[MPlayer-dev-eng] VIA Mplayer fork
Amaury Jacquot
sxpert at esitcom.org
Mon Feb 7 11:22:19 CET 2005
Jiri Svoboda wrote:
> Hi,
> just for info - VIA forked MPlayer for their CLE266 architecture...
>
> http://sourceforge.net/projects/vemp
yeah, and as Ivor Hewitt already said in the Unichrome mailing list...
Begin Quote
-----
So now they've forked MPlayer. Smart. Super super smart.
Pity it not only relies on the insecure VIA binaries..... but since
they've taken a snapshot of MPlayer1pre5 it also contains these
vulnerabilities:-
* potential heap overflow in Real RTSP streaming code
* potential stack overflow in MMST streaming code
* multiple buffer overflows in BMP demuxer
* potential heap overflow in pnm streaming code
* potential buffer overflow in mp3lib
So you have a combination of running an app as root, using binary
drivers that contain potential memory access vulnerabilities, and not
only that, the app in question contains well-known exploitable
vulnerabilities.
And the diff.....
Shipping a tarball containing configure generated ".h" and ".mak" files.
very slick. and .bak files. nice.
Patching the base X11 and FB vo modules with "vmi_" additions rather
than adding new video out drivers. nice.
Not quite as ugly as the VeXP xine fork, but pretty close.
Still I expect another big PR push and loads of press releases
announcing a new Linux media player.... and lots of effort to get
people back onto the VIA binary drivers.
Now will they announce in the same fashion as VeXP? "Both MPlayer and
VIA developers have been working hard to bring you VeMP". Somehow I
doubt it.
Now will there be VeMYTH ?
-------