Media Player Classic FLI File Processing Buffer Overflow
Secunia Advisory: SA26591
Release Date: 2007-08-24
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Media Player Classic 6.x
However, I wonder when (if ever?!?) it will be patched? The files havent been updated early 2006 so...maybe there hasnt been any need for?
Has anyone even noticed this post?
Nobody to patch this vulnerability?
I hope someone will write a patch for it, too.
From codecguide.com I just got new version of Media Player Classic, its now 184.108.40.206 and published 11/9/2007. Is this patched version or just some new hacked version?!? (Actually I only got it via Real Alternative, the actual Klite Mega Codec Pack still has the old 220.127.116.11+ version.)
Could someone who actually works in this project actually give out some information about the situation?!?
Isn't it the decoder/splitter than hands the data to MPC? seems strange to specifically mention FLI when MPC doesn't have its own codecs, if there is some boundary error in MPC it would affect ANY codec and format that mishandles it and feeds it to MPC.
Sounds to me secunia doesn't know what it is talking about, correct me if I'm wrong though, as far as I know secunia has a good reputation but this makes little sense in this description.
And are FLI files still being produced even?
> MPC doesn't have its own codecs
Uhh.. yes it does have some. Quite a few of the items listed in the "Internal Filters" panel of the options make it so that MPC doesn't need any outside help, with FLI files being one of them.
> And are FLI files still being produced even?
What are you saying? That it doesn't need fixed since they're not all that common any more? If so, that's rather narrow minded. If MPC supports it and there's a vulnerability with it, then it needs fixed. Who's to say that someone wouldn't make one that exploits MPC and distribute it, especially just because they can? That's how some of these human parasites work, ya know.
It is QUITE disappointing that Gabest chooses to largely ignore these forums, though.
Well yes, a format that's rare is easy to avoid isn't it? so it does matter that it's rare.
Plus you can download an alternative decoder and use that I guess.
And it's true that the support and updates for MPC includes years of silence, that's known and obvious if you look at the filedates and forums (I see flicsource.ax is dated 2003)
It would be nice if you got immediate responses, but it's unpayed volunteer work and you take what you get I guess, and as other posters say for more immediate discussion there's always the doom9 forums.
But it's indeed a pity because MPC is still a very nice player and much more stable and 'supple' than VLC and for instance in my experience, not that you can't get both of course
Oh incidentally, the last time I tried a fli file in MPC it didn't play, but that was quite some time ago, but it indicates that the fli decoder might be a bit too dated anyway, and I guess realmedia, who own the format now I hear, updated it or something.
And one more thing, I saw on a german techsite where they track new files that they had v 18.104.22.168 for download, in fact that's why I visited to check if it was here, but it wasn't, so now I'm a bit puzzled where the .1 originated, doom9 or some other source.
> Well yes, a format that's rare is easy to avoid isn't it? so it does matter that it's
> rare. Plus you can download an alternative decoder and use that I guess.
From the perspective of someone who knows better, of course, but you can't lose sight of the people that don't. You gotta love them for being so sweet an innocent, but these are just the cold, hard facts. ;-)
Windows comes configured by default to hide extensions of known file types, which makes it all that much easier to hide things from people. This is one of the things that people looking to take advantage of these exploits rely on, as is evident by the number of malicious files floating around with double extensions, such as "PrettyPicture.jpg .fli". Even if extensions aren't hidden, all those spaces are most likely enough to push the real extension beyond the width of the column in Explorer, effectivly hiding it, and people ignore the elipses Explorer adds to indicate this. Of course, there's the Type column, but that gets ignored too. One of MPC's saving graces is that it doesn't associate itself with every single file type it supports, like so many presumptuous programs do, so the chance of someone who doesn't know any better actually getting MPC associated with the .fli extension is probably pretty low. But still, that's no reason not to fix it.
> Oh incidentally, the last time I tried a fli file in MPC it didn't play, but that was
> quite some time ago, but it indicates that the fli decoder might be a bit too dated
> anyway, and I guess realmedia, who own the format now I hear, updated it or something.
Interesting... The one on this page works, but it's from 1996, which is probably pre-RealMedia. Heh
Great.. seems as though SourceForge's forums took the liberty of removing all the spaces in my filename example, but I'm sure you get the idea.
Hmm, true, but on the other hand how many people use MPC that are so 'sweet and innocent' though :)
Plus since MPC has no automatic updates would they even find out if it was actually fixed in an update?
I read here: http://www.free-codecs.com/download/Media_Player_Classic.htm
that there is even a "Media Player Classic - Home Cinema 22.214.171.124"
With the listed changes among others:
- Fix in FLV splitter when video does not start with keyframe
- Vulnerability CAL-20070912-1 in AVI source filter (could potential execute arbitrary code with the user's privileges)
- Vulnerability in FLI internal source filter (referenced by Team 509)
A Media Player Classic mod designed for homecinema usage and released by Casimir666.
So perhaps you can use that for the time being.
there is a new file mpc 126.96.36.199, but i didn't find the sourcecode for it, so i don't know what was fixed. (changelog?)