Linux suppliers are urging users to patch a serious bug in the graphical user interface of the popular Mplayer media player application, which could allow a remote attacker to execute malicious code on a Linux or Unix system.
Gentoo Linux have instructed users to upgrade to the latest version of Mplayer. However, developers have warned that more bugs of the same sort are likely to be uncovered in Mplayer's GUI and recommended administrators to switch the interface off.
The application comes with many Linux distributions and is likely to have the GUI switched on by default, warned "c0ntex", the researcher at Open Security Group who discovered the flaw. It was originally confirmed on Red Hat and FreeBSD installations, although any version of Linux is likely to be vulnerable.
The bug was first publicly reported on the Bugtraq security mailing list about a month ago, and the Mplayer project released a fix at that time, which Linux suppliers are now tailoring for their individual distributions. All versions of Mplayer up to 1.0pre4 are vulnerable, c0ntex said.
A problem in the common.c file, part of the GUI, is vulnerable to a buffer overflow caused by improper checking of user-supplied input. The result is that if a user were enticed to play a specially-crafted media file the player could be crashed or malicious code executed on the system.
More problems are likely to surface in common.c, according to one Mplayer developer. In a message to a Mplayer developers' e-mail list in early June, programmer Richard Felker said he had discovered "lots" of buffer overflows in the file.
"I would recommend not using the GUI," he wrote. "This code is so nasty and broken that I'm not going to spend my time fixing it... if you want the GUI to work, and don't want to be embarrassed by remote [vulnerabilities] in Mplayer, step up and fix it."
Advisories from Secunia, Internet Security Systems and others have given the Mplayer bug a high-risk rating. The bug has the reference code CAN-2004-0659 in the US government-backed Common Vulnerabilities and Exposures database.
Matthew Broersma writes for Techworld.com