Re: [MPlayer-dev-eng] Attack by subtitles - from subtitles to complete takeover
- Date: Mon, 29 May 2017 10:14:18 -0400
- From: Compn <tempn@xxxxxxxxx>
- Subject: Re: [MPlayer-dev-eng] Attack by subtitles - from subtitles to complete takeover
On Mon, 29 May 2017 00:20:09 +0200, Ingo Brückl <ib@xxxxxxxxxxxxxxx>
> Does anyone know or can estimate whether MPlayer is affected by
mplayer is not affected.
wm4 reported that mpv is also not affected
[15:52] <wm4> mpv + subliminal script is apparently not affected
from the blog post:
> Some media players download subtitles automatically; these repositories hold extensive potential for attackers.
mplayer does not download subtitles automatically, which is what this
imo opensubtitles website should sanitize their subtitle repository to
avoid vectors like this in the future.
> particularly by any overflows as mentioned in
from that post:
>The Kodi issue was a zip archive path traversal (i.e. no protection against zip files extracting files to parent directories).
mplayer does not look for subtitles in zip / archives either , so this
vector is not applicable.
MPlayer-dev-eng mailing list