Arch Linux Security Advisory ASA-201605-11 ========================================== Severity: Medium Date : 2016-05-07 CVE-ID : CVE-2016-4352 Package : mplayer Type : denial of service Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package mplayer before version 37857-1 is vulnerable to denial of service. Resolution ========== Upgrade to 37857-1. # pacman -Syu "mplayer>=37857-1" The problem has been fixed upstream in version 37857. Workaround ========== None. Description =========== A vulnerability has been discovered that is leading to a crash when playing a fuzzed gif file. The gif demuxes assumed in many places that width*height is <= INT_MAX, however this was not always true and was leading to an integer overflow. Impact ====== A remote attacker is able to use a specially crafted gid file that, when processed, is resulting in an application crash leading to denial of service. References ========== https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4352 http://www.openwall.com/lists/oss-security/2016/04/29/7 https://bugs.archlinux.org/task/49195 https://trac.mplayerhq.hu/ticket/2295