MPlayer security: everything fixed? And... again, which distro?

[Bernard]

Falko Timme wrote some gorgeous tutorials on installing Linux and all the multimedia paraphernalia, but I wonder if the codecs that are to be installed have this security flaw fixed:

http://www.mplayerhq.hu/design7/news.html

2006-12-31, Sunday :: buffer overflow in asmrp.c
posted by Roberto
Summary

The code mentioned in DSA 1244-1 is also included in MPlayer. A potential buffer overflow was found in the code used to handle RealMedia RTSP streams. When checking for matching asm rules, the code stores the results in a fixed-size array, but no boundary checks are performed. This may lead to a buffer overflow if the user is tricked into connecting to a malicious server. Since the attacker cannot write arbitrary data into the buffer, creating an exploit is very hard; but a DoS attack is easily made.

Severity

High (DoS and eventually arbitrary remote code execution under the user ID running the player) when setting up a RTSP session from a malicious server, null if you do not use this feature. At the time the buffer overflow was fixed there was no known exploit.

-----------------------------

This is really weird. There are only a few lines to correct before compilation, and still, 5 months after this "High severity" flaw has been reported, it's still uncorrected at MPlayer's site. MPlayer suggests that the corrected files be named differently. Is this the case for the files Fedora, PCLinuxOS and Debian use?

Next, I would need some advice... but I hope this won't start a flame war.


I've used Slaclware for more than 5 years now, but my health is not what it used to be and I don't feel much like reading the fuckin' manual anymore. I need a distro that's easier to maintain, but as safe and as solid.

I was thinking about Debian... but a LiveCD is really nice for proselytizing: newbies aren't too fond of ncurses interfaces for installation. Maybe that Falko's suggestions for installation could work for Knoppix? Has anybody tried this? As a Live-CD, Knoppix 5.1 seems fairly solid and 5.2 should be out.... this summer.

Fedora is not maintained for very long and I don't care about cutting edge. I'd rather not reinstall or even update for at least 3 years. Also, I'm a KDE man.

PCLinuxOS doesn't specify for how long it will be maintained and I wonder if all these borrowings to different distros won't eventually make it flaky. I have no experience with those "nice little Linux distros", but my feeling until now has always been to stay with mainstream distros and stay away from those that might prove fly by night. (Do you remember Yoper?)

What's your experience?

Regards!

Bernard

[volksman]

Hey Bernard!

Not sure about the mplayer thing. Depends on where the codecs are being installed from.

As for Distro's....Slackware used to be my distro of choice. Still kinda is if I want to take the time to do everything from scratch...But like you time is limited and I just want stuff to work.

Try Kubuntu. Ubuntu is my personal fav right now...It's just TOO easy to use and make things work in.

Knoppix does kick minor ass too...I use it on a USB key to rescue machines at work. Very very handy OS. But not something I would want full time...Plus I'm a bit of a Gnome fan....

It all boils down to personal preference but ubuntu has their stuff together for the most part. I've never had such an easy time on the GNU side as I have with Ubuntu.

[Bernard]

Quote:

Originally Posted by volksman

Not sure about the mplayer thing. Depends on where the codecs are being installed from.

Indeed. And, since we're on an HOWTOFORGE forum, what I'm wondering is if Falko has checked his sources for this fix.

Thanks for your distro suggestions. I wonder if anybody here with some Debian and/or Slackware experience has installed PCLinuxOS.

[falko]

Quote:

Originally Posted by Bernard

Indeed. And, since we're on an HOWTOFORGE forum, what I'm wondering is if Falko has checked his sources for this fix.

No, I haven't checked.

Quote:

Originally Posted by Bernard

I wonder if anybody here with some Debian and/or Slackware experience has installed PCLinuxOS.

Yes, I've tried it.

[Bernard]

Which means that since Automatix installs

# Multimedia Codecs

the_perfect_desktop_debian_etch_p5.html

you trust people from Automatix instead of Christian Marillat at debian-multimedia.org to check. I don't know... maybe Automatix also makes installation easier, but adding an outside source for an installer that apparently installs its own sources in sources.list doesn't appeal much to me.

I'm glad to hear you've tried PCLinuxOS

[falko]

Quote:

Originally Posted by Bernard

you trust people from Automatix instead of Christian Marillat at debian-multimedia.org to check. I don't know... maybe Automatix also makes installation easier, but adding an outside source for an installer that apparently installs its own sources in sources.list doesn't appeal much to me.

Err... Automatix installs the multimedia codecs from debian-multimedia.org. You can check /etc/apt/sources.list afterwards, you'll find the debian-multimedia.org repository there.

[Bernard]

Quote:

Originally Posted by falko

Err... Automatix installs the multimedia codecs from debian-multimedia.org. You can check /etc/apt/sources.list afterwards, you'll find the debian-multimedia.org repository there.

I feel better But then, what's the advantage of Automatix over Synaptic. Why not keep Debian all Debian? Then, if any problem occurs, you know where to knock.

[falko]

Automatix doesn't use repositories for all packages it supports, e.g. Google Earth or Picasa. That's why I use Automatix and not the repositories. And it saves you time.
BTW, you can't make windows users convert to Linux if you tell them that htey have to add repositories manually on the command line. Automatix is far better for such users.