NEW MPC vulnerability!

2007-09-13
2013-05-08
  • Markus Jansson

    Markus Jansson - 2007-09-13

    Check out, .avi files are also vulnerable!
    http://www.vulnhunt.com/advisories/CAL-20070912-1_Multiple_vendor_produce_handling_AVI_file_vulnerabilities.txt

    COULD SOMEONE WHO IS WORKING ON THIS MPC ACTUALLY RESPOND SOMETHING HERE? YOU KNOW, IT WOULD BE NICE TO EVEN KNOW THAT YOU ARE ACTUALLY AWARE THAT THERE ARE CURRETLY 2 MAJOR SECURITY VULNERABILITIES IN MPC?!?

    My previous post about .fli files being vulnerable via MPC didnt get any sensible responses from authors.
    http://sourceforge.net/forum/forum.php?thread_id=1809436&forum_id=281014

     
    • Gordon Venem

      Gordon Venem - 2007-09-13

      you can look at doom9. There are users offering patched builds. But I don't think someone has written a patch for these 2 vulnerabilities.

       
    • Wvlle

      Wvlle - 2007-09-15

      At least this is a MPC error, unlike the FLI issue which as I say in that thread makes no sense because MPC has no codecs and if it has a bug it's applicable to any format that hands it the wrong (or should I say right) data.
      Perhaps this is the very same bug they tried to point out when they mentioned FLI, and they just only noticed it with FLI because the FLI codec used was buggy (and presumably pretty old) and fed MPC data in such a way as to expose the general issue mentioned here.
      But if a codec and splitter, like ffdshow or a general directshow one handles itself right the possible exploitable erroneous data will never reach MPC to be exploited.

      So I'm not sure you can strictly call this a MPC bug, it's more a combination one, you need a bad codec to play along and then the bug in MPC could be exploited, but to then actually exploit it would take quite some effort, the malicious coder would have to hope the victim has the right decoder AND uses MPC.

      But I'm no expert.

       

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks