MPlayer will be at LinuxTag again this year. You can meet us at Messe Berlin in Hall 7 booth 113, from May 28 to 31.
This year we're sharing the booth with FFmpeg and OGP.
Come visit us in Berlin!
No, we do not have plans to switch to GPL version 3 at this particular point in time. However, we do wish to be compatible with GPL version 3. We also wish to have the option of switching licenses available in the future. Circumstances making a license upgrade desirable might arise, one never knows. Unfortunately there are some bits of code in MPlayer that are licensed as GPL version 2 only. Trying to get in contact with the authors of these parts has been fruitless; we have had no reaction from them.
Thus we are looking for help contacting them. Specifically, we are searching for the authors of (crossed out authors we already found)
libmpcodecs/ve_x264.c
libmpdemux/demux_ty_osd.c
TOOLS/realcodecs/*
If you know how to get in touch with them or if you are one of the people we are seeking, please contact us so that we can get these issues resolved. Thanks a bunch.
On the first anniversary of libdvdnav under the new dev team, we're happy to announce a new release. But first, some history.
As some of you probably know, libdvdnav hasn't been actively developed upstream for quite some time. About a year ago, a couple of developers related to MPlayer took over the task of maintaining libdvdnav. The first release happened quietly on Sunday, October 28th 2007 and now it is time for another.
There have been many improvements to the build system and some bugfixes including plugging a few memory leaks since the last release, but no major changes.
libdvdnav-4.1.2 can be downloaded from the following locations. Please be kind to our server and use one of our many mirrors.
SHA1SUM: 65e8f5aa01a60cf8fd013ef9e5d8c23b9fef21d6
MD5SUM: 0e9a494403f9f5a2e781252c77599561
A buffer overflow was found and reported by Adam Bozanich of Musecurity in the code used to extract album titles from CDDB server answers.
When parsing answers from the CDDB server, the album title is copied into a fixed-size buffer with insufficient size checks, which may cause a buffer overflow. A malicious database entry could trigger a buffer overflow in the program. That can lead to arbitrary code execution with the UID of the user running MPlayer.
High (arbitrary code execution under the user ID running the player) when getting disk information from a malicious CDDB entry, null if you do not use this feature. Please note that it is possible to overwrite entries in the CDDB database, so an attack can also be performed via a non-compromised server. At the time the buffer overflow was fixed there was no known exploit in the wild.
A fix for this problem was committed to SVN on Sun Jan 20 20:58:02 2008 UTC as r25824. Users of affected MPlayer versions should download a patch for MPlayer 1.0rc2 or update to the latest version if they are using SVN.
MPlayer 1.0rc2 and SVN before r25824 (Sun Jan 20 20:58:02 2008 UTC). Older versions are probably affected, but they were not checked.
SVN HEAD after r25824 (Sun Jan 20 20:58:02 2008 UTC)
MPlayer 1.0rc2 + security patches
A buffer overflow was found and reported by Adam Bozanich of Musecurity in the code used to escape URL strings.
The code used to skip over IPv6 addresses can be tricked into leaving a pointer to a temporary buffer with a non-NULL value; this causes the unescape code to reuse the buffer, and may lead to a buffer overflow if the old buffer is smaller than required. A malicious URL string may be used to trigger a buffer overflow in the program, which can lead to arbitrary code execution with the UID of the user running MPlayer.
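The stale-buffer reuse described above is avoided when the buffer's capacity travels with its pointer and is checked on every use. This is an added illustration, not MPlayer's code; `struct scratch`, `scratch_reserve` and `url_unescape` are hypothetical names.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical scratch buffer: the capacity always travels with the pointer. */
struct scratch { char *buf; size_t cap; };

/* Ensure s holds at least need bytes; an old buffer is reused only if it fits. */
static int scratch_reserve(struct scratch *s, size_t need)
{
    char *p;

    if (s->buf && s->cap >= need)
        return 0;
    p = realloc(s->buf, need);
    if (!p)
        return -1;
    s->buf = p;
    s->cap = need;
    return 0;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode in into s->buf. Decoding never lengthens the string, so
 * strlen(in) + 1 bytes always suffice. Returns s->buf, or NULL on failure. */
const char *url_unescape(struct scratch *s, const char *in)
{
    size_t i, o = 0, n = strlen(in);

    if (scratch_reserve(s, n + 1))
        return NULL;
    for (i = 0; i < n; i++) {
        int hi = -1, lo = -1;
        if (in[i] == '%' && (hi = hexval(in[i + 1])) >= 0
                         && (lo = hexval(in[i + 2])) >= 0) {
            s->buf[o++] = (char)(hi * 16 + lo);
            i += 2;
        } else {
            s->buf[o++] = in[i];
        }
    }
    s->buf[o] = '\0';
    return s->buf;
}
```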
High (arbitrary code execution under the user ID running the player) if you can play untrusted URLs (e.g. delivered by a remote playlist), null if you do not use this feature. At the time the buffer overflow was fixed there was no known exploit in the wild.
A fix for this problem was committed to SVN on Sun Jan 20 20:43:46 2008 UTC as r25823. Users of affected MPlayer versions should download a patch for MPlayer 1.0rc2 or update to the latest version if they are using SVN.
MPlayer 1.0rc2 and SVN before r25823 (Sun Jan 20 20:43:46 2008 UTC). Older versions are probably affected, but they were not checked.
SVN HEAD after r25823 (Sun Jan 20 20:43:46 2008 UTC)
MPlayer 1.0rc2 + security patches
A buffer overflow was found and reported by Felipe Manzano and Anibal Sacco of CORE Security Technologies in the code used to parse MOV file headers. Other similar issues were found by Reimar Döffinger while fixing the code. The vulnerability is identified as CORE-2008-0122.
The code read some values from the file and used them as indexes into an array allocated on the heap without performing any boundary check. A malicious file may be used to trigger a buffer overflow in the program. That can lead to arbitrary code execution with the UID of the user running MPlayer.
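The missing boundary check, shown as an added example on a simplified sample-to-chunk style table (not MPlayer's demuxer code). The structures, the 8-byte entry layout and `apply_chunk_table` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified track state (not MPlayer's own structures). */
struct chunk { uint32_t samples; };
struct track {
    struct chunk *chunks;   /* heap array of chunk_count elements */
    uint32_t chunk_count;
};

static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* data = 32-bit entry count, then (first_chunk, samples_per_chunk) pairs,
 * big-endian, first_chunk 1-based. Each entry covers chunks up to the next
 * entry's first_chunk. Returns 0, or -1 if a file value is out of range. */
int apply_chunk_table(struct track *t, const uint8_t *data, size_t len)
{
    uint64_t limit = (uint64_t)t->chunk_count + 1, first, last, c;
    uint32_t n, i;

    if (len < 4)
        return -1;
    n = be32(data);
    /* The entry count is file-controlled too: check it against the payload. */
    if (n > (len - 4) / 8)
        return -1;
    for (i = 0; i < n; i++) {
        const uint8_t *e = data + 4 + (size_t)i * 8;

        first = be32(e);
        last = (i + 1 < n) ? be32(e + 8) : limit;
        /* Validate before indexing: 1 <= first < last <= chunk_count + 1. */
        if (first < 1 || last <= first || last > limit)
            return -1;
        for (c = first - 1; c < last - 1; c++)
            t->chunks[c].samples = be32(e + 4);
    }
    return 0;
}
```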
High (arbitrary code execution under the user ID running the player) when playing a malicious MOV file, null if you do not use this feature. At the time the buffer overflow was fixed there was no known exploit in the wild.
A fix for this problem was committed to SVN on Tue Jan 29 22:13:20 2008 UTC as r25920, Tue Jan 29 22:13:47 2008 UTC as r25921 and Tue Jan 29 22:14:00 2008 UTC as r25922. Users of affected MPlayer versions should download a patch for MPlayer 1.0rc2 or update to the latest version if they are using SVN.
MPlayer 1.0rc2 and SVN before r25922 (Tue Jan 29 22:14:00 2008 UTC). Older versions are probably affected, but they were not checked.
SVN HEAD after r25922 (Tue Jan 29 22:14:00 2008 UTC)
MPlayer 1.0rc2 + security patches
A stack overflow was found and reported by Damian Frizza and Alfredo Ortega of CORE Security Technologies in the code used to parse FLAC comments. The vulnerability is identified as CORE-2008-1218.
When loading a comment from the file, a length value is read from the file and then used as an index to a VLA array with no check performed. A malicious file could trigger a stack overflow in the program, leading to arbitrary code execution with the UID of the user running MPlayer.
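A length-prefixed comment reader that checks the file-supplied length before using it as an index, as an added example (not MPlayer's code). It assumes the Vorbis-comment layout of little-endian 32-bit lengths; `read_comment` and `find_tag` are hypothetical names, and tag matching is case-sensitive for brevity.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static uint32_t le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Read one length-prefixed string at *pos; copy it NUL-terminated into out. */
static int read_comment(const uint8_t *block, size_t block_len, size_t *pos,
                        char *out, size_t out_size)
{
    uint32_t len;

    if (*pos > block_len || block_len - *pos < 4)
        return -1;                      /* no room for the length field */
    len = le32(block + *pos);
    if (len > block_len - *pos - 4)     /* longer than the data that is left */
        return -1;
    if (out_size == 0 || len > out_size - 1)
        return -1;                      /* would not fit with its terminator */
    memcpy(out, block + *pos + 4, len);
    out[len] = '\0';                    /* index is now known to be in range */
    *pos += 4 + (size_t)len;
    return 0;
}

/* Walk vendor string, comment count and comments; copy the value of the
 * first comment that starts with key (e.g. "TITLE=") into out. */
int find_tag(const uint8_t *block, size_t block_len, const char *key,
             char *out, size_t out_size)
{
    char tmp[256];                      /* fixed size, never sized from the file */
    size_t pos = 0, klen = strlen(key);
    uint32_t count, i;

    if (read_comment(block, block_len, &pos, tmp, sizeof tmp))
        return -1;
    if (block_len - pos < 4)
        return -1;
    count = le32(block + pos);
    pos += 4;
    for (i = 0; i < count; i++) {
        if (read_comment(block, block_len, &pos, tmp, sizeof tmp))
            return -1;                  /* a lying count ends here, not past the block */
        if (strncmp(tmp, key, klen) == 0 && strlen(tmp) - klen < out_size) {
            strcpy(out, tmp + klen);
            return 0;
        }
    }
    return -1;
}
```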
High (arbitrary code execution under the user ID running the player) when playing a FLAC file with malicious comments, null if you do not use this feature. At the time the buffer overflow was fixed there was no known exploit in the wild.
A fix for this problem was committed to SVN on Tue Jan 29 22:00:58 2008 UTC as r25917. Users of affected MPlayer versions should download a patch for MPlayer 1.0rc2 or update to the latest version if they are using SVN.
MPlayer 1.0rc2 and SVN before r25917 (Tue Jan 29 22:00:58 2008 UTC). Older versions are probably affected, but they were not checked.
SVN HEAD after r25917 (Tue Jan 29 22:00:58 2008 UTC)
MPlayer 1.0rc2 + security patches
Like every year the Hungarian Unix Portal has held its annual Readers' Choice Award and MPlayer + its frontends came out on top of the "favorite video player" category. MPlayer got 600 votes (61%), placing it before VLC with 231 (23%) and Totem with 49 (5%).
If you can read Hungarian, check out the HUP award page.
It's been a while, but we are still around and have decided that it's time to funnel our steady stream of daily changes into a release again.
One main source of improvements has, as always, been FFmpeg, which added support for several new video and audio codecs along with speedups and massive code cleanups.
MPlayer now supports Real RTSP authentication and the libnemesi streaming library as an alternative to live555. Also, many QuickTime over RTSP streams can now be played. There have been various improvements to TV streaming, and Intel Mac support should be complete.
Support for VC-1 in MPEG-TS and MPEG-PS will make many HDTV streams work. Blu-ray or HD-DVD playback is not possible yet, but MPlayer can play the EVO files after they have been decrypted.
MPlayer now assumes square pixels as found on LCD panels. If the video on your monitor appears squished or stretched please use '-monitoraspect 4:3' to get back the previous behavior.
It is no longer necessary to patch the sources to get AMR audio support. Instead, download AMR libraries for Linux and install them as described on that page.
Note that this release will not compile on current (as of this writing) Cygwin versions due to a missing llrint implementation in Cygwin. You will have to wait for the next gcc upgrade in Cygwin or patch either Cygwin or MPlayer locally.
There is no need to download binary codec packages if you already have an older version.
MPlayer 1.0rc2 can be downloaded from the following locations. Please be kind to our server and use one of our many mirrors.
MPlayer 1.0rc2 is also available on BitTorrent.
MD5SUM: 7e27e535c2d267637df34898f1b91707
SHA1SUM: e9b496f3527c552004ec6d01d6b43f196b43ce2d
A stack overflow was found and reported by Stefan Cornelius of Secunia Research in the code used to handle CDDB queries. Two other similar issues were found by Reimar Döffinger while fixing the issue. The vulnerability is identified with CVE-2007-2948 and SAID 24302.
When copying the album title and category, no checking was performed on the size of the strings before storing them in a fixed-size array. A malicious entry in the database could trigger a stack overflow in the program, leading to arbitrary code execution with the UID of the user running MPlayer.
High (arbitrary remote code execution under the user ID running the player) when getting disk information from a malicious CDDB entry, null if you do not use this feature. Please note that it is possible to overwrite entries in the CDDB database, so an attack can also be performed via a non-compromised server. At the time the buffer overflow was fixed there was no known exploit in the wild.
A fix for this problem was committed to SVN on Tue Jun 5 11:13:32 2007 UTC as r23470. Users of affected MPlayer versions should download a patch for MPlayer 1.0rc1 or update to the latest version if they're using SVN.
In case you can't upgrade or apply the suggested patch, these are some possible workarounds:
Please note that we are not releasing an updated tarball with this fix at the moment.
If you need to stay with 1.0rc1, get the MPlayer 1.0rc1 tarball, apply the patch with the fix and recompile MPlayer. If possible, however, we recommend that you upgrade to SVN.
If you decide to stay with rc1, don't forget to also apply this older fix.
If you maintain a binary package for MPlayer, please name the updated version MPlayer 1.0rc1try3.
MPlayer 1.0rc1, MPlayer 1.0rc1try2 and SVN before r23470 (Tue Jun 5 11:13:32 2007 UTC). Older versions are probably affected, too, but they were not checked.
SVN HEAD after r23470 (Tue Jun 5 11:13:32 2007 UTC)
MPlayer 1.0rc1 + security patches
Like in previous years, MPlayer will be present at LinuxTag. This year the event will take place from May 30 to June 2 at Messe Berlin. FFmpeg will be there, too.
You are welcome to meet the developers and tell us your suggestions in Hall 12 Booth 93.
If you happen to be there on Friday morning, we suggest you attend the presentation FFmpeg: Past, Present, And Future by Mike Melanson, an FFmpeg developer and well-known multimedia hacker.
See you in Berlin!
We would like to thank all the generous people who donated towards helping us organize LinuxTag this year. Like last time when our server had broken down, the donations exceeded our expectations and are now closed.
The list of donors can be found on the donations page. Please mail me if you would like to have your name removed.
Many thanks to all of you!
Like every year, the FFmpeg and MPlayer teams are going to man a booth at LinuxTag this year. Unfortunately, some of our developers do not have enough cash to get there.
We estimated that we need about 800EUR to get everyone to LinuxTag. Thus we would like to kindly ask our users and supporters to donate a little bit of money to us so that we can meet you in Berlin.
We have just been notified that LinuxQuestions.org has held its annual Members Choice Award again and MPlayer has come out on top in the category Video Media Player Application of the Year.
MPlayer received 618 votes (41.93%), the second place went to VLC with 306 (20.76%) and the third place to kaffeine with 235 (15.94%).
A big thank you to our many fans.
Like every year the Hungarian Unix Portal has held its annual Readers' Choice Award and once again MPlayer came out on top of the "favorite video player" category. MPlayer got 799 votes (73%), placing it before VLC with 148 (13%) and xine with 52 (5%).
We also managed to return to the top of the "Favorite Hungarian Project" category. Thanks for the support!
If you can read Hungarian, check out the HUP award page.