorgeous tutorials on installing Linux and all the multimedia paraphernalia, but I wonder if the codecs that are to be installed have this security flaw fixed:
2006-12-31, Sunday :: buffer overflow in asmrp.c
posted by Roberto
The code mentioned in DSA 1244-1 is also included in MPlayer. A potential buffer overflow was found in the code used to handle RealMedia RTSP streams. When checking for matching asm rules, the code stores the results in a fixed-size array, but no boundary checks are performed. This may lead to a buffer overflow if the user is tricked into connecting to a malicious server. Since the attacker cannot write arbitrary data into the buffer, creating an exploit is very hard; but a DoS attack is easily made.
High (DoS and eventually arbitrary remote code execution under the user ID running the player) when setting up a RTSP session from a malicious server, null if you do not use this feature. At the time the buffer overflow was fixed there was no known exploit.
This is really weird. There are only a few lines to correct before compilation, and still, 5 months after this "High severity" flaw has been reported, it's still uncorrected at MPlayer's site. MPlayer suggests that the corrected files be named differently. Is this the case for the files Fedora, PCLinuxOS and Debian use?
Next, I would need some advice... but I hope this won't start a flame war.
I've used Slackware for more than 5 years now, but my health is not what it used to be and I don't feel much like reading the fuckin' manual anymore. I need a distro that's easier to maintain, but as safe and as solid.
I was thinking about Debian... but a LiveCD is really nice for proselytizing: newbies aren't too fond of ncurses interfaces for installation. Maybe Falko's suggestions for installation could work for Knoppix? Has anybody tried this? As a LiveCD, Knoppix 5.1 seems fairly solid and 5.2 should be out.... this summer.
Fedora is not maintained for very long and I don't care about cutting edge. I'd rather not reinstall or even update for at least 3 years. Also, I'm a KDE man.
PCLinuxOS doesn't specify for how long it will be maintained and I wonder if all these borrowings to different distros won't eventually make it flaky. I have no experience with those "nice little Linux distros", but my feeling until now has always been to stay with mainstream distros and stay away from those that might prove fly by night. (Do you remember Yoper?)
What's your experience?
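The advisory quoted above describes a classic defect: matching rule indices are appended to a fixed-size array with no check that the array still has room. The following is an added illustration of that pattern and its fix, written for this thread; it is not MPlayer's asmrp.c, and the rule structure, bandwidth threshold and MAX_RULE_MATCHES capacity are constructed to make the problem visible.

```c
#include <stdio.h>

#define MAX_RULE_MATCHES 4   /* constructed, deliberately small capacity */

/* Constructed rule: it matches when the client bandwidth is at least min_bw. */
struct asm_rule {
    int min_bw;
};

/* Vulnerable pattern: every matching rule index is appended without checking
 * that the fixed-size array has a free slot. If more than MAX_RULE_MATCHES
 * rules match (the rule set comes from the remote server), the writes run
 * past the end of `matches`, which is the buffer overflow the advisory names. */
int record_matches_unchecked(const struct asm_rule *rules, int nrules,
                             int bandwidth, int matches[MAX_RULE_MATCHES])
{
    int n = 0;
    for (int i = 0; i < nrules; i++)
        if (bandwidth >= rules[i].min_bw)
            matches[n++] = i;            /* no bound on n */
    return n;
}

/* Hardened form: stop once the array is full and report the truncation so the
 * caller can decide to reject the stream instead of silently using a partial
 * result. Only the bounds check is new; the matching logic is identical. */
int record_matches_checked(const struct asm_rule *rules, int nrules,
                           int bandwidth, int matches[MAX_RULE_MATCHES],
                           int *truncated)
{
    int n = 0;
    *truncated = 0;
    for (int i = 0; i < nrules; i++) {
        if (bandwidth < rules[i].min_bw)
            continue;
        if (n >= MAX_RULE_MATCHES) {     /* array full: refuse to write */
            *truncated = 1;
            break;
        }
        matches[n++] = i;
    }
    return n;
}

/* Constructed scenario: six rules all match a 1000 kbps client, but the
 * result array has only MAX_RULE_MATCHES slots. */
static int run_checked_scenario(int *truncated)
{
    struct asm_rule rules[6] = {{100}, {200}, {300}, {400}, {500}, {600}};
    int matches[MAX_RULE_MATCHES];
    return record_matches_checked(rules, 6, 1000, matches, truncated);
}

int scenario_checked_count(void)
{
    int t;
    return run_checked_scenario(&t);     /* 4: capped at the array size */
}

int scenario_checked_truncated(void)
{
    int t;
    run_checked_scenario(&t);
    return t;                            /* 1: caller is told data was dropped */
}

/* The unchecked version is only safe to call when the match count is known
 * to fit; here two of three rules match, so it stays within bounds. */
int scenario_unchecked_small(void)
{
    struct asm_rule rules[3] = {{100}, {5000}, {300}};
    int matches[MAX_RULE_MATCHES];
    return record_matches_unchecked(rules, 3, 1000, matches);   /* 2 */
}

int main(void)
{
    int truncated;
    int n = run_checked_scenario(&truncated);
    printf("checked: recorded %d matches, truncated=%d\n", n, truncated);
    printf("unchecked (in-bounds input): %d matches\n", scenario_unchecked_small());
    return 0;
}
```

The point for patching: the fix is a single comparison before the store, which is why the post above is right that there are only a few lines to correct; what matters is that the caller treats a truncated result as an error rather than a partial success.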