| news |
| news archive |
| download |
| information |
| documentation |
| mailing lists |
| screenshots |
| donations |
| related projects |
awards
|
languages
|
alternative designs
|
News
2004.12.15, Wednesday :: MPlayer 1.0pre5try2 released
|
|
The MPlayer team will be represented at LinuxTag 2004 by at least Alex Beregszaszi, Sascha Sommer and Diego Biurrun. LinuxTag is a mix between trade show and conference about Linux and free software for both companies and projects. It is held in Karlsruhe, Germany, from the 23rd to the 26th of June. We will have a booth in the projects area and be present for the full four days. Hopefully we will also be able to hold a small conference with as many developers as possible. If you ever wished to have a chat with us, that would be the perfect opportunity. |
2004.04.28, Wednesday :: Exploitable remote buffer overflow vulnerability in the Real RTSP streaming code
posted by Diego
Summary:
Multiple vulnerabilities have been found and fixed in the Real-Time Streaming Protocol (RTSP) client for RealNetworks servers, including a series of potentially remotely exploitable buffer overflows. This is a joint advisory by the MPlayer and xine teams as the code in question is common to these projects. The xine team has assigned ID XSA-2004-3 to this security announcement.
Severity:
High (arbitrary remote code execution under the user ID running the player) when playing Real RTSP streams. At this time, there is no known exploit for these vulnerabilities.
Prerequisites:
The players are only vulnerable when playing Real RTSP streams. There is no risk if Real RTSP (realrtsp) streaming is not employed.
Solution:
A fix was checked into MPlayer CVS on Sat, 24 Apr 2004 12:33:22 +0200 (CEST). This fix is included in MPlayer 1.0pre4. Users of affected MPlayer versions should upgrade to MPlayer 1.0pre4 or later. Alternatively a standalone patch is available that can be applied to the MPlayer source tree.
xine-lib fix was checked into CVS on Fri, Apr 23 21:59:04 2004 UTC. This fix is included in xine-lib 1-rc4. Users of affected xine-lib versions should upgrade to xine-lib 1-rc4 or later. If this upgrade is not feasible for some reason, the vulnerable code can be disabled by removing xine's RTSP input plugin, which is located at $(xine-config --plugindir)/xineplug_inp_rtsp.so. If installed with default paths, that is: /usr/local/lib/xine/plugins/1.0.0/xineplug_inp_rtsp.so This workaround disables RTSP streaming.
Affected versions:
MPlayer 1.0pre1-pre3try2
xine-lib 1-beta1 to 1-rc3c
Unaffected versions:
MPlayer 0.92.1 and below
MPlayer 1.0pre4 and above
MPlayer CVS HEAD
xine-lib 1-beta0 and below
xine-lib 1-rc4 and above
xine-lib CVS HEAD
History / Attack Vectors:
On Thu, 22 Apr 2004 Diego Biurrun found a crashing bug in the MPlayer realrtsp code that Roberto Togni confirmed to be a buffer overflow vulnerability later that day. The xine team was notified and independent code audits were performed by Miguel Freitas (xine) and Roberto Togni (MPlayer), revealing multiple vulnerabilities.
- Fixed length buffers were assigned for the URL used in server requests and the length of the input was never checked. Very long URLs could thus overflow these buffers and crash the application. A malicious person might possibly use a specially crafted URL or playlist to run arbitrary code on the user's machine.
- Not all strings returned from a Real server were checked for length. It might be possible to cause a buffer overflow during the RTSP session negotiation sequence. A malicious person could use a fake RTSP server to feed the client with malformed strings.
- Packets of RealNetworks' Real Data Transport (RDT) format were received using a fixed length buffer whose size was never checked. It might also be possible to exploit this by emulating a RealNetworks' RTSP server.
- On Wed, 14 Apr 2004 22:45:28 +0200 (CEST) a change was made to MPlayer CVS that removes the extension checking on RTSP streams. MPlayer now attempts to handle every RTSP connection as realrtsp first, falling back to live.com RTSP. CVS versions from that date to the time the fix was checked in are susceptible to the same problem when playing normal RTSP streams as well.
- At the time of the writing of this advisory no real exploits are known to the authors and we hope to be the first to stumble across this vulnerability. Since we believe that the bugs described in this advisory are exploitable we have released this proactive advisory.
Download:
MPlayer 1.0pre4 can be downloaded from the MPlayer homepage or one of its many mirrors. Go to the MPlayer download page to get MPlayer 1.0pre4 source code.
xine-lib 1-rc4 can be downloaded from the xine homepage.
