News
Multiple vulnerabilities were discovered in MPlayer by iDEFENSE, and
more were found by us while reviewing the code:
- potential heap overflow in Real RTSP streaming code (patch)
- potential stack overflow in MMST streaming code (patch)
- multiple buffer overflows in BMP demuxer (patch)
- potential heap overflow in pnm streaming code (patch)
- potential buffer overflow in mp3lib (patch)
All issues affect both MPlayer 1.0pre5 and current CVS versions.
MPlayer 0.93 is obsolete and was not checked nor fixed.
All problems were fixed, and the BMP demuxer was also disabled because it's
useless and requires further analysis to be totally safe.
- 1.0pre5 users: upgrade to 1.0pre5try2 or apply this cumulative patch
- CVS users: cvs update
An updated CVS build for Windows users is also available.
Detailed advisory will follow.
MPlayer 1.0pre5try2 can be downloaded from the following locations:
MD5SUM: 724c905a8dddb7e8ec9722fc585f833d
MPlayer has won the
Linux New Media Award 2004
in the category "Best Media Player". The award is organized by the
Linux New Media AG and the jury
consists of about 150 respected community members.
MPlayer got 29.8% of the votes, beating xine
(24.2%) and XMMS (23.4%) making this the second
win in a row. Detailed results can be found on the
German award page.
The MPlayer team will be represented at
SUCON '04
by at least Alex Beregszaszi, Roberto Togni, Jonas Jermann and Diego Biurrun.
SUCON is the Swiss Unix Conference held September 2-4, 2004 at the Technopark
in Zürich, Switzerland. From the description at their homepage:
SUCON is an emerging conference focused on topics related to the Unix operating
system. Our goal is to bring together developers, system administrators and
users in the field of Unix to foster projects, ideas and the knowledge of
every individual.
Alex will give a talk about MPlayer on Friday, so if you are interested in
MPlayer or would like to meet some of us and happen to be in the area, drop
by.
Update
Also present are Mike Melanson from
xine
and Samuel Hocevar from
VideoLAN.
They will be giving presentations as well and we will all be holding a
multimedia birds-of-a-feather session together on Saturday.
Update 2
Some recorded talks
have been made available. The talks by Mike Melanson and Alex Beregszaszi
are among them.
One of the hard drives in our project server is failing and needs to be
replaced. Since it is part of a RAID1 array and performance suffers a lot when
running RAID1 with different geometry drives we need either the same model
as replacement or two new IDE drives. The drive is an IBM IC35L040AVER07-0
40GB IDE drive.
If you have such a drive or a pair of new drives lying around or are willing
to buy it for us, please contact our admin
Arpad Gereöffy
and send the drive to him.
Update
We have received a DTLA305040 in donation from Stefan Seyfried (Thank you!)
and Sascha Sommer exchanged it for his IC35L040AVER07, which is now in the
project server. Also many thanks to the other people who offered help.
Once again after a long delay we are proud and happy to present you our latest
release. Tons of new features and bug fixes were included, many during a big
hacking session at LinuxTag 2004. The pending patch queue has been greatly
reduced and as usual we expect to make the next release in a more timely
fashion ;-)
Since you already know about the name change, the
most important change is the security-relevant string handling code audit.
Read the details in the relevant advisory.
If you haven't upgraded to a CVS snapshot already, upgrade to pre5 now.
Highlights of this release include improved Mac OS X and Windows support,
improved seeking in Real files, better MEncoder documentation with an
updated DVD ripping guide, streaming related bug fixes, fullscreen bug fixes,
a new unified ao_alsa ALSA audio output driver to replace ao_alsa9 and
ao_alsa1x, a JACK audio output driver and new icons for the GUI and menus.
Of course we also did the usual stuff like support for more codecs, new video
filters and bug fixes all over the place.
The codec packages have been updated and they now sport version numbers so you
can easily tell whether you have the latest one or not. Grab them if you are
interested in complete codec support.
Have fun...
MPlayer 1.0pre5: "LinuxTag release"
Name
- It's "MPlayer - The Movie Player" instead of
"MPlayer - The Movie Player for Linux" now.
Security
- complete review of string operations, buffer overflows fixed
DOCS
- small additions, corrections, updates all over the place
- audio output driver section added to the man page
- several bug fixes and improvements in the MEncoder documentation
- DVD ripping guide extended and improved
- AUTHORS file massively extended
- German man page partially updated
- Hungarian XML documentation translation started
Ports
- encrypted DVD playback on Windows fixed (again)
- Cygwin and MinGW now accept the same -dvd-device syntax
- LIVE.COM now works under MinGW
- foundations for MinGW crosscompilation
- disabled SSE on MinGW as it caused crashes
- AC3 passthrough for ao_win32
- improved vo_quartz (YUV, multiple screens support)
- vo_quartz made default on Mac OS X
- ao_macosx fixed and made default again on Mac OS X
- RealVideo binary codecs support on Mac OS X (still buggy)
- bigendian fixes in vf.c, vo_tga
- OpenBSD portability fixes
- OpenBSD/VAX support
- AMD64 support
Drivers
- support for more Radeons (9800 XT among them) in VIDIX
- Radeon related bug fixes in VIDIX
- vo_gl2 now supports GUI, fix for flickering borders in fullscreen
- support 24 and 32 bit PCM files, bigendian fixes
- ao_sdl now converts unsupported formats instead of quitting
- ENCA support
- merged ao_alsa9 and ao_alsa1x drivers into ao_alsa
- NeoMagic TV-out support through VESA
- JACK audio output driver
- vo_sdl fixes (wrong flags and screensaver disabling)
- vo_directx fixes
Decoders
- MSZH/ZLIB, FLI, QTRLE, RoQ video and RoQ audio support moved to FFmpeg
- FFmpeg Cinepak and CYUV decoders preferred
- audio format 0xff support (is AAC)
- "raw" audio in MOV supported
- Indeo audio (iac25) support via binary codec
- upgrade libfaad2 to the FAAD 2.0 release
- MPEG2 chroma422/444 support
- Winnov WINX and WNV1 support via binary codec
Demuxers
- Ogg subtitle handling and other bug fixes
- Matroska improvements
- support seeking in Real files without -idx
- support seeking in Real files without index with -forceidx
Streaming
- ASF, MMST streaming fixes
- URL escaping fixed
- NSA (Nullsoft audio) streaming support
- embedded RAM playlist support
- multibyte URL support
- rtp:// now supported even with LIVE.COM compiled in
- miscellaneous bug fixes
Filters
- vf_softskip: frame skipping filter for MEncoder
- vf_harddup: frame duplication filter for MEncoder
- vf_pullup minor fixes and improvements
- AltiVec-optimized YUV to RGB converter
- vf_spp memory corruption fix on reallocation
FFmpeg/libavcodec
- MPEG2 encoding with 8, 9, 10, 11 bit intra DC precision
- DC clipping fix, intra_dc_precision > 0 support
- Cinepak fixes and palette support
- support skipping of MB rows during decoding
- Vorbis in NUT fixed
- NUT updated to latest specification
- segfault and artifact fixes in SVQ3 decoder
- motion estimation code: overflow and chroma fixes
- change qscale -> lambda for the motion estimation
- noise preserving sum of squares comparison function in ME code
- fixed memory overwrite in truemotion decoder
- clip input motion vectors, better error tolerance on bad vectors
- FLAC decoder cleanup (partial demuxer/decoder separation)
- memalign hack for SSE/SSE2 on that alternative OS :)
- lots of AltiVec optimizations
- qscale + qprd fix
- QTrle4 support
- H.261 decoder
- coefficient saturation fix in H.263
- H.263 MCBPC fix
- per line lowpass filter in MMX and faster C lowpass filter
- SVQ1 encoder
- as usual, lots of bug fixes and optimizations
Others
- fullscreen fixes for many window managers
- fix crash on original Pentiums and older
- dvd://start-end support
- netstream (mpst://) support fixed
- support comments in plaintext playlists
- loader/ dependency removed
- keepaspect option extended to all video output drivers
- WMA to Ogg conversion and simple subtitle editing script added to TOOLS
- support for more lame options
- new set of GUI icons
- memory conserving implementation of GUI potmeters
- X11 code reindented
- further gcc 3.4 support fixes
- mixer API written for changing volume through libaf
- -rtc-device option for specifying the RTC device
- desktop/menu icon added
- miscellaneous bug fixes and cleanups
- multi-threaded encoding with lavc
- fixed a bug with Real files introduced in pre4
- -use-stdin renamed to -noconsolecontrols
MPlayer 1.0pre5 can be downloaded from the following locations. Please be kind
to our server and use one of our many mirrors.
MD5SUM: fbe6919eb025526e8ed129cd61a49969
This is a security only update for our outdated stable branch. It contains
a simple port of the fixes for the recent
GUI remote buffer overflow vulnerabilities
committed to the main MPlayer source tree.
This was done without a complete audit of the 0.90 branch of our code base
due to a lack of resources.
The 0.90 branch is long obsolete, there will be no further releases,
probably not even security fix releases. Therefore we strongly recommend
upgrading to MPlayer 1.0pre5 once it becomes available or a current CVS
snapshot.
MPlayer 0.93
Security:
- string operation buffer overflows fixed
MPlayer 0.93 can be downloaded from the following locations:
MD5SUM: 2ddd395cd1bc56559006398ef5105710
Summary
Multiple string vulnerabilities have been found and fixed in the MPlayer GUI
code, at least one of which was remotely exploitable.
Severity
High (arbitrary remote code execution under the user ID running the player) if
using the GUI to play certain types of playlist files, none when using only the
command line. The MPlayer GUI is optional and not built by default.
Solution
A fix for the vulnerability with the known exploit was checked into MPlayer CVS
on Wed, 2 June 2004 12:40:41 +0000 (UTC). The result of a thorough code audit
that uncovered further potentially exploitable bugs was checked into MPlayer CVS
on Fri, 25 June 2004 16:49:52 +0000 (UTC). All of this will be included in MPlayer
1.0pre5. Users of affected MPlayer versions should upgrade to latest CVS or MPlayer 1.0pre5
once it becomes available. Alternatively a patch for the
main and
0_90
MPlayer CVS versions is available that can be applied to the MPlayer source
tree.
Affected versions
MPlayer 1.0pre4 and before
MPlayer 0.92.1 and before
Unaffected versions
none
History
On Tue, 1 June 2004 MPlayer developers were contacted by
c0ntex who had found a string
handling vulnerability in the MPlayer GUI code complete with an example
exploit and a preliminary fix. That fix was checked into MPlayer CVS on
Wed, 2 June 2004 12:40:41 +0000 (UTC).
When playing certain types of playlist files with extremely long entries a
buffer overflow error occurs. This allows an attacker to overwrite memory with
specially crafted playlist files and execute arbitrary code under the user ID
running MPlayer.
Richard Felker started a general audit of the GUI code for further string
handling problems and uncovered a host of potential bugs, some of which were
probably exploitable. Nicholas Kain proceeded to do a full audit of the MPlayer
code for insecure string handling, which was finished by Alexander Strasser.
The result of this audit was checked into MPlayer CVS on
Fri, 25 June 2004 16:49:52 +0000 (UTC).
Since the first quick review of the GUI code immediately revealed several
potentially exploitable bugs we have refrained from publishing this advisory
until a thorough audit of the whole code was finished.
On Thu, 1 July 2004 11:22:29 (UTC) a simple port of the fixes was committed to
the 0_90 stable MPlayer source tree. This was done without a further audit of
the 0_90 code base due to lack of resources. We have therefore dropped further
support of the 0_90 tree and recommend upgrading to MPlayer 1.0pre5 or latest
CVS.
Download
MPlayer 1.0pre5, 0.93 and CVS snapshots can be downloaded from the MPlayer homepage or one of its many
mirrors as soon as they become available. Go to the
MPlayer download page
to get MPlayer 1.0pre5 source code or a CVS snapshot.
No, it's still MPlayer ;-).
But since we run on so many different operating systems now we thought that
MPlayer - The Movie Player For Linux
is not really a fitting name any longer. So from now on it will be just
MPlayer - The Movie Player
The king is dead - long live the king!
Your video player is... PATENTED (in the USA)
Demonstration against Software Patents in Karlsruhe, the city of LinuxTag with
some developers and advocates of MPlayer.
Read more at the FFII page.
The MPlayer team will be represented at
LinuxTag 2004
by at least Alex Beregszaszi, Sascha Sommer and Diego Biurrun.
LinuxTag is a mix between trade show and conference about Linux and free
software for both companies and projects. It is held in Karlsruhe, Germany,
from the 23rd to the 26th of June. We will have a booth in the projects area
and be present for the full four days. Hopefully we will also be able to hold
a small conference with as many developers as possible. If you ever wished to
have a chat with us, that would be the perfect opportunity.
Summary:
Multiple vulnerabilities have been found and fixed in the Real-Time
Streaming Protocol (RTSP) client for RealNetworks servers, including a
series of potentially remotely exploitable buffer overflows. This is a
joint advisory by the MPlayer and xine teams as the code in question is
common to these projects. The xine team has assigned ID XSA-2004-3 to this
security announcement.
Severity:
High (arbitrary remote code execution under the user ID running the player)
when playing Real RTSP streams.
At this time, there is no known exploit for these vulnerabilities.
Prerequisites:
The players are only vulnerable when playing Real RTSP streams.
There is no risk if Real RTSP (realrtsp) streaming is not employed.
Solution:
A fix was checked into MPlayer CVS on Sat, 24 Apr 2004 12:33:22 +0200 (CEST).
This fix is included in MPlayer 1.0pre4. Users of affected MPlayer versions
should upgrade to MPlayer 1.0pre4 or later. Alternatively a standalone
patch is available that
can be applied to the MPlayer source tree.
xine-lib fix was checked into CVS on Fri, Apr 23 21:59:04 2004 UTC. This fix
is included in xine-lib 1-rc4. Users of affected xine-lib versions should
upgrade to xine-lib 1-rc4 or later.
If this upgrade is not feasible for some reason, the vulnerable code
can be disabled by removing xine's RTSP input plugin, which is located at
$(xine-config --plugindir)/xineplug_inp_rtsp.so. If installed with default
paths, that is: /usr/local/lib/xine/plugins/1.0.0/xineplug_inp_rtsp.so
This workaround disables RTSP streaming.
Affected versions:
MPlayer 1.0pre1-pre3try2
xine-lib 1-beta1 to 1-rc3c
Unaffected versions:
MPlayer 0.92.1 and below
MPlayer 1.0pre4 and above
MPlayer CVS HEAD
xine-lib 1-beta0 and below
xine-lib 1-rc4 and above
xine-lib CVS HEAD
History / Attack Vectors:
On Thu, 22 Apr 2004 Diego Biurrun found a crashing bug in the MPlayer
realrtsp code that Roberto Togni confirmed to be a buffer overflow
vulnerability later that day. The xine team was notified and independent
code audits were performed by Miguel Freitas (xine) and Roberto Togni
(MPlayer), revealing multiple vulnerabilities.
- Fixed length buffers were assigned for the URL used in server requests
and the length of the input was never checked. Very long URLs could thus
overflow these buffers and crash the application. A malicious person
might possibly use a specially crafted URL or playlist to run arbitrary
code on the user's machine.
- Not all strings returned from a Real server were checked for length.
It might be possible to cause a buffer overflow during the RTSP session
negotiation sequence. A malicious person could use a fake RTSP server
to feed the client with malformed strings.
- Packets of RealNetworks' Real Data Transport (RDT) format were received
using a fixed length buffer whose size was never checked. It might also be
possible to exploit this by emulating a RealNetworks' RTSP server.
- On Wed, 14 Apr 2004 22:45:28 +0200 (CEST) a change was made to MPlayer
CVS that removes the extension checking on RTSP streams. MPlayer now
attempts to handle every RTSP connection as realrtsp first, falling back
to live.com RTSP. CVS versions from that date to the time the fix was
checked in are susceptible to the same problem when playing normal RTSP
streams as well.
- At the time of the writing of this advisory no real exploits are known
to the authors and we hope to be the first to stumble across this
vulnerability. Since we believe that the bugs described in this advisory
are exploitable we have released this proactive advisory.
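The first three items in the list above (request URL, strings returned by the server, RDT packets) each come down to a length that was never compared with the size of a fixed buffer. The following is an added example, not MPlayer or xine code, showing each copy with that check in place; the buffer sizes, function names and the '$'/channel/length packet framing are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REQ_BUF_SIZE 256   /* assumed sizes; the advisory gives no figures */
#define FIELD_SIZE   64
#define PKT_BUF_SIZE 1024

/* Unchecked pattern the advisory describes, kept as a comment for contrast:
 *     char req[REQ_BUF_SIZE];
 *     sprintf(req, "DESCRIBE %s RTSP/1.0\r\n", url);    url length never checked
 */

/* Item 1: build a request line from a caller-supplied URL.
 * Returns 0 on success, -1 if the result would not fit in dst. */
int build_request(char *dst, size_t dst_size, const char *url)
{
    int n = snprintf(dst, dst_size, "DESCRIBE %s RTSP/1.0\r\n", url);
    if (n < 0 || (size_t)n >= dst_size) {
        if (dst_size > 0)
            dst[0] = '\0';          /* never hand back a truncated request */
        return -1;
    }
    return 0;
}

/* Item 2: copy a server-supplied value of src_len bytes (not NUL-terminated
 * on the wire) into a fixed field. Returns 0, or -1 if it does not fit. */
int copy_server_string(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst_size == 0 || src_len >= dst_size)
        return -1;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Item 3: take one framed packet from `in`. Constructed framing:
 * '$', channel byte, 16-bit big-endian payload length, payload.
 * Returns the payload length, or -1 if the header is short or malformed,
 * or the announced length exceeds the buffer or the bytes received. */
long read_packet(const uint8_t *in, size_t in_len, uint8_t *payload, size_t payload_cap)
{
    size_t announced;
    if (in_len < 4 || in[0] != '$')
        return -1;
    announced = ((size_t)in[2] << 8) | in[3];
    if (announced > payload_cap || announced > in_len - 4)
        return -1;
    memcpy(payload, in + 4, announced);
    return (long)announced;
}

/* Helpers that build constructed sample input and run the checks above. */
int try_url(size_t pad)             /* URL = prefix + `pad` filler bytes */
{
    static char url[4096];
    char req[REQ_BUF_SIZE];
    const char *prefix = "rtsp://example.invalid/";
    size_t plen = strlen(prefix);
    if (pad > sizeof(url) - plen - 1)
        pad = sizeof(url) - plen - 1;
    memcpy(url, prefix, plen);
    memset(url + plen, 'A', pad);
    url[plen + pad] = '\0';
    return build_request(req, sizeof(req), url);
}

int try_field(size_t len)           /* server value of `len` bytes */
{
    static char wire[1024];
    char field[FIELD_SIZE];
    if (len > sizeof(wire))
        len = sizeof(wire);
    memset(wire, 'x', len);
    return copy_server_string(field, sizeof(field), wire, len);
}

long try_packet(uint16_t announced, size_t available)
{
    static uint8_t wire[4 + 65535];
    uint8_t payload[PKT_BUF_SIZE];
    if (available > 65535)
        available = 65535;
    wire[0] = '$';
    wire[1] = 0;
    wire[2] = (uint8_t)(announced >> 8);
    wire[3] = (uint8_t)(announced & 0xff);
    memset(wire + 4, 0x42, available);
    return read_packet(wire, 4 + available, payload, sizeof(payload));
}

int main(void)
{
    printf("url pad 10: %d, pad 4000: %d\n", try_url(10), try_url(4000));
    printf("field 63: %d, field 64: %d\n", try_field(63), try_field(64));
    printf("packet 100/100: %ld, 1025/1025: %ld, 200/50: %ld\n",
           try_packet(100, 100), try_packet(1025, 1025), try_packet(200, 50));
    return 0;
}
```

Each function rejects oversized input instead of truncating it, so a caller cannot continue the session with a half-copied URL or packet.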
Download:
MPlayer 1.0pre4 can be downloaded from the MPlayer homepage or one of its many
mirrors. Go to the
MPlayer download page
to get MPlayer 1.0pre4 source code.
xine-lib 1-rc4 can be downloaded from the
xine homepage.
A long time has passed without a release and really a lot has
happened. Between the KiSS affair and the farewell of some developers
one might almost get the impression that not much development has been
taking place. Indeed there have been many internal changes. Alex
Beregszaszi (who has been the maintainer since 0.90rc3) is now
supported by a team of maintainers, making this the first real team
release of MPlayer. To reflect that we are also presenting the site in
a new design. If you thought about helping us out in building the
fastest and most flexible video player, now would be the perfect moment
to join our team, just come and join us on our
mailing lists and
IRC channels. We can use not only coders but
also documenters and people that want to help us out with the many details
that have to be taken care of to make such a big project a success. But if
you thought MPlayer development was stalled, just have a look at the huge
changelog.
We fixed a remotely exploitable security vulnerability in the Real
RTSP code, please read our advisory for details. Many thanks go to the
xine team for cooperating so well
with us in the audit of this shared code.
We also found a buffer overflow in the Matroska demuxer and in
the CDDB code, so we strongly urge you to upgrade.
Apart from that there are so many changes it gets hard to pick out the
highlights.
As usual the documentation has been improved and extended and our many
ports have been improved. The BSDs are getting closer and closer to
the Linux version, Mac OS X and PowerPC users will enjoy as
much as a 100% speed improvement through many AltiVec optimizations
and a native Quartz (Mac OS X) output driver. The Windows version of
MPlayer is shaping up to be an equal contender to the Unix versions,
grab and spread it.
If you had problems with streaming in the past this may be the release
for you. We fixed tons of bugs and added support for SMIL playlists to
Real streaming and now support Nullsoft Streaming Video (NSV).
With (experimental) AVI OpenDML read and write support we have knocked
a longstanding item from the wishlist. Now is the time to play and
create huge AVI files.
Our video filter system has been extended by no less than seven
filters and is thus more flexible than ever.
If you are an oldschool text mode addict and like ASCII art output you
can now enjoy it in full color with the caca output driver.
On the codec front we now support XviD 1.0, VP5 and VP6 and the
existing codecs have been improved and optimized. Accordingly the
codec package has been extended by a few DLLs, don't forget to grab a
new one.
As usual we would be nothing without
FFmpeg and the many native codecs
they provide. FLAC among others has joined their long list of
supported codecs and the rest has seen notable speed and quality
improvements.
Enjoy...
MPlayer 1.0pre4: "YAML Counter"
Security:
- HTTP parser remote heap overflow vulnerability fixed
- Real RTSP remote buffer overflow vulnerability fixed
- buffer overflow in the Matroska demuxer
- potentially exploitable buffer overflow in CDDB TOC code
DOCS:
- new Copyright file covers files from other projects and their licenses
- new DOCS/tech/translations.txt explains how to properly translate MPlayer
- new Japanese console message translation
- Polish translation finished
- Italian man page translation
- DVD ripping guide
- telecine/interlacing guide
- video out driver section added to the man page
- XML build system rewritten - now supports building individual languages
- miscellaneous updates all over the place
Ports:
- better PA-RISC detection
- support for VAX (tested on VAXstation 4000/VLC) -- really, believe me!
- optimizing for specific MIPS CPUs under IRIX
- AMD64 detection under BSDs
- fbdev driver updated for Linux 2.6
- support for ELF only OpenBSD
- optimizing for PPC 970 (aka G5)
- SDL support fixed on MinGW
- VIDIX working under Windows XP/2000 (native dhahelper)
- builds out of the box under GNU Hurd
- SSE optimizations enabled under MinGW
- SSE support under OpenBSD
- AltiVec support under NetBSD
- GCC 3.4 support (due to changed behaviour in ASM code snippets)
Demuxers:
- Matroska containing RealVideo works better
- fixed random segfaults in VIVO
- endianness fixes in CDDA
- UYVY support in tvi/v4l2
- tvi/bsdbt848 now working under FreeBSD 5.2-CURRENT
- tvi/bsdbt848 audio part working under NetBSD
- LIVE.COM demuxer updated to conform with latest libraries
- new, independent, C implementation of the Matroska demuxer
- fix for rare Real files
- more robust Real demuxer (can resync after errors)
- support for AAC inside Real
- MPEG Aspect code 4 fixed
- support for selecting subtitle streams with -slang inside Ogg
- wrapper demuxer for FFmpeg's libavformat (Nut is playable this way)
- much improved seeking in Ogg
- Nullsoft streaming video (NSV) demuxer
- AVI OpenDML read and write support
Streaming:
- SMIL playlist parser
- support for URL redirection
- support for seeking in HTTP streams
- updated LIVE.COM streaming code
- fallback to live.com RTSP after Real RTSP
- suggests -playlist if normal streaming fails
- many improvements and bug fixes in the streaming code
Decoders:
- compilation failure without zlib in vd/lcl fixed
- removed obsoleted decoders (which were moved to libavcodec), affected:
vd/8bps, vd/msrle, vd/msvideo1, vd/rpza, vd/smc
- workaround for buggy codecs in ad/acm (support for Sharp G.726)
- fixed chroma-swapping in Hauppauge Macroblock decoder
- AltiVec optimized resampler in liba52
- support for VP5 and VP6 DLL decoders
- support for Alparysoft lossless video codec (through DLLs)
- support for Lead MCMW wavelet video codec (through DLLs)
- HE-AAC working through libfaad
- removed libmpflac in favor of FFmpeg's FLAC implementation
- liba52 dynamic range compression support
Filters:
- vf_bmovl bugfixes
- vf_filmdint now handles 15fps NTSC input
- huge updates and speedup on vf_pullup
- big updates to vf_ilpack (proper interpolation and MMX optimizations)
- vf_zrmjpeg: fast MJPEG encoder using libavcodec for Zoran
- interlaced scaling support in vf_scale
- vf_kerndeint: adaptive deinterlacer
- vf_rgbtest: rgb test pattern generator for developers
- vf_qp: qp change filter
- vf_noformat: the same as vf_format but with reversed meaning
- AltiVec optimized SWScaler
- vf_phase: phase shift fields
- vf_divtc: duplicate frame removal from deinterlaced telecined video
Drivers:
- ao/esd behaves better over network now
- support for Radeon 9200/9600/9600 Pro/9700 in VIDIX
- -mixer support for alsa9
- fixed OSS audio grabber module with hardware not supporting 44khz
- native ALSA 1.x support (not through 0.9 emulation)
- better multibuffer support in VIDIX nVidia driver
- pan & scan support in VIDIX nVidia driver
- support for more cards in VIDIX nVidia driver
- vo_libcaca: color ASCII art output driver
- vo_quartz: native MacOS X/Quartz video output
- support for VIDIX when ATI FireGLX drivers are used
FFmpeg/libavcodec:
- H.263 AIC and MQ encoding support
- fixed low delay decoding
- fixed H.263+ encoding without UMV
- lots of CBR improvements
- MB type and QP visualization
- lots of code cleanup
- intra & inter dequantization split -> speedup
- fixed stereo IMA ADPCM encoding
- VBV delay setting support (MPEG2 CBR)
- improved RV20 decoder (most known errors eliminated)
- interlaced DCT
- interlaced motion estimation
- interlaced MPEG2 encoding
- 4MV encoding fixes
- initial interlaced MPEG4 encoding
- improved visual quality in SVQ3 decoder
- fixed never-before-tested embedded string decoder in SVQ1
- optimized quantization (including the trellis way)
- Sierra VMD video decoder
- MMX and SSE2 optimized H263 denoiser
- better SVCD compliance (encoder side)
- MMX and MMX2 optimized interlaced DCT decision
- various cleanup, memleak and segfault fixes
- optimized (2x faster) the MPEG layer 3 decoder
- grayscale coded MJPEG decoding support
- avimszh and avizlib decoders
- "packed" XviD decoding
- fixed some bugs in RV20 B-frames decoding
- closed GOP encoding
- SSE2 optimized FDCT
- support for quantizer noise shaping
- support for EA ADPCM and SMJPEG IMA ADPCM
- QT RLE decoder
- OBMC fixes
- FLAC decoder
- better support for DivX5
- MMX and SSE2 optimized VP3/Theora decoding
- support for Theora alpha3
- many H.264 improvements
- more robust MJPEG startcode search mechanism
- better WMV8 decoding
- native Sparc VIS optimizations
- native G.726 codec
Others:
- -codecs-file option for specifying alternative codecs.conf file
- fixed some minor bugs in the GUI
- prevent sig11 when $HOME is not set
- fix some command line handling corruptions
- Swedish and Polish yes/no options in config files
- support binding F11 and F12 keys
- TOOLS/divx2svcd updated
- stricter thread code in Win32 loader (works under NetBSD)
- PJS subtitle support (was: dunnowhat)
- TOOLS/avifix: simple tool to fix chunk sizes in AVI files
- proper extraheader handling when libavcodec is used in MEncoder
- AVI OpenDML read and write support
- AVI VPRP (video property) read and write support
- fixed long standing lame quality option off-by-one bug in MEncoder
- MPL2 subtitle support
- less verbosity in Win32 loader and other places
MPlayer 1.0pre4 can be downloaded from the following locations:
MD5SUM: 83ebac0f05b192516a41fca2350ca01a
Grab the Windows port from here: http://www.mplayerhq.hu/MPlayer/releases/win32-beta/
Also don't forget to visit the downloads page for the updated codec pack!
For a while now, MPlayer has had two official IRC channels on the
freenode network:
- #mplayer for users
- #mplayerdev for developers
After two (nowadays not so active, but valuable) developers leaving the project
(both of them posting an unneeded news article about it), one could think it's
almost dead now. This assumption is false, other developers are still active,
but busy with work.
Be prepared for a new tech release!
Just for clarification: I say 'unneeded news article', because many
developers left already without news entries and more joined the project
after them.
The FFII has organized a demo this year
just like the one in 2003.
The MPlayer project is proud to be a part of the conferences: Diego Biurrun
and myself have been there and talked about patents and the KiSS issue with
known and great authorities, such as Alan Cox and George Greve (President
of FSF Europe).
As a report, read
this
post from Diego.
I've decided to leave the MPlayer project. Personal thanks go to:
- A'rpi, Pontscho, Alex for all the fun we've been through together
- LGB for his poetry
- Diego Biurrun for never giving up
Farewell.
Severity:
HIGH (if playing HTTP streaming content)
LOW (if playing only normal files)
Description:
A remotely exploitable buffer overflow vulnerability was found in MPlayer.
A malicious host can craft a harmful HTTP header ("Location:"), and trick MPlayer
into executing arbitrary code upon parsing that header.
affected MPlayer versions:
MPlayer 0.90pre series
MPlayer 0.90rc series
MPlayer 0.90
MPlayer 0.91
MPlayer 1.0pre1
MPlayer 1.0pre2
MPlayer 1.0pre3
unaffected MPlayer versions:
MPlayer releases before 0.60pre1
MPlayer 0.92.1
MPlayer 1.0pre3try2
MPlayer 0_92 CVS
MPlayer HEAD CVS
Notification status:
Developers were notified on 2004.03.29 (by "blexim")
Fix was committed into HEAD CVS at 2004.03.30 12:58:43 CEST
MPlayer 0.92.1 (vuln-fix-only release) was released on 2004.03.30
16:45:00 CEST
MPlayer 1.0pre3try2 (vuln-fix-only release) was released on 2004.03.30
16:51:00 CEST
Patch availability:
A patch for all
vulnerable versions is available.
Suggested upgrading methods:
MPlayer 1.0pre3 users should upgrade to latest CVS.
MPlayer 0.92 (and below) users should upgrade to 0.92.1 or latest CVS.
MPlayer 0.92.1 (PGP signature) (MD5 checksum)
can be downloaded from the following sites:
MPlayer 1.0pre3try2 (PGP signature) (MD5 checksum)
can be downloaded from the following sites:
I (A'rpi) already left MPlayer G1 a year ago, when 0.90 was released.
This is not YAML (Yet Another Mplayer Leaving :)), I left G1 dev
to work on MPlayer G2. Now I'm leaving the whole MPlayer project,
including G2 development and all the rest, except for MPHQ server
administration (for technical reasons). I did not read mplayer
lists (any) for months (except for a few mails pointed to me),
and I lost the rest of my interest towards MPlayer development.
About G2, my primary reason of giving up on it was the dual
licensing issues, discussed recently on the g2-dev list.
My opinion about GPL was proven again, ie. it doesn't protect us
against code stealing (see the KiSS issue for example), while
it keeps project sponsors and companies away. I wanted to make
G2 to be usable by any program as the standard linux media lib/API,
but GPL is too strict for this, and all other license options
were immediately refused by all other (potential) G2 developers.
Of course G2 can be written as free GPL software (free as RMS:)) too,
but it will take long, and I have no interest to participate.
What's now with me? I'm back to some of my old projects, like AMC,
and I've started a new project about heuristic email virus scanning,
called pymavis.
The Hungarian Tilos Radio's
Speedlight program has made a live interview with
Zoltán Ponekker (Pontscho), one of the MPlayer founders who has
developed significant parts of MPlayer, most notably the GUI
(Graphical User Interface).
Download the interview here (Hungarian):
1. part | 2. part | 3. part
Thanks to our fellow users, we've won another award, this time it is
Softonic's "Mejor Reproductor
de Vídeo" trophy.
Thanks for the support!
Thanks to the great donations by Charlie (Adaptec 29160 controller)
and Lupin III (2 x 36GB 10krpm disks), we could finally move OS and
data (mailing lists, cvs, web etc) to SCSI base,
hopefully solving the continuous stability issues we had with those
old IBM IDE disks since December. It should also improve speed and
reaction time of the server.
Anyway we still have a small problem: the disks have 80-pin (SCA)
connectors, and the 80-to-68pin converters I could buy here
don't work in LVD mode, thus limiting bandwidth to 40Mb/sec (SE mode).
It should be enough for our current needs, but if you have 2 pieces of
spare LVD-capable 80/68 converters, don't hesitate to donate! :)
2003 seems to be the year of MPlayer. Yet another award we got!
The Hungarian Unix Portal - the biggest Hungarian free software site -
promoted its first Reader's Choice Awards in November 2003. Members
could vote starting on 19th November 2003 until the 20th December 2003.
For the people, who don't speak Hungarian, here are the results:
- 1. MPlayer (96%)
- 2. xine (2%)
- 3. VideoLan and avifile - head to head
The Hungarian speaking minority could visit the portal:
article
about the winners.
LinuxQuestions.org has
finished voting for its LinuxQuestions.org Members Choice Award and
MPlayer has been voted
Multimedia application of the Year.
MPlayer received 44.61% of the votes, beating
XMMS with 27.90% and
xine with 17.40%.
Thanks to the series of IDE HDD crashes we've got in past weeks,
some of the mailman config/user databases got corrupted.
Especially the MPlayer-G2-dev list, which is uncorrectable, so
I've re-created the list today, and subscribed everyone again, at
least who subscribed until Aug 15 this year. I have no info
about member (un)subscribes past that date, as I've disabled the
notification. Please verify your membership and settings!
Since the MPlayer-users list also got somehow corrupted,
several people reported that they either stopped receiving mail
or began to receive it again despite no longer being
members (they've already unsubscribed). Anyway, this list has
over 1500 members, many of them with broken (bouncing) addresses.
Update:
So, to clean things up, I've created an mplayer-newusers list, but
Attila Kinali suggested a better method: send a mail asking everyone
at mplayer-users to subscribe again, mass unsubscribe everyone,
and then re-create the list.
So, you have to subscribe again, even if you were already subscribed:
SUBSCRIBE.
The Danish National Radio (http://dr.dk) has
made an interview with me (as MPlayer representative), and
KiSS Technology's
managing director
Peter Wilmar Christensen.
It is going to be broadcast tonight at 20:35, but it is also
downloadable from the Internet right now:
A written article is also available,
in Danish.
We have made a rough English translation of the session (thanks to
Anders Rune Jensen). Our commentaries can be found at the bottom.
- Speaker:
- The development of MPlayer was
started by a little group of Hungarian programmers 3 years ago.
- Speaker:
- We needed a program that could play media files under Linux
and were so unsatisfied with the existing choices that we started making
a better alternative - said Gabucino, the spokesperson for the
MPlayer programmers.
- Speaker:
- MPlayer has reached a wide recognition in the Open Source
community. Gabucino emphasizes the program's stability and ability to
play many different movie formats as some of the obvious advantages.
- Speaker:
- The trouble with KiSS technology started recently when one of
the MPlayer developers was shopping for a new DVD player
and went for a product by the Danish company. For fun the programmer
started looking at the software in the Danish DVD player, the so
called firmware, and compared it with MPlayer's own code. There were
enough similarities to take a closer look at the case and make the
MPlayer team angry - Gabucino said.
- Speaker:
- The specific part of the code in which the similarities are found
is the one controlling the subtitles when playing movies.
The reality is that the code doesn't contain anything really brilliant. On
the contrary, it's very simple. So Gabucino is puzzled why anyone would
even bother using the code instead of writing it themselves. He
suggests that it could be laziness on the programmer's side.
- Speaker:
- I think it's actually a very normal thing that programmers
borrow Open Source code because they are too lazy to write it
themselves. There have been some cases prior to this which have
caused quite a lot of trouble. I think there are hundreds of
examples like this that we just don't hear about - Gabucino said.
- Speaker:
- The MPlayer team has published the accusation of the code
theft on their website and has tried to document it by listing the
strings in the code which are identical in the two pieces of software.
According to Gabucino, there are so many similarities that it's
unthinkable that this might be a coincidence.
- Speaker:
- Normally this type of code is different depending on who
implemented it, so, when there are so many identical strings, it's
obvious that we're dealing with theft, the Hungarians believe.
- Speaker:
- GPL or General Public License which MPlayer is licensed under
is a very widely used Open Source license, which gives the users
certain rights and certain duties. Long story short, it is okay to take
the code from MPlayer and develop it further, as long as the result is
given back to the community. In this specific example Gabucino and the
other Hungarians therefore demand that KiSS Technology should release
the software used in its DVD players. And makes it clear that it is
not a matter of getting some money from the Danish company, but a
matter of fulfilling the requirements of the GPL and releasing the
software.
- Speaker:
- KiSS Technology at first didn't react to the Hungarians'
inquiry, but after the story began to get large publicity in the
different net-medias and forums the company began to investigate
the case this week. There are two main questions: whether
code from MPlayer really is inside the KiSS software and
how the licenses of Open Source software should be
interpreted and applied. Apart from being accused of taking code
from MPlayer, KiSS Technology has also been accused of using other
Open Source software, but managing director Peter Wilmar Christensen
denies all accusations with small requisitions. The DVD player from
KiSS uses a modified version of Linux as its operating system and
that part of the software has been released in accordance with the
licenses. But KiSS proclaims that the programs used in the machines on
top of the operating system, which enables them to play video and
music files are the company's own and therefore are not required to be
released, the managing director Peter Christensen explains.
- Peter:
- I would say that there is no truth to the accusations. In large
there has been some interest regarding our applications recently and
around GPL, which is the software used in the Open Source community
which requires you to publish the source code if you use it. And there
has been some interest in some of the programs used on our DVD
players. Something called libmad and libjpg and then this Hungarian
company MPlayer. On our DVD players we run Linux which is licensed
under the GPL, we have on our webpage published the operating system
so that people can download the improved version of Linux that we use.
The application layer on top of Linux is proprietary and is not based
on any GPL code. We don't use MPlayer, we use our own player, a
player like we know from Real Player, Microsoft Media Player is the
application used to display movies. It is a fundamental thing for our
player, because it's what we are known for, being able to play a wide
range of different formats.
- Speaker:
- The documentation the Hungarians have presented on their
website is parts from your code. By simply comparing the strings line
for line, they conclude that they are so identical that this can be no
coincidence. What is your comment on this?
- Peter:
- We are currently investigating exactly that specific part, how
that can be and if it's really true what they say. Currently we have
not investigated it enough to be sure whether or not they are right or
wrong in their accusations. What is important is that we do not use
their application (Of course, only the subtitle reader! - Gabucino). Should there be cases where the code is very much
alike, we have to look at how that could have happened. But we doubt
that there is any truth to the accusations. There are a lot of things
that could have happened, one could imagine that code from our
community has spread to other communities including the Open Source and
code originating from our player could accordingly be a part of
MPlayer, if in fact there are any similarities. It can be hard to
tell how those similarities have supposedly appeared. What is important is that
we do not use their application. If there are a few identical lines
then one might ask themselves how that has happened. But it could have just
as well come from one side as from the other. In any case, we are under no
circumstances of the opinion that we have borrowed code.
- Speaker:
- Whoever made the code for subtitles in the Hungarian software
and in the Danish DVD players can be thought of as a minor issue in
today's world. But what is important is the matter of principles in
this specific issue and what private companies can allow themselves
when they use Open Source and on the other hand what the Open Source
community can expect from the companies. Because of the current case,
managing director Peter Wilmar Christensen has had a closer look
at the GPL license and evaluated its legal status.
- Peter:
- We have confirmed what we already knew, that when using code
licensed under the GPL then we have to publish any derivative work.
This means that the legal foundation is very thin and there is no
place in the world that I know of where the GPL has been tested in
court. So from a business perspective I would say that the license is
relatively weak. This doesn't change the fundamental spirit in the
Open Source community which I think - all in all - is positive.
But it is clear that as a commercial company living off selling its
product, can not and will not release its proprietary code. It is naturally
so that one should not use GPL code in proprietary systems.
- Speaker:
- According to Gabucino, the Hungarian software
developers of MPlayer are glad that
their accusation against the Danish company has reached the media.
- Speaker:
- As he said, there are no big economical options for
dragging the case to court. Instead they hope that the Open Source
community will put so much pressure on KiSS Technology that they
will be forced to release all its software.
- Speaker:
- But that is completely out of the question, said the managing
director Peter Wilmar Christensen, even though he is very keen on
staying good friends with the Open Source community.
- Peter:
- We don't have any intentions of working against or in another
way make enemies with the people in this community. We try to tell
what we use and what guidelines we follow. Have we made any error,
such as making incorrect descriptions in our manuals then we will of
course fix those things. It is not so that we in any way want
confrontation, but we have to make a clear statement that our
software will not be released as Open Source.
- Speaker:
- What is your conclusion of this case, what will it be after
this?
- Peter:
- The conclusion will be that the licenses in this area are a good
description of how one ought to operate within this community. They're
more of a tool to describe how to operate than a set of rules that can
be used in court. And I think that the Open Source circles use far
too much energy on hunting down private companies like us for
instance, because it's so obvious that one as a private company simply
can't release your source code. We appreciate the Linux community very
much and see it as a good thing for the industry. Generally that there
is an alternative to the Microsoft community. But we think that the
community should respect the companies who use Linux and not hunt
them because I don't think that's beneficial for anyone.
END OF TRANSLATION
Gabucino's comments: I find it quite disgusting to read so much
plain lies. It's obvious how companies like KiSS or SCO treat
open source. Let's read these particular sentences again:
- Peter:
- ...There are a lot of things
that could have happened, one could imagine that code from our
community has spread to other communities including the Open Source and
code originating from our player could accordingly be a part of
MPlayer, if in fact there are any similarities. It can be hard to
tell how those similarities have supposedly started. What is important is that
we do not use their application. If there are a few identical lines
then one might ask themselves how that has happened.
It's quite clear that they've never read our News section, because we
hurried to state they've even stolen our own subtitle
file format MPsub (see our
specifications).
Its idea was mine, then I asked laaz if he would be so kind as
to implement it in MPlayer. Then in 2001 October 12 at 13:51:58 he
committed the support, as can be
seen here.
The format was never spotted in the wild.
Several things can be concluded:
- Mr. Christensen
never took the time to read our announcements.
- Mr. Christensen
suggests they've implemented our subtitle format way before we did it
ourselves. The KiSS firmwares are all made in 2003, which is - as far
as I know - a way later year than 2001.
- Mr. Christensen
doesn't have the slightest clue about what software his company is using.
- KiSS Technology has strange interpretation problems with
some sentences, like
"...We don't have any intentions of working against, or in
another way make enemies with the people in this (Open
Source) community."
Actually we can picture a quite nice representation of their viewpoint,
especially after seeing their unwillingness to start a conversation
with us in E-Mail. KiSS Technology's views are:
- "...making our source open to public is out of
question"
- Pressing Microsoft (or Bush)-style PR, like repeating
their own lies, emphasized again and again: "What is
important is that we do not use their application."
- Spreading FUD: "It can be hard to tell how
those similarities have supposedly started." Ever heard of
version control systems?
- Holding good communiqué with the Open Source community:
"If there are a few identical lines then one might ask
themselves how that has happened. But it could have just as well
come from one side as from the other..." The pitiful aspect of
this is that it implies a totally ignorant viewpoint, like
'our sources are ours, it's completely obfuscated, but yes,
our claims are the truth, yours are plain lies'
How come companies like KiSS can't be punished by law?
The binaries in KiSS Technology's newer firmwares don't seem to
contain our strings at first sight.
First we thought they were encrypted, or obfuscated in some other way,
like an executable packer. Actually these new files are simply
compressed with gzip. Decompressing them is very simple:
dd if=fileplayer.bin bs=64 skip=1 | gunzip > fileplayer.bin.decomp
The strings are still there. Nothing has changed.
Downloads:
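The dd command above relies on knowing that the header is exactly 64 bytes long. As an added example (not part of the original news entry or of MPlayer), the Python sketch below finds gzip members at any offset by their magic bytes and only accepts a candidate when the whole stream, including its CRC trailer, decompresses cleanly. The function name, the sample header and the payload are constructed for illustration.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=8 (deflate), per RFC 1952

def carve_gzip(blob, max_out=64 * 1024 * 1024):
    """Return [(offset, data)] for each complete gzip member found in blob.

    A candidate is kept only if the stream reaches its end marker, so stray
    magic bytes and truncated streams are skipped. Members that would expand
    beyond max_out bytes are skipped as well.
    """
    members = []
    pos = blob.find(GZIP_MAGIC)
    while pos != -1:
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # expect gzip header and trailer
        try:
            data = d.decompress(blob[pos:], max_out)
        except zlib.error:
            data = None
        if data is not None and d.eof:
            members.append((pos, data))
            # Continue after the bytes this member consumed; the rest is unused_data.
            consumed = len(blob) - pos - len(d.unused_data)
            pos = blob.find(GZIP_MAGIC, pos + consumed)
        else:
            pos = blob.find(GZIP_MAGIC, pos + 1)
    return members

# Constructed sample image: a 64-byte header, one gzip member, trailing padding.
HEADER = b"CONSTRUCTED-HDR".ljust(64, b"\x00")
PAYLOAD = b"Microdvd\x00Subrip\x00MPSub\x00"
IMAGE = HEADER + gzip.compress(PAYLOAD) + b"\xff" * 32

if __name__ == "__main__":
    for offset, data in carve_gzip(IMAGE):
        print("gzip member at offset", offset, "->", len(data), "bytes")
```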
It has been brought to my attention, that the now famous KiSS
Technology - already in violation of the GNU
General Public License - has been confirmed stealing another
program which is also completely under the GPL license.
The software in question is the high-quality MPEG audio codec,
MAD (libmad).
This codec is used by a lot of other audio players, like
mpg321, a command line
MP3 player found in most Linux distributions - including Debian.
The strings from the KiSS firmware (matching
libmad sources),
can be viewed -
but you can also check it for yourself, it's really easy.
And if you do: don't be surprised when you run into more strings -
which match libjpeg's.
Before I get another 10 mails about this: the GPL.ZIP file
which they offer for download on their site contains only the Linux
kernel and busybox sources, not MPlayer's!
Thanks.
Basically KiSS Technology
is specialized in particular kinds of media hardware, namely DVD and
MPEG-4 players,
set-top-boxes, and such.
There is nothing wrong with that.
However, if a careless user initiates a string search in one of their
firmwares:
$ strings KiSS_DP-508_FW2.7.4_PAL.iso | grep -A 3 -B 6 MPSub
Microdvd
Subrip
Subviewer
Sami
Vplayer
Unknown
MPSub
Subviewer 2.0
Subrip 0.9
Jacosub
Running the same command on the MPlayer binary:
$ strings /usr/bin/mplayer | grep -B 8 mpsub -A 4
<...>
L>microdvd
subrip
subviewer
sami
vplayer
dunnowhat
mpsub
subviewer 2.0
subrip 0.9
jacosub
<...>
You can also check the subreader.h
or the subreader.c
files in MPlayer sources.
As you can see, the KiSS firmware contains the subtitle formats in
the very same order as we do. The thing that really catches the eye is
the MPSub format, which is our own subtitle format, which hasn't
been used anywhere else so far.
Another nice nit is the "dunnowhat" AKA "unknown"
subtitle format, whose name remains unknown for us - thus the naming.
It's the same in KiSS' files.
This of course is hardly enough for a proof. What really makes it
a one hundred percent stealing is quite obvious: the sscanf() calls
which contain the patterns of the subtitle formats known to the subtitle
parser, in order to identify the chosen subtitle file.
Let's take an easy example:
$ strings fileplayer.bin
<...>
<SAMI>
%d:%d:%d.%d %d:%d:%d.%d
@%d @%d
%d:%d:%d:
%d:%d:%d
Dialogue: Marked
%d,%d,"%c
FORMAT=%d
FORMAT=TIM%c
-->>
<...>
$ strings subreader.o
<...>
<SAMI>
%d:%d:%d.%d %d:%d:%d.%d
@%d @%d
%d:%d:%d:
%d:%d:%d
Dialogue: Marked
Dialogue:
%d,%d,"%c
FORMAT=%d
FORMAT=TIM%c
-->>
<...>
These are the patterns we use to identify a SAMI subtitle file.
We have one more pattern in our parser, which was committed on
2003 July 20, in effect of supporting a new subtitle format,
called "ASS". KiSS Tech's files are missing this one, so they must
have lifted our code before that date.
Let's see another:
$ strings fileplayer.bin
<...>
<%*[tT]ime %*[bB]egin="%d.%d" %*[Ee]nd="%d.%d"%*[^<]<clear/>%n
<%*[tT]ime %*[bB]egin="%d.%d" %*[Ee]nd="%d:%d.%d"%*[^<]<clear/>%n
<%*[tT]ime %*[bB]egin="%d:%d" %*[Ee]nd="%d:%d"%*[^<]<clear/>%n
<%*[tT]ime %*[bB]egin="%d:%d" %*[Ee]nd="%d:%d.%d"%*[^<]<clear/>%n
<%*[tT]ime %*[bB]egin="%d:%d.%d" %*[Ee]nd="%d:%d.%d"%*[^<]<clear/>%n
<...>
$ strings subreader.o
<...>
<%*[tT]ime %*[bB]egin="%d.%d" %*[Ee]nd="%d.%d"%*[^<]<clear/>%n
<%*[tT]ime %*[bB]egin="%d.%d" %*[Ee]nd="%d:%d.%d"%*[^<]<clear/>%n
<%*[tT]ime %*[bB]egin="%d:%d" %*[Ee]nd="%d:%d"%*[^<]<clear/>%n
<%*[tT]ime %*[bB]egin="%d:%d" %*[Ee]nd="%d:%d.%d"%*[^<]<clear/>%n
<%*[tT]ime %*[bB]egin="%d:%d.%d" %*[Ee]nd="%d:%d.%d"%*[^<]<clear/>%n
<...>
These are the patterns we use to identify an RT subtitle file.
Every single one of their patterns matches ours! This is not a
coincidence. This is stealing GPL code into a proprietary
product! KiSS Technology failed to answer our inquiry for their
source files (which they are obligated to provide), so this news
entry is posted.
Downloads:
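The comparison made by eye above rests on two observations: the same strings appear in the same order in both binaries, and a string present only in the newer reference build dates the copy. As an added example (not MPlayer's code), the Python sketch below automates both checks with an ordered diff of the extracted strings. The sscanf patterns are the ones quoted in this entry; the blobs, banner strings and function names are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

def strings(blob, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, in file order."""
    found = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    return [m.decode("ascii") for m in found]

def compare(suspect, reference, min_run=3, key=str):
    """Ordered comparison of two string lists.

    Returns (runs, reference_only). runs are stretches of at least min_run
    consecutive strings that occur in both lists in the same order.
    reference_only are strings the reference has inserted between matched
    stretches, which hints at the reference version the copy predates.
    """
    a = [key(s) for s in suspect]
    b = [key(s) for s in reference]
    sm = SequenceMatcher(None, a, b, autojunk=False)
    runs = [suspect[m.a:m.a + m.size]
            for m in sm.get_matching_blocks() if m.size >= min_run]
    reference_only = [s for tag, _, _, j1, j2 in sm.get_opcodes()
                      if tag == "insert" for s in reference[j1:j2]]
    return runs, reference_only

# Patterns quoted in this entry; everything else in the blobs is constructed.
HEAD = ["<SAMI>", "%d:%d:%d.%d %d:%d:%d.%d", "@%d @%d", "%d:%d:%d:",
        "%d:%d:%d", "Dialogue: Marked"]
TAIL = ['%d,%d,"%c', "FORMAT=%d", "FORMAT=TIM%c", "-->>"]

def make_blob(banner, items):
    """Constructed binary: non-printable filler between NUL-terminated strings."""
    body = b"\x00\x03".join(s.encode() for s in [banner] + items)
    return b"\x7fELF\x01\x02" + body + b"\x00"

FIRMWARE = make_blob("constructed firmware banner", HEAD + TAIL)
REFERENCE = make_blob("constructed reference banner", HEAD + ["Dialogue:"] + TAIL)

if __name__ == "__main__":
    runs, ref_only = compare(strings(FIRMWARE), strings(REFERENCE))
    for run in runs:
        print(len(run), "consecutive shared strings, starting at", repr(run[0]))
    print("only in reference, inside the shared region:", ref_only)
```

Passing `key=str.lower` makes the comparison case-insensitive, which is what the format-name tables (Microdvd against microdvd) need.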