HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > Linux Forums > HOWTO-Related Questions

  #1  
6th June 2007, 19:46
Bernard
Junior Member
Join Date: Jun 2007
Posts: 9

MPlayer security: everything fixed? And... again, which distro?

Falko Timme wrote some gorgeous tutorials on installing Linux and all the multimedia paraphernalia, but I wonder if the codecs that are to be installed have this security flaw fixed:

http://www.mplayerhq.hu/design7/news.html

2006-12-31, Sunday :: buffer overflow in asmrp.c
posted by Roberto
Summary

The code mentioned in DSA 1244-1 is also included in MPlayer. A potential buffer overflow was found in the code used to handle RealMedia RTSP streams. When checking for matching asm rules, the code stores the results in a fixed-size array, but no boundary checks are performed. This may lead to a buffer overflow if the user is tricked into connecting to a malicious server. Since the attacker cannot write arbitrary data into the buffer, creating an exploit is very hard; but a DoS attack is easily made.

Severity

High (DoS and eventually arbitrary remote code execution under the user ID running the player) when setting up a RTSP session from a malicious server, null if you do not use this feature. At the time the buffer overflow was fixed there was no known exploit.

-----------------------------

This is really weird. There are only a few lines to correct before compilation, and still, 5 months after this "High severity" flaw has been reported, it's still uncorrected at MPlayer's site. MPlayer suggests that the corrected files be named differently. Is this the case for the files Fedora, PCLinuxOS and Debian use?

Next, I would need some advice... but I hope this won't start a flame war.


I've used Slackware for more than 5 years now, but my health is not what it used to be and I don't feel much like reading the fuckin' manual anymore. I need a distro that's easier to maintain, but as safe and as solid.

I was thinking about Debian... but a LiveCD is really nice for proselytizing: newbies aren't too fond of ncurses interfaces for installation. Maybe that Falko's suggestions for installation could work for Knoppix? Has anybody tried this? As a Live-CD, Knoppix 5.1 seems fairly solid and 5.2 should be out.... this summer.

Fedora is not maintained for very long and I don't care about cutting edge. I'd rather not reinstall or even update for at least 3 years. Also, I'm a KDE man.

PCLinuxOS doesn't specify for how long it will be maintained and I wonder if all these borrowings to different distros won't eventually make it flaky. I have no experience with those "nice little Linux distros", but my feeling until now has always been to stay with mainstream distros and stay away from those that might prove fly by night. (Do you remember Yoper?)

What's your experience?

Regards!

Bernard

Last edited by Bernard; 6th June 2007 at 19:49.
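To make the advisory quoted in the post above concrete, here is a toy model of the flaw it describes: a matcher that stores the index of every applicable ASM rule into a fixed-size array without checking for room, next to a bounds-checked rewrite. This is example code added for this page, not MPlayer's asmrp.c; the rule syntax it understands (";"-separated rules, each optionally guarded by "#($Bandwidth OP N)"), the array size of 16, and both sample rule books are assumptions made for the illustration.

```c
/* Added example, not MPlayer's asmrp.c: toy model of the ASM rule matcher the advisory describes. */
#include <stdio.h>
#include <string.h>

#define MAX_RULEMATCHES 16   /* the fixed-size result array (size is an assumption) */
/* Constructed rule book in RealMedia ASM style; not captured from any server. */
const char BENIGN_RULES[] =
    "#($Bandwidth < 67959),TimestampDelivery=T,DropByN=T,priority=9;"
    "#($Bandwidth >= 67959),AverageBandwidth=67959,Priority=9;"
    "#($Bandwidth >= 150000),AverageBandwidth=150000,Priority=9;";

/* Evaluate a "$Bandwidth OP N" guard of len bytes; anything else does not apply. */
static int cond_holds(const char *c, size_t len, long bw)
{
    char buf[64], op[3], extra;
    long v;
    if (len >= sizeof buf) return 0;
    memcpy(buf, c, len); buf[len] = '\0';
    if (sscanf(buf, " $Bandwidth %2[<>=] %ld %c", op, &v, &extra) != 2) return 0;
    if (!strcmp(op, "<"))  return bw < v;
    if (!strcmp(op, "<=")) return bw <= v;
    if (!strcmp(op, ">"))  return bw > v;
    if (!strcmp(op, ">=")) return bw >= v;
    return !strcmp(op, "==") && bw == v;
}

/* A rule applies when it has no "#(...)" guard or its guard holds. */
static int rule_applies(const char *r, size_t len, long bw)
{
    if (len < 2 || r[0] != '#' || r[1] != '(') return 1;
    const char *close = memchr(r + 2, ')', len - 2);
    return close ? cond_holds(r + 2, (size_t)(close - r - 2), bw) : 0;
}

/* Step through the ';'-separated rule book, skipping empty entries. */
static int next_rule(const char **cur, const char **rule, size_t *len)
{
    for (const char *p = *cur; *p != '\0';) {
        const char *semi = strchr(p, ';');
        size_t n = semi ? (size_t)(semi - p) : strlen(p);
        const char *nxt = semi ? semi + 1 : p + n;
        if (n > 0) { *rule = p; *len = n; *cur = nxt; return 1; }
        p = nxt;
    }
    return 0;
}

/* The flaw as described: indices of applicable rules go into a caller array of
 * MAX_RULEMATCHES ints with no room check, so more applicable rules overrun it. */
int asm_match_unsafe(const char *rules, long bw, int *matches)
{
    const char *cur = rules, *r; size_t len; int idx = 0, n = 0;
    while (next_rule(&cur, &r, &len)) {
        if (rule_applies(r, len, bw)) matches[n++] = idx;   /* n is never bounded */
        idx++;
    }
    return n;
}

/* Bounds-checked rewrite: the caller states the capacity, and a rule book with
 * more applicable rules than fit is rejected (-1) instead of overrunning. */
int asm_match_safe(const char *rules, long bw, int *matches, size_t cap)
{
    const char *cur = rules, *r; size_t len, n = 0; int idx = 0;
    while (next_rule(&cur, &r, &len)) {
        if (rule_applies(r, len, bw)) {
            if (n >= cap) return -1;
            matches[n++] = idx;
        }
        idx++;
    }
    return (int)n;
}

/* Constructed hostile rule book: count rules that apply at any bandwidth >= 0,
 * the kind of input only a malicious server would send. Returns 0 on success. */
int build_hostile_rules(char *buf, size_t cap, int count)
{
    size_t used = 0;
    for (int i = 0; i < count; i++) {
        int w = snprintf(buf + used, cap - used, "#($Bandwidth >= 0),Priority=9;");
        if (w < 0 || (size_t)w >= cap - used) return -1;
        used += (size_t)w;
    }
    return 0;
}

int main(void)
{
    int m[MAX_RULEMATCHES], big[64];
    char hostile[2048];
    printf("benign book at 200000 bit/s: %d applicable rule(s)\n",
           asm_match_safe(BENIGN_RULES, 200000, m, MAX_RULEMATCHES));
    if (build_hostile_rules(hostile, sizeof hostile, 40) != 0) return 1;
    printf("hostile book: %d applicable rules, array holds %d; bounds-checked matcher returns %d\n",
           asm_match_safe(hostile, 200000, big, 64), MAX_RULEMATCHES,
           asm_match_safe(hostile, 200000, m, MAX_RULEMATCHES));
    return 0;
}
```

The benign book yields at most a handful of matches, so the unchecked matcher never misbehaves on it; the 40-rule hostile book is what a malicious RTSP server would send, and only the version that knows its array's capacity refuses it. Rejecting the stream outright (rather than silently truncating) is the safer choice here, since the stream is already evidence of a hostile peer.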
  #2  
6th June 2007, 20:32
volksman
Senior Member
Join Date: May 2007
Posts: 124

Hey Bernard!

Not sure about the mplayer thing. Depends on where the codecs are being installed from.

As for distros... Slackware used to be my distro of choice. Still kinda is if I want to take the time to do everything from scratch... But like you, time is limited and I just want stuff to work.

Try Kubuntu. Ubuntu is my personal fav right now...It's just TOO easy to use and make things work in.

Knoppix does kick minor ass too...I use it on a USB key to rescue machines at work. Very very handy OS. But not something I would want full time...Plus I'm a bit of a Gnome fan....

It all boils down to personal preference but ubuntu has their stuff together for the most part. I've never had such an easy time on the GNU side as I have with Ubuntu.
  #3  
6th June 2007, 21:06
Bernard
Junior Member
Join Date: Jun 2007
Posts: 9

Quote:
Originally Posted by volksman
Not sure about the mplayer thing. Depends on where the codecs are being installed from.
Indeed. And, since we're on an HOWTOFORGE forum, what I'm wondering is if Falko has checked his sources for this fix.

Thanks for your distro suggestions. I wonder if anybody here with some Debian and/or Slackware experience has installed PCLinuxOS.
  #4  
7th June 2007, 16:10
falko
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701

Quote:
Originally Posted by Bernard
Indeed. And, since we're on an HOWTOFORGE forum, what I'm wondering is if Falko has checked his sources for this fix.
No, I haven't checked.

Quote:
Originally Posted by Bernard
I wonder if anybody here with some Debian and/or Slackware experience has installed PCLinuxOS.
Yes, I've tried it.
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
  #5  
7th June 2007, 21:44
Bernard
Junior Member
Join Date: Jun 2007
Posts: 9

Which means that since Automatix installs

# Multimedia Codecs

the_perfect_desktop_debian_etch_p5.html

you trust people from Automatix instead of Christian Marillat at debian-multimedia.org to check. I don't know... maybe Automatix also makes installation easier, but adding an outside source for an installer that apparently installs its own sources in sources.list doesn't appeal much to me.

I'm glad to hear you've tried PCLinuxOS.
  #6  
8th June 2007, 19:01
falko
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701

Quote:
Originally Posted by Bernard
you trust people from Automatix instead of Christian Marillat at debian-multimedia.org to check. I don't know... maybe Automatix also makes installation easier, but adding an outside source for an installer that apparently installs its own sources in sources.list doesn't appeal much to me.
Err... Automatix installs the multimedia codecs from debian-multimedia.org. You can check /etc/apt/sources.list afterwards, you'll find the debian-multimedia.org repository there.
  #7  
9th June 2007, 01:53
Bernard
Junior Member
Join Date: Jun 2007
Posts: 9

Quote:
Originally Posted by falko
Err... Automatix installs the multimedia codecs from debian-multimedia.org. You can check /etc/apt/sources.list afterwards, you'll find the debian-multimedia.org repository there.
I feel better. But then, what's the advantage of Automatix over Synaptic? Why not keep Debian all Debian? Then, if any problem occurs, you know where to knock.
  #8  
9th June 2007, 12:14
falko
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701

Automatix doesn't use repositories for all packages it supports, e.g. Google Earth or Picasa. That's why I use Automatix and not the repositories. And it saves you time.
BTW, you can't make Windows users convert to Linux if you tell them that they have to add repositories manually on the command line. Automatix is far better for such users.