2004.04.28, Wednesday :: MPlayer 1.0pre4 released
posted by the release team
A long time has passed without a release and really a lot has happened. Between the KiSS affair and the farewell of some developers one might almost get the impression that not much development has been taking place. Indeed there have been many internal changes. Alex Beregszaszi (who has been the maintainer since 0.90rc3) is now supported by a team of maintainers, making this the first real team release of MPlayer. To reflect that we are also presenting the site in a new design. If you thought about helping us out in building the fastest and most flexible video player, now would be the perfect moment to join our team, just come and join us on our mailing lists and IRC channels. We can use not only coders but also documenters and people that want to help us out with the many details that have to be taken care of to make such a big project a success. But if you thought MPlayer development was stalled, just have a look at the huge changelog.
We fixed a remotely exploitable security vulnerability in the Real RTSP code, please read our advisory for details. Many thanks go to the xine team for cooperating so well with us in the audit of this shared code. We also found a buffer overflow in the Matroska demuxer and in the CDDB code, so we strongly urge you to upgrade.
Apart from that there are so many changes it gets hard to pick out the highlights.
As usual the documentation has been improved and extended and our many ports have been improved. The BSDs are getting closer and closer to the Linux version, Mac OS X and PowerPC users will enjoy as much as a 100% speed improvement through many AltiVec optimizations and a native Quartz (Mac OS X) output driver. The Windows version of MPlayer is shaping up to be an equal contender to the Unix versions, grab and spread it.
If you had problems with streaming in the past this may be the release for you. We fixed tons of bugs and added support for SMIL playlist to Real streaming and now support Nullsoft Streaming Video (NSV)
With (experimental) AVI OpenDML read and write support we have knocked a longstanding item from the wishlist. Now is the time to play and create huge AVI files.
Our video filter system has been extended by no less than seven filters and is thus more flexible than ever.
If you are an oldschool text mode addict and like ASCII art output you can now enjoy it in full color with the caca output driver.
On the codec front we now support XviD 1.0, VP5 and VP6 and the existing codecs have been improved and optimized. Accordingly the codec package has been extended by a few DLLs, don't forget to grab a new one.
As usual we would be nothing without FFmpeg and the many native codecs they provide. FLAC among others has joined their long list of supported codecs and the rest has seen notable speed and quality improvements.
Enjoy...
MPlayer 1.0pre4: "YAML Counter"
Security:
- HTTP parser remote heap overflow vulnerability fixed
- Real RTSP remote buffer overflow vulnerability fixed
- buffer overflow in the Matroska demuxer
- potentially exploitable buffer overflow in CDDB TOC code
DOCS:
- new Copyright file covers files from other projects and their licenses
- new DOCS/tech/translations.txt explains how to properly translate MPlayer
- new Japanese console message translation
- Polish translation finished
- Italian man page translation
- DVD ripping guide
- telecine/interlacing guide
- video out driver section added to the man page
- XML build system rewritten - now supports building individual languages
- miscellaneous updates all over the place
Ports:
- better PA-RISC detection
- support for VAX (tested on VAXstation 4000/VLC) -- really, believe me!
- optimizing for specific MIPS CPUs under IRIX
- AMD64 detection under BSDs
- fbdev driver updated for Linux 2.6
- support for ELF only OpenBSD
- optimizing for PPC 970 (aka G5)
- SDL support fixed on MinGW
- VIDIX working under Windows XP/2000 (native dhahelper)
- builds out of the box under GNU Hurd
- SSE optimizations enabled under MinGW
- SSE support under OpenBSD
- AltiVec support under NetBSD
- GCC 3.4 support (due to changed behaviour in ASM code snippets)
Demuxers:
- Matroska containing RealVideo works better
- fixed random segfaults in VIVO
- endianess fixes in CDDA
- UYVY support in tvi/v4l2
- tvi/bsdbt848 now working under FreeBSD 5.2-CURRENT
- tvi/bsdbt848 audio part working under NetBSD
- LIVE.COM demuxer updated to conform with latest libraries
- new, independent, C implementation of the Matroska demuxer
- fix for rare Real files
- more robust Real demuxer (can resync after errors)
- support for AAC inside Real
- MPEG Aspect code 4 fixed
- support for selecting subtitle streams with -slang inside Ogg
