Re: [MPlayer-dev-eng] Attack by subtitles - from subtitles to complete takeover




On Mon, 29 May 2017 00:20:09 +0200, Ingo Brückl <ib@xxxxxxxxxxxxxxx>
wrote:

> Does anyone know or can estimate whether MPlayer is affected by

mplayer is not affected.

wm4 reported that mpv is also not affected 
[15:52] <wm4> mpv + subliminal script is apparently not affected

from the blog post:
> http://blog.checkpoint.com/2017/05/23/hacked-in-translation/,
> Some media players download subtitles automatically; these repositories hold extensive potential for attackers.

mplayer does not download subtitles automatically, which is what this
vector targeted.

imo opensubtitles website should sanitize their subtitle repository to
avoid vectors like this in the future.

> particularly by any overflows as mentioned in
> https://news.ycombinator.com/item?id=14408859?

from that post:

> The Kodi issue was a zip archive path traversal (i.e. no protection against zip files extracting files to parent directories).

mplayer does not look for subtitles in zip / archives either, so this
vector is not applicable.

-compn
_______________________________________________
MPlayer-dev-eng mailing list
MPlayer-dev-eng@xxxxxxxxxxxx
https://lists.mplayerhq.hu/mailman/listinfo/mplayer-dev-eng
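
The zip path traversal quoted in the message above (archive members extracting into parent directories) is avoided by validating every member path before anything is written. The following is an added example, not code from MPlayer, mpv or Kodi; the function names, the allowed extension list and the sample archive builder are assumptions made for illustration.

```python
import io
import os
import shutil
import zipfile

def unsafe_entries(zf, dest_dir):
    """Return names of archive members that would resolve outside dest_dir."""
    root = os.path.realpath(dest_dir)
    bad = []
    for info in zf.infolist():
        # Treat backslashes as separators so "..\\x" is caught on every platform.
        name = info.filename.replace("\\", "/")
        target = os.path.realpath(os.path.join(root, name))
        if os.path.isabs(name) or os.path.commonpath([root, target]) != root:
            bad.append(info.filename)
    return bad

def extract_subtitles(zip_bytes, dest_dir, allowed_ext=(".srt", ".sub", ".ass")):
    """Extract subtitle files only; reject the whole archive if any member escapes."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = unsafe_entries(zf, dest_dir)
        if bad:
            raise ValueError("archive rejected, unsafe member paths: %r" % bad)
        written = []
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(allowed_ext):
                continue
            # Write by basename so nothing lands in a subdirectory either.
            out = os.path.join(dest_dir, os.path.basename(info.filename))
            with zf.open(info) as src, open(out, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(out)
        return written

def build_zip(members):
    """Build an in-memory zip from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    import tempfile
    # Constructed sample: one normal subtitle and one member pointing at a parent dir.
    sample = build_zip({"movie.srt": b"1\n", "../../escape.srt": b"x"})
    try:
        extract_subtitles(sample, tempfile.mkdtemp())
    except ValueError as err:
        print(err)
```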