News

2008-09-09, Tuesday :: libdvdnav-4.1.3 and libdvdread-4.1.3 released
posted by Dominik

We are proud to announce another release. This time, it's a dual one, because libdvdread was split from libdvdnav and is now developed in a separate tree, retaining API compatibility with the old upstream.

Apart from the split, the highlights for this release include a large number of memory and resource leak fixes, pkgconfig support and the introduction of the dvdread-config script.

libdvdnav-4.1.3 and libdvdread-4.1.3 can be downloaded from the following locations. Please be kind to our server and use one of our many mirrors.

SHA1SUM: d1b95eb8a7caee1fa7580a1abad84d6cb3cad046
MD5SUM: d62383c45b28816771e283515f2c27fa

SHA1SUM: fc4c7ba3e49929191e057b435bc4f867583ea8d5
MD5SUM: 6dc068d442c85a3cdd5ad3da75f6c6e8

2008-05-29, Thursday :: MPlayer at LinuxTag 2008
posted by Roberto

Also this year MPlayer will be at LinuxTag. You can meet us at Messe Berlin in Hall 7 booth 113, from May 28 to 31.

This year we're sharing the booth with FFmpeg and OGP.

Come visit us in Berlin!

2008-04-30, Wednesday :: GPLv2
posted by Diego

No, we do not have plans to switch to GPL version 3 at this particular point in time. However, we do wish to be compatible with GPL version 3. We also wish to have the option of switching licenses available in the future. Circumstances making a license upgrade desirable might arise, one never knows. Unfortunately there are some bits of code in MPlayer which are licensed as GPL version 2 only. Trying to get in contact with the authors of these parts has been fruitless; we have had no reaction from them.

Thus we are looking for help contacting them. Specifically, we are searching for the authors of (crossed out authors we already found)

libmpcodecs/ve_x264.c
written by Bernhard Rosenkraenzer, last known email addresses < bero at arklinux dot org > and < bero at redhat dot com >
libmpdemux/demux_ty_osd.c
written by Mike Baker, last known email address < mbm at linux dot com > and Christopher Wingert, last known email addresses < cwingert at qualcomm dot com > and < mailbox at wingert dot org > and < usenet at wingert dot org > and < tivo at wingert dot org >
TOOLS/realcodecs/*
written by Florian Schneider, last known email address < flo-mplayer-dev at gmx dot net >. Note that this is not the Florian Schneider from the band Kraftwerk, nor a researcher from the ETH Zürich.

If you know how to get in touch with them or if you are one of the people we are seeking, please contact us so that we can get these issues resolved. Thanks a bunch.

2008-04-15, Tuesday :: libdvdnav-4.1.2 released
posted by Dominik

On the first anniversary of libdvdnav under the new dev team, we're happy to announce a new release. But first, some history.

As some of you probably know, libdvdnav hasn't been actively developed upstream for quite some time. About a year ago, a couple of developers related to MPlayer took over the task of maintaining libdvdnav. The first release happened quietly on Sunday, October 28th 2007 and now it is time for another.

There have been many improvements to the build system and some bugfixes including plugging a few memory leaks since the last release, but no major changes.

libdvdnav-4.1.2 can be downloaded from the following locations. Please be kind to our server and use one of our many mirrors.

SHA1SUM: 65e8f5aa01a60cf8fd013ef9e5d8c23b9fef21d6
MD5SUM: 0e9a494403f9f5a2e781252c77599561

2008-01-30, Wednesday :: buffer overflow in stream_cddb.c
posted by Roberto

Summary

A buffer overflow was found and reported by Adam Bozanich of Musecurity in the code used to extract album titles from CDDB server answers.

When parsing answers from the CDDB server, the album title is copied into a fixed-size buffer with insufficient size checks, which may cause a buffer overflow. A malicious database entry could trigger a buffer overflow in the program. That can lead to arbitrary code execution with the UID of the user running MPlayer.

Severity

High (arbitrary code execution under the user ID running the player) when getting disk information from a malicious CDDB entry, null if you do not use this feature. Please note that it is possible to overwrite entries in the CDDB database, so an attack can also be performed via a non-compromised server. At the time the buffer overflow was fixed there was no known exploit in the wild.

Solution

A fix for this problem was committed to SVN on Sun Jan 20 20:58:02 2008 UTC as r25824. Users of affected MPlayer versions should download a patch for MPlayer 1.0rc2 or update to the latest version if they are using SVN.

Affected versions

MPlayer 1.0rc2 and SVN before r25824 (Sun Jan 20 20:58:02 2008 UTC). Older versions are probably affected, but they were not checked.

Unaffected versions

SVN HEAD after r25824 (Sun Jan 20 20:58:02 2008 UTC)
MPlayer 1.0rc2 + security patches
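
The size check this advisory describes as missing, as an added illustration; it is not MPlayer's stream_cddb.c code or the committed fix. The function name, the 16-byte buffer and the sample answer are constructed, and the `DTITLE=` key is assumed from the CDDB entry format.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not MPlayer code: copy the value of the first
 * "DTITLE=" line of a CDDB answer into dst (dst_size bytes).
 * Returns 0 on success, -1 if no title is present or it does not fit. */
int extract_title(const char *answer, char *dst, size_t dst_size)
{
    static const char key[] = "DTITLE=";
    const size_t key_len = sizeof key - 1;
    const char *line = answer;

    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';

    while (line != NULL && *line != '\0') {
        if (strncmp(line, key, key_len) == 0) {
            const char *value = line + key_len;
            /* The server controls the title length, so measure it first. */
            size_t len = strcspn(value, "\r\n");
            if (len >= dst_size)   /* no room for the value plus its NUL */
                return -1;         /* reject instead of writing past dst */
            memcpy(dst, value, len);
            dst[len] = '\0';
            return 0;
        }
        line = strchr(line, '\n'); /* advance to the start of the next line */
        if (line != NULL)
            line++;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample answer, not captured from a real server. */
    const char *answer = "210 OK\r\nDTITLE=Artist / Album\r\n.\r\n";
    char title[16];
    if (extract_title(answer, title, sizeof title) == 0)
        printf("title: %s\n", title);
    return 0;
}
```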

2008-01-30, Wednesday :: buffer overflow in url.c
posted by Roberto

Summary

A buffer overflow was found and reported by Adam Bozanich of Musecurity in the code used to escape URL strings.

The code used to skip over IPv6 addresses can be tricked into leaving a pointer to a temporary buffer with a non-NULL value; this causes the unescape code to reuse the buffer, and may lead to a buffer overflow if the old buffer is smaller than required. A malicious URL string may be used to trigger a buffer overflow in the program, which can lead to arbitrary code execution with the UID of the user running MPlayer.

Severity

High (arbitrary code execution under the user ID running the player) if you can play untrusted URLs (e.g. delivered by a remote playlist), null if you do not use this feature. At the time the buffer overflow was fixed there was no known exploit in the wild.

Solution

A fix for this problem was committed to SVN on Sun Jan 20 20:43:46 2008 UTC as r25823. Users of affected MPlayer versions should download a patch for MPlayer 1.0rc2 or update to the latest version if they are using SVN.

Affected versions

MPlayer 1.0rc2 and SVN before r25823 (Sun Jan 20 20:43:46 2008 UTC). Older versions are probably affected, but they were not checked.

Unaffected versions

SVN HEAD after r25823 (Sun Jan 20 20:43:46 2008 UTC)
MPlayer 1.0rc2 + security patches
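
One way to make buffer reuse of the kind described in this advisory safe, as an added illustration; it is not MPlayer's url.c code or the committed fix. The `struct scratch` type, the function names and the sample URLs are constructed: the point is that a reusable pointer always travels with its capacity, so a leftover buffer is grown before it is written.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reusable buffer: the pointer is never stored without its size. */
struct scratch { char *buf; size_t cap; };

static int hexval(int c)
{
    return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
}

/* Decode %XX escapes from in into s->buf, growing the buffer if the one
 * left over from an earlier call is too small. Returns s->buf, or NULL
 * if memory could not be allocated (the old buffer stays valid). */
const char *url_unescape(struct scratch *s, const char *in)
{
    size_t need = strlen(in) + 1;  /* decoding never lengthens the string */
    if (s->buf == NULL || s->cap < need) {
        char *grown = realloc(s->buf, need);
        if (grown == NULL)
            return NULL;
        s->buf = grown;
        s->cap = need;
    }
    char *out = s->buf;
    while (*in != '\0') {
        unsigned char h = (unsigned char)in[1];
        unsigned char l = h ? (unsigned char)in[2] : 0;
        if (in[0] == '%' && isxdigit(h) && isxdigit(l)) {
            *out++ = (char)(hexval(h) * 16 + hexval(l));
            in += 3;
        } else {
            *out++ = *in++;
        }
    }
    *out = '\0';
    return s->buf;
}

int main(void)
{
    struct scratch s = { NULL, 0 };
    /* Constructed inputs: a short URL first, then a longer one that
     * must not be decoded into the short call's 6-byte buffer. */
    const char *r = url_unescape(&s, "a%20b");
    if (r != NULL)
        r = url_unescape(&s, "http://[::1]/dir%2Ffile%20name");
    if (r != NULL)
        puts(r);
    free(s.buf);
    return 0;
}
```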

2008-01-29, Tuesday :: buffer overflow in demux_mov.c
posted by Roberto

Summary

A buffer overflow was found and reported by Felipe Manzano and Anibal Sacco of CORE Security Technologies in the code used to parse MOV file headers. Other similar issues were found by Reimar Döffinger while fixing the code. The vulnerability is identified as CORE-2008-0122.

The code read some values from the file and used them as indexes into an array allocated on the heap without performing any boundary check. A malicious file may be used to trigger a buffer overflow in the program. That can lead to arbitrary code execution with the UID of the user running MPlayer.

Severity

High (arbitrary code execution under the user ID running the player) when playing a malicious MOV file, null if you do not use this feature. At the time the buffer overflow was fixed there was no known exploit in the wild.

Solution

A fix for this problem was committed to SVN on Tue Jan 29 22:13:20 2008 UTC as r25920, Tue Jan 29 22:13:47 2008 UTC as r25921 and Tue Jan 29 22:14:00 2008 UTC as r25922. Users of affected MPlayer versions should download a patch for MPlayer 1.0rc2 or update to the latest version if they are using SVN.

Affected versions

MPlayer 1.0rc2 and SVN before r25922 (Tue Jan 29 22:14:00 2008 UTC). Older versions are probably affected, but they were not checked.

Unaffected versions

SVN HEAD after r25922 (Tue Jan 29 22:14:00 2008 UTC)
MPlayer 1.0rc2 + security patches
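
The boundary check this advisory describes as missing, as an added illustration; it is not MPlayer's demux_mov.c code or the committed fix. The record layout (pairs of big-endian 32-bit index and value), the function names and the sample bytes are constructed and do not reproduce the real MOV atom layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Read a big-endian 32-bit value; the caller guarantees 4 readable bytes. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Hypothetical parser, not MPlayer code. Input is a run of records,
 * each a u32 index followed by a u32 value, and every record stores
 * value into table[index]. table has count entries on the heap.
 * Returns the number of records applied, or -1 on a truncated record
 * or an index outside the table. */
long apply_records(const uint8_t *data, size_t len,
                   uint32_t *table, size_t count)
{
    long applied = 0;
    size_t off = 0;

    while (off < len) {
        if (len - off < 8)          /* record runs past the input */
            return -1;
        uint32_t idx = be32(data + off);
        uint32_t val = be32(data + off + 4);
        if (idx >= count)           /* file-supplied index: check before use */
            return -1;
        table[idx] = val;
        off += 8;
        applied++;
    }
    return applied;
}

int main(void)
{
    /* Constructed input: table[1] = 42, then an index far out of range. */
    const uint8_t file[] = { 0, 0, 0, 1,  0, 0, 0, 42,
                             0xff, 0xff, 0xff, 0xff,  0, 0, 0, 1 };
    uint32_t *table = calloc(4, sizeof *table);
    if (table == NULL)
        return 1;
    printf("result: %ld\n", apply_records(file, sizeof file, table, 4));
    free(table);
    return 0;
}
```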

2008-01-29, Tuesday :: stack overflow in demux_audio.c
posted by Roberto

Summary

A stack overflow was found and reported by Damian Frizza and Alfredo Ortega of CORE Security Technologies in the code used to parse FLAC comments. The vulnerability is identified as CORE-2008-1218.

When loading a comment from the file, a length value is read from the file and then used as an index into a variable-length array (VLA) with no check performed. A malicious file could trigger a stack overflow in the program, leading to arbitrary code execution with the UID of the user running MPlayer.

Severity

High (arbitrary code execution under the user ID running the player) when playing a FLAC file with malicious comments, null if you do not use this feature. At the time the buffer overflow was fixed there was no known exploit in the wild.

Solution

A fix for this problem was committed to SVN on Tue Jan 29 22:00:58 2008 UTC as r25917. Users of affected MPlayer versions should download a patch for MPlayer 1.0rc2 or update to the latest version if they are using SVN.

Affected versions

MPlayer 1.0rc2 and SVN before r25917 (Tue Jan 29 22:00:58 2008 UTC). Older versions are probably affected, but they were not checked.

Unaffected versions

SVN HEAD after r25917 (Tue Jan 29 22:00:58 2008 UTC)
MPlayer 1.0rc2 + security patches
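
A checked way to read a length-prefixed comment of the kind this advisory concerns, as an added illustration; it is not MPlayer's demux_audio.c code or the committed fix. The function name, the `MAX_COMMENT` cap, the 32-bit little-endian length prefix and the sample bytes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_COMMENT 4096u  /* assumed policy cap, not a limit of the format */

/* Hypothetical reader, not MPlayer code. Input is a u32 little-endian
 * length followed by that many comment bytes. The length is validated
 * against both the cap and the bytes actually present before it sizes
 * or indexes anything, and the copy lives on the heap, not in a
 * stack array sized by the file.
 * Returns a NUL-terminated copy (caller frees) or NULL if malformed. */
char *read_comment(const uint8_t *data, size_t len, size_t *consumed)
{
    if (len < 4)
        return NULL;
    uint32_t n = (uint32_t)data[0] | ((uint32_t)data[1] << 8) |
                 ((uint32_t)data[2] << 16) | ((uint32_t)data[3] << 24);
    if (n > MAX_COMMENT || n > len - 4)  /* claimed length must be real */
        return NULL;

    char *out = malloc((size_t)n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, data + 4, n);
    out[n] = '\0';                        /* n is now a proven-safe index */
    if (consumed != NULL)
        *consumed = 4 + (size_t)n;
    return out;
}

int main(void)
{
    /* Constructed inputs: one honest comment, one with a lying length. */
    const uint8_t good[] = { 3, 0, 0, 0, 'A', '=', 'b' };
    const uint8_t lie[]  = { 0xff, 0xff, 0xff, 0x7f, 'x' };
    char *c = read_comment(good, sizeof good, NULL);
    printf("good: %s\n", c != NULL ? c : "(rejected)");
    free(c);
    c = read_comment(lie, sizeof lie, NULL);
    printf("lie:  %s\n", c != NULL ? c : "(rejected)");
    free(c);
    return 0;
}
```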

2008-01-03, Wednesday :: HUP Readers' Choice Award 2007
posted by Diego

Like every year the Hungarian Unix Portal has held its annual Readers' Choice Award and MPlayer + its frontends came out on top of the "favorite video player" category. MPlayer got 600 votes (61%), placing it before VLC with 231 (23%) and Totem with 49 (5%).

If you can read Hungarian, check out the HUP award page.

2007-10-07, Sunday :: MPlayer 1.0rc2 released
posted by the release team

It's been a while, but we are still around and have decided that it's time to funnel our steady stream of daily changes into a release again.

One main source of improvements has, as always, been FFmpeg, which added support for several new video and audio codecs along with speedups and massive code cleanups.

MPlayer now supports Real RTSP authentication and the libnemesi streaming library as an alternative to live555. Also, many QuickTime over RTSP streams can now be played. There have been various improvements to TV streaming, and Intel Mac support should be complete.

Support for VC-1 in MPEG-TS and MPEG-PS will make many HDTV streams work. Blu-ray or HD-DVD playback is not possible yet, but MPlayer can play the EVO files after they have been decrypted.

MPlayer now assumes square pixels as found on LCD panels. If the video on your monitor appears squished or stretched please use '-monitoraspect 4:3' to get back the previous behavior.

It is no longer necessary to patch the sources to get AMR audio support. Instead, download AMR libraries for Linux and install them as described on that page.

Note that this release will not compile on current (as of this writing) Cygwin versions due to a missing llrint implementation in Cygwin. You will have to wait for the next gcc upgrade in Cygwin or patch either Cygwin or MPlayer locally.

There is no need to download binary codec packages if you already have an older version.

MPlayer 1.0rc2: "AreWeThereYet?"

DOCS:

Decoders:

Demuxers:

Streaming:

FFmpeg/libavcodec:

libmpeg2:

Filters:

MEncoder:

Ports:

Drivers:

Others:

MPlayer 1.0rc2 can be downloaded from the following locations. Please be kind to our server and use one of our many mirrors.

MPlayer 1.0rc2 is also available on BitTorrent.

MD5SUM: 7e27e535c2d267637df34898f1b91707
SHA1SUM: e9b496f3527c552004ec6d01d6b43f196b43ce2d