- wrapper demuxer for FFMpeg's libavformat (Nut is playable this way)
- much improved seeking in Ogg
- Nullsoft streaming video (NSV) demuxer
- AVI OpenDML read and write support
Streaming:
- SMIL playlist parser
- support for URL redirection
- support for seeking in HTTP streams
- updated LIVE.COM streaming code
- fallback to live.com RTSP after Real RTSP
- suggests -playlist if normal streaming fails
- many improvements and bug fixes in the streaming code
Decoders:
- compilation failure without zlib in vd/lcl fixed
- removed obsoleted decoders (which were moved to libavcodec), affected: vd/8bps, vd/msrle, vd/msvideo1, vd/rpza, vd/smc
- workaround for buggy codecs in ad/acm (support for Sharp G.726)
- fixed chroma-swapping in Hauppauge Macroblock decoder
- AltiVec optimized resampler in liba52
- support for VP5 and VP6 DLL decoders
- support for Alparysoft lossless video codec (through DLLs)
- support for Lead MCMW wavelet video codec (through DLLs)
- HE-AAC working through libfaad
- removed libmpflac in favor of FFmpeg's FLAC implementation
- liba52 dynamic range compression support
Filters:
- vf_bmovl bugfixes
- vf_filmdint now handles 15fps NTSC input
- huge updates and speedup on vf_pullup
- big updates to vf_ilpack (proper interpolation and MMX optimizations)
- vf_zrmjpeg: fast MJPEG encoder using libavcodec for Zoran
- interlaced scaling support in vf_scale
- vf_kerndeint: adaptive deinterlacer
- vf_rgbtest: rgb test pattern generator for developers
- vf_qp: qp change filter
- vf_noformat: the same as vf_format but with reversed meaning
- AltiVec optimized SWScaler
- vf_phase: phase shift fields
- vf_divtc: duplicate frame removal from deinterlaced telecined video
Drivers:
- ao/esd behaves better over network now
- support for Radeon 9200/9600/9600 Pro/9700 in VIDIX
- -mixer support for alsa9
- fixed OSS audio grabber module with hardware not supporting 44khz
- native ALSA 1.x support (not through 0.9 emulation)
- better multibuffer support in VIDIX nVidia driver
- pan & scan support in VIDIX nVidia driver
- support for more cards in VIDIX nVidia driver
- vo_libcaca: color ASCII art output driver
- vo_quartz: native MacOS X/Quartz video output
- support for VIDIX when ATI FireGLX drivers are used
FFmpeg/libavcodec:
- H.263 AIC and MQ encoding support
- fixed low delay decoding
- fixed H.263+ encoding without UMV
- lots of CBR improvements
- MB type and QP visualization
- lots of code cleanup
- intra & inter dequantization split -> speedup
- fixed stereo IMA ADPCM encoding
- VBV delay setting support (MPEG2 CBR)
- improved RV20 decoder (most known errors eliminated)
- interlaced DCT
- interlaced motion estimation
- interlaced MPEG2 encoding
- 4MV encoding fixes
- initial interlaced MPEG4 encoding
- improved visual quality in SVQ3 decoder
- fixed never-before-tested embedded string decoder in SVQ1
- optimized quantization (including the trellis way)
- Sierra VMD video decoder
- MMX and SSE2 optimized H263 denoiser
- better SVCD compliance (encoder side)
- MMX and MMX2 optimized interlaced DCT decision
- various cleanup, memleak and segfault fixes
- optimized (2x faster) the MPEG layer 3 decoder
- grayscale coded MJPEG decoding support
- avimszh and avizlib decoders
- "packed" XviD decoding
- fixed some bugs in RV20 B-frames decoding
- closed GOP encoding
- SSE2 optimized FDCT
- support for quantizer noise shaping
- support for EA ADPCM and SMJPEG IMA ADPCM
- QT RLE decoder
- OBMC fixes
- FLAC decoder
- better support for DivX5
- MMX and SSE2 optimized VP3/Theora decoding
- support for Theora alpha3
- many H.264 improvements
- more robust MJPEG startcode search mechanism
- better WMV8 decoding
- native Sparc VIS optimizations
- native G.726 codec
Others:
- -codecs-file option for specifying alternative codecs.conf file
- fixed some minor bugs in the GUI
- prevent sig11 when $HOME is not set
- fix some command line handling corruptions
- Swedish and Polish yes/no options in config files
- support binding F11 and F12 keys
- TOOLS/divx2svcd updated
- stricter thread code in Win32 loader (works under NetBSD)
- PJS subtitle support (was: dunnowhat)
- TOOLS/avifix: simple tool to fix chunk sizes in AVI files
- proper extraheader handling when libavcodec is used in MEncoder
- AVI OpenDML read and write support
- AVI VPRP (video property) read and write support
- fixed long standing lame quality option off-by-one bug in MEncoder
- MPL2 subtitle support
- less verbosity in Win32 loader and other places
MPlayer 1.0pre4 can be downloaded from the following locations:
MD5SUM: 83ebac0f05b192516a41fca2350ca01a
Grab the Windows port from here: http://www.mplayerhq.hu/MPlayer/releases/win32-beta/
Also don't forget to visit the downloads page for the updated codec pack!
2004.04.26, Monday :: New ways of communication
posted by Alex
Since a while, MPlayer has two official IRC channels on the freenode network:
- #mplayer for users
- #mplayerdev for developers
2004.04.23, Friday :: Resurrection
posted by Alex
After two (nowadays not so active, but valuable) developers leaving the project (both of them posting an unneeded news article about it), one could think it's almost dead now. This assumption is false, other developers are still active, but busy with work.
Be prepared for a new tech release!
Just for clarification: I say 'unneeded news article', because many developers left already without news entries and more joined the project after them.
2004.04.23, Friday :: Say NO to software patents - Bruxelles 2004
posted by Alex
The FFII has organized a demo this year
just like the one in 2003.
The MPlayer project is proud to be a part of the conferences: Diego Biurrun
and myself have been there and talked about patents and the KiSS issue with
known and great authorities, such as Alan Cox and George Greve (President
of FSF Europe).
As a report, read this post from Diego.
2004.04.23, Friday :: Leaving
posted by Gabucino
I've decided to leave the MPlayer project. Personal thanks go to:
- A'rpi, Pontscho, Alex for all the fun we've been through together
- LGB for his poetry
- Diego Biurrun for never giving up
Farewell.
2004.03.30, Tuesday :: Exploitable remote buffer overflow vulnerability in the HTTP parser
posted by Gabucino
Severity:
HIGH (if playing HTTP streaming content)
LOW (if playing only normal files)
Description:
A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful HTTP header ("Location:"), and trick MPlayer into executing arbitrary code upon parsing that header.
affected MPlayer versions:
MPlayer 0.90pre series
MPlayer 0.90rc series
MPlayer 0.90
MPlayer 0.91
MPlayer 1.0pre1
MPlayer 1.0pre2
MPlayer 1.0pre3
unaffected MPlayer versions:
MPlayer releases before 0.60pre1
MPlayer 0.92.1
MPlayer 1.0pre3try2
MPlayer 0_92 CVS
MPlayer HEAD CVS
Notification status:
Developers were notified on 2004.03.29 (by "blexim")
Fix was commited into HEAD CVS at 2004.03.30 12:58:43 CEST
MPlayer 0.92.1 (vuln-fix-only release) was released on 2004.03.30
16:45:00 CEST
MPlayer 1.0pre3try2 (vuln-fix-only release) was released on 2004.03.30
16:51:00 CEST
Patch availability:
A patch for all vulnerable versions is available.
Suggested upgrading methods:
MPlayer 1.0pre3 users should upgrade to latest CVS.
MPlayer 0.92 (and below) users should upgrade to 0.92.1 or latest CVS.
MPlayer 0.92.1 (PGP signature) (MD5 checksum) can be downloaded from the following sites:
MPlayer 1.0pre3try2 (PGP signature) (MD5 checksum) can be downloaded from the following sites:
2004.03.26, Friday :: Leaving MPlayer
posted by A'rpi
I (A'rpi) already left MPlayer G1 a year ago, when 0.90 was released. This is not YAML (Yet Another Mplayer Leaving :)), I left G1 dev to work on MPlayer G2. Now I'm leaving the whole MPlayer project, including G2 development and all the rest, except for MPHQ server administration (for technical reasons). I did not read mplayer lists (any) since months (except for a few mails pointed to me), and I lost the rest of my interest towards MPlayer development.
About G2, my primary reason of giving up on it was the dual licensing issues, discussed recently on the g2-dev list. My opinion about GPL was proven again, ie. it doesn't protect us against code stealing (see the KiSS issue for example), while it keeps project sponsors and companies away. I wanted to make G2 to be usable by any program as the standard linux media lib/API, but GPL is too strict for this, and all other license options were immediately refused by all other (potential) G2 developers. Of course G2 can be written as free GPL software (free as RMS:)) too, but it will took long, and I have no interest to participate.
What's now with me? I'm back to some of my old projects, like AMC, and I've started a new project about heuristic email virus scanning, called pymavis.
2004.03.10, Wednesday :: Radio interview with Pontscho
posted by Gabucino
The hungarian Tilos Radio's Speedlight program has made a live interview with Zoltán Ponekker (Pontscho), one of the MPlayer founders who has developed significant parts of MPlayer, most notably the GUI (Graphical User Interface).
Download the interview here (Hungarian): 1. part | 2. part | 3. part |
2004.03.06, Saturday :: Softonic Multimedia Award Won
posted by Gabucino
Thanks to our fellow users, we've won another award, this time it is Softonic's "Mejor Reproductor de Vídeo" trophy.
Thanks for the support!
2004.01.26, Monday :: MPlayerHQ server update: moved to SCSI disks
posted by Arpi
Thanks to the great donations by Charlie (Adaptec 29160 controller) and Lupin III (2 x 36GB 10krpm disks), we could finally move OS and data (mailing lists, cvs, web etc) to SCSI base, hopefully solving the continous stability issues we had with those old IBM IDE disks since December. It should also improve speed and reaction time of the server.
Anyway we still have a small problem: the disks have 80-pin (SCA) connectors, and the 80-to-68pin converters I could buy here don't work in LVD mode, thus limiting bandwith to 40Mb/sec (SE mode). It should be enough for our current needs, but if you have 2 pieces of spare LVD-capable 80/68 converters, don't hesitate to donate! :)
2004.01.19, Monday :: HUP Reader's Choice Awards 2003
posted by Alex
2003 seems to be the year of MPlayer. Yet another award we got!
The Hungarian Unix Portal - the biggest Hungarian free software site - promoted it's first Reader's Choice Awards in November 2003. Members could vote starting on 19th November 2003 until the 20th December 2003.
For the people, who don't speak Hungarian, here are the results:
- 1. MPlayer (96%)
- 2. xine (2%)
- 3. VideoLan and avifile - head to head
The Hungarian speaking minority could visit the portal: article about the winners.
2004.01.18, Sunday :: LinuxQuestions.org Members Choice Award
posted by Diego
LinuxQuestions.org has finished voting for its LinuxQuestions.org Members Choice Award and MPlayer has been voted Multimedia application of the Year.
MPlayer received 44.61% of the votes, beating XMMS with 27.90% and xine with 17.40%.
2004.01.15, Thursday :: Mailing lists problem
posted by Arpi
Thanks to the serie of IDE HDD crashes we've got in past weeks, some of the mailman config/user databases got corrupted.
Especially the MPlayer-G2-dev list, which is uncorrectable, so I've re-created the list today, and subscribed everyone again, at least who subscribed until Aug 15 this year. I have no info about member (un)subscribes past that date, as I've disabled the notification. Please verify your membership and settings!
Since the MPlayer-users list also got somehow corrupted, several people reported that they either stop receiving mail or begin to receive them again despite of their are no longer member (they've already unsubscribed). Anyway this list has over 1500 members, many of them with broken (bouncing) addresses.
Update:
So, to clean things up, I've created an mplayer-newusers list, but
Attila Kinali suggested a better method: send a mail asking everyone
at mplayer-users to subscribe again, mass unsubscribe everyone,
and then re-create the list.
So, you have to subscribe again, even if you were already subscribed:
SUBSCRIBE.
2004.01.10, Saturday :: Radio interview: KiSS VS MPlayer
posted by Gabucino
The Danish National Radio (http://dr.dk) has made an interview with me (as MPlayer representative), and KiSS Technology's managing director Peter Wilmar Christensen.
It is going to be broadcasted tonight at 20:35, but it is also downloadable from the Internet right now:
A written article is also available, in Danish.
We have made a rough english translation of the session (thanks to Anders Rune Jensen). Our commentaries can be found at the bottom.
- Speaker:
- The development of MPlayer was started by a little group of Hungarian programmers 3 years ago.
- Speaker:
- We needed a program that could play media files under Linux and were so unsatisfied with the existing choices that we started making a better alternative - said Gabucino, the spokesperson for the MPlayer programmers.
- Speaker:
- MPlayer has reached a wide recognition in the Open Source community. Gabucino emphasizes the program's stability and ability to play many different movie formats as some of the obvious advantages.
- Speaker:
- The trouble with KiSS technology started recently when one of the MPlayer developers was shopping for a new DVD player and went for a product by the Danish company. For fun the programmer started looking at the software in the Danish DVD player, the so called firmware, and compared it with MPlayer's own code. There were enough similarities to take a closer look at the case and make the MPlayer team angry - Gabucino said.
- Speaker:
- The specific part of the code in which the similarities are found is the one controlling the subtitles when playing movies. The reality is that the code doesn't contain anything really brilliant. On the contrary, it's very simple. So Gabucino is puzzled why anyone would even bother using the code instead of writing it themselves. He suggests that it could be laziness on the programmer's side.
- Speaker:
- I think it's actually a very normal thing that programmers borrow Open Source code because they are too lazy to write it themselves. There have been some cases prior to this which have caused quite a lot of trouble. I think there are hundreds of examples like this that we just don't hear about - Gabucino said.
- Speaker:
- The MPlayer team has published the accusation of the code theft on their website and has tried to document it by listing the strings in the code which are identical in the two pieces of software. According to Gabucino, there are so many similarities that it's unthinkable that this might be a coincidence.
- Speaker:
- Normally this type of code is different depending on who implemented it, so, when there are so many identical strings, it's obvious that we're dealing with theft, the Hungarians believe.
- Speaker:
- GPL or General Public License which MPlayer is licensed under is a very widely used Open Source license, which gives the users certain rights and certain duties. Long story short, it is okay to take the code from MPlayer and develop it further, as long as the result is given back to the community. In this specific example Gabucino and the other Hungarians therefore demand that KiSS Technology should release the software used in its DVD players. And makes it clear that it is not a matter of getting some money from the Danish company, but a matter of fulfilling the requirements of the GPL and releasing the software.
- Speaker:
- KiSS Technology at first didn't react to the Hungarians' inquiry, but after the story began to get large publicity in the different net-medias and forums the company began to investigate the case this week. There are two main questions: whether code from MPlayer really is inside the KiSS software and how the licenses of Open Source software should be interpreted and applied. Apart from being accused of taking code from MPlayer, KiSS Technology has also been accused of using other Open Source software, but managing director Peter Wilmar Christensen denies all accusations with small requisitions. The DVD player from KiSS uses a modified version of Linux as its operating system and that part of the software has been released in accordance with the licenses. But KiSS proclaims that the programs used in the machines on top of the operating system, which enables them to play video and music files are the company's own and therefore are not required to be released, the managing director Peter Christensen explains.
- Peter:
- I would say that the is no truth to the accusations. In large there has been some interest regarding our applications recently and around GPL, which is the software used in the Open Source community which requires you to publish the source code if you use it. And there has been some interest in some of the programs used on our DVD players. Something called libmad and libjpg and than this Hungarian company MPlayer. On our DVD players we run Linux which is licensed under the GPL, we have on our webpage published the operating system so that people can download the improved version of Linux that we use. The application layer on top of Linux is proprietary and is not based on any GPL code. We doesn't use MPlayer, we use our own player, a player like we know from Real Player, Microsoft Media Player is the application used to display movies. It is a fundamental thing for our player, because it's what we are known for, being able to play a wide range of different formats.
- Speaker:
- The documentation the Hungarians has presented on their website is parts from your code. By simply comparing the strings line for line and concludes that they are so identical that this can be no coincidence. What is your comment on this?
- Peter:
- We are currently investigating exactly that specific part, how that can be and if it's really true what they say. Currently we have not investigated it enough to be sure whether or not they are right or wrong in their accusations. What is important is that we do not use their application (Of course, only the subtitle reader! - Gabucino). Should there be cases where the code is very much alike, we have to look at how that could have happened. But we doubt that there is any truth to the accusations. There are a lot of things that could have happened, one could imagine that code from our community has spread to other communities included the Open Source and code originating from our player could accordingly be a part of MPlayer, if in fact there are any similarities. It can be hard to tell how those similarities have supposedly appeared. What is important is that we do not use their application. If there are a few identical lines then one might ask themselves how that has happened. But it could have just as well come from one side as from the other. In any case, we are under no circumstances of the opinion that we have borrowed code.
- Speaker:
- Whoever made the code for subtitles in the Hungarian software and in the Danish DVD players can be thought of as a minor issue in today's world. But what is important is the matter of principles in this specific issue and what private companies can allow themselves when they use Open Source and on the other hand what the Open Source community can expect from the companies. Because of the current case, managing director Peter Wilmar Christensen has had a closer look at the GPL license and evaluated its legal status.
- Peter:
- We have confirmed what we already knew, that when using code licensed under the GPL then we have to publish any derivative work. This means that the legal foundation is very thin and there is no place in the world that I know of where the GPL has been tested in court. So from a business perspective I would say that the license is relatively weak. This doesn't change the fundamental spirit in the Open Source community which I think - all in all - is positive. But it is clear that as a commercial company living off selling its product, can not and will not release its proprietary code. It is naturally so that one should not use GPL code in proprietary systems.
- Speaker:
- According to Gabucino, the Hungarian software developers of MPlayer are glad that their accusation against the Danish company has reached the media.
- Speaker:
- As he said, there are no big economical options for dragging the case to court. Instead they hope that the Open Source community will put so much pressure on KiSS Techonology that they will be forced to release all its software.
- Speaker:
- But that is completely out of the question, said the managing director Peter Wilmar Christensen, even though he is very keen on staying good friends with the Open Source community.
- Peter:
- We don't have any intentions of working against or in another way make enemies with the people in this community. We try to tell what we use and what guidelines we follow. Have we made any error, such as making incorrect descriptions in our manuals then we will of course fix those things. It is not so that we in any way want confrontation, but we have to make a clear statement that our software will not be released as Open Source.
- Speaker:
- What is your conclusion of this case, what will it be after this?
- Peter:
- The conclusion will be that the licenses in this area are a good description of how one ought to operate within this community. They're more of a tool to describe how to operate than a set of rules that can be used in court. And I think that the Open Source circles uses far too much energy on hunting down private companies like us for instance, because it's so obvious that one as a private company simply can't release your source code. We appreciate the Linux community very much and see it as a good thing for the industry. Generally that there is an alternative to the Microsoft community. But we think that the community should respect the companies who use Linux and not hunt them because I don't think that's beneficial for anyone.
END OF TRANSLATION
Gabucino's comments: I find it quite disgusting to read so much plain lies. It's obvious how companies like KiSS or SCO treat open source. Let's read these particular sentences again:
- Peter:
- ...There are a lot of things that could have happened, one could imagine that code from our community has spread to other communities included the Open Source and code originating from our player could accordingly be a part of MPlayer, if in fact there are any similarities. It can be hard to tell how those similarities have supposedly started. What is important is that we do not use their application. If there are a few identical lines then one might ask themselves how that has happened.
It's quite clear that they've never read our News section, because we hurried to state they've even stolen our own subtitle file format MPsub (see our specifications).
Its idea was mine, then I asked laaz if he would be so kind as to implement it in MPlayer. Then in 2001 October 12 at 13:51:58 he commited the support, as can be seen here. The format was never spotted in the wild.
Several things can be concluded:
- Mr. Christensen never took the time to read our announcements.
- Mr. Christensen suggest they've implemented our subtitle format way before we did it ourselves. The KiSS firmwares are all made in 2003, which is - as far as I know - a way later year than 2001.
- Mr. Christensen doesn't have the slightest clue about what software his company is using.
- KiSS Technology has strange interpretation problems with some sentences, like "...We don't have any intentions of working against, or in another way make enemies with the people in this (Open Source) community."
Actually we can picture a quite nice representation of their viewpoint, especially after seeing their unwillingness to start a conversation with us in E-Mail. KiSS Technology's views are:
- "...making our source open to public is out of question"
- Pressing Microsoft (or Bush)-style PR, like repeating their own lies, emphasized again and again: "What is important is that we do not use their application."
- Spreading FUD: "It can be hard to tell how those similarities have supposedly started." Ever heard of version control systems?
- Holding good communiqe with the Open Source community: "If there are a few identical lines then one might ask themselves how that has happened. But it could have just as well come from one side as from the other..." The pitful aspect of this is that it implies a totally ignorant viewpoint, like 'our sources are ours, it's completely obfuscated, but yes, our claims are the truth, yours are plain lies'
How come companies like KiSS cant'be punished by Law?
2004.01.07, Wednesday :: Update on KiSS Technology
posted by Gabucino
The binaries in KiSS Technology's newer firmwares doesn't seem to contain our strings at the first sight. First we though they are encrypted, or obfuscated in some other way, like an executable packer. Actually these new files are simply compressed with gzip. Decompressing them is very simple:
dd if=fileplayer.bin bs=64 skip=1 | gunzip > fileplayer.bin.decomp
The strings are still there. Nothing has changed.
Downloads:
2004.01.03, Saturday :: Another stolen software in KiSS firmware
posted by Gabucino
It has been brought to my attention, that the now famous KiSS Technology - already in violation of the GNU General Public License - has been confirmed stealing another program which is also completely under the GPL license.
The software in question is the high-quality MPEG audio codec, MAD (libmad). This codec is used by a lot of other audio players, like mpg321, a command line MP3 player found in most Linux distributions - including Debian.
The strings from the KiSS firmware (matching libmad sources), can be viewed - but you can also check it for yourself, it's really easy.
And if you do: don't be surprised when you run into more strings - which match libjpeg's.
2004.01.03, Saturday :: KiSS Tech comment
posted by Gabucino
Before I get another 10 mails about this: the GPL.ZIP file
which they offer for download on their site contains only the Linux
kernel and busybox sources, not MPlayer's!
Thanks.
2004.01.02, Friday :: Another GPL violation: KiSS Technology
posted by Gabucino
Basically KiSS Technology is specialized in particular kinds of media hardware, namely DVD and MPEG-4 players, set-top-boxes, and such.
There is nothing wrong with that.
However, if a careless user initiates a string search in one of their firmwares:
$ strings KiSS_DP-508_FW2.7.4_PAL.iso | grep -A 3 -B 6 MPSub
Microdvd
Subrip
Subviewer
Sami
Vplayer
Unknown
MPSub
Subviewer 2.0
Subrip 0.9
Jacosub
Running the same command on the MPlayer binary:
$ strings /usr/bin/mplayer | grep -B 8 mpsub -A 4
<...>
L>microdvd
subrip
subviewer
sami
vplayer
dunnowhat
mpsub
subviewer 2.0
subrip 0.9
jacosub
<...>
You can also check the subreader.h
or the subreader.c
files in MPlayer sources.
As you can see, the KiSS firmware contains the subtitle formats in the very same order as we do. The thing that really catches the eye is the MPSub format, which is our own subtitle format, which hasn't been used anywhere else so far.
Another nice nit is the "dunnowhat" AKA "unknown" subtitle format, whose name remains unknown for us - thus the naming. It's the same in KiSS' files.
This of course is hardly enough for a proof. What really makes it a one hundred percent stealing is quite obvious: the sscanf() calls which contains the patterns of the subtitle formats known to the subtitle parser, in order to identify the chosen subtitle file.
Let's take an easy example:
$ strings fileplayer.bin
<...>
<SAMI>
%d:%d:%d.%d %d:%d:%d.%d
@%d @%d
%d:%d:%d:
%d:%d:%d
Dialogue: Marked
%d,%d,"%c
FORMAT=%d
FORMAT=TIM%c
-->>
<...>
$ strings subreader.o
<...>
<SAMI>
%d:%d:%d.%d %d:%d:%d.%d
@%d @%d
%d:%d:%d:
%d:%d:%d
Dialogue: Marked
Dialogue:
%d,%d,"%c
FORMAT=%d
FORMAT=TIM%c
-->>
<...>
These are the patterns we use to identify a SAMI subtitle file. We have one more pattern in our parser, which was commited on 2003 July 20, in effect of supporting a new subtitle format, called "ASS". KiSS Tech's files are missing this one, so they must have lifted our code before that date.
Let's see another:
$ strings fileplayer.bin
<...>
<%*[tT]ime %*[bB]egin="%d.%d" %*[Ee]nd="%d.%d"%*[^<]<clear/>%n
<%*[tT]ime %*[bB]egin="%d.%d" %*[Ee]nd="%d:%d.%d"%*[^<]<clear/>%n
<%*[tT]ime %*[bB]egin="%d:%d" %*[Ee]nd="%d:%d"%*[^<]<clear/>%n
<%*[tT]ime %*[bB]egin="%d:%d" %*[Ee]nd="%d:%d.%d"%*[^<]<clear/>%n
<%*[tT]ime %*[bB]egin="%d:%d.%d" %*[Ee]nd="%d:%d.%d"%*[^<]<clear/>%n
<...>
$ strings subreader.o
<...>
<%*[tT]ime %*[bB]egin="%d.%d" %*[Ee]nd="%d.%d"%*[^<]<clear/>%n
<%*[tT]ime %*[bB]egin="%d.%d" %*[Ee]nd="%d:%d.%d"%*[^<]<clear/>%n
<%*[tT]ime %*[bB]egin="%d:%d" %*[Ee]nd="%d:%d"%*[^<]<clear/>%n
<%*[tT]ime %*[bB]egin="%d:%d" %*[Ee]nd="%d:%d.%d"%*[^<]<clear/>%n
<%*[tT]ime %*[bB]egin="%d:%d.%d" %*[Ee]nd="%d:%d.%d"%*[^<]<clear/>%n
<...>
These are the patterns we use to identify an RT subtitle file.
Every single one of their patterns match ours! This is not coincidence. This is stealing GPL code into a proprietary product! KiSS Technology failed to answer our inquiry for their source files (which they are obligated to provide), so this news entry is posted.
Downloads: