Bug#: 213039
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Diego E. 'Flameeyes' Pettenò <flameeyes@gentoo.org>


Description:   Opened: 2008-03-11 14:17 0000
From: Secunia Research <vuln@secunia.com>
Date: Mar 10, 2008 10:20 AM
Subject: Xine "sdpplin_parse()" Array Indexing Vulnerability
To: security@xinehq.de
Cc: miguel@cetuc.puc-rio.br, mroi@users.sourceforge.net,
melanson@pcisys.net, tmattern@noos.fr, vendor-sec@lst.de,
vuln@secunia.com


Hello,

 Secunia Research has discovered a vulnerability in Xine, which can be
 exploited by malicious people to compromise a user's system.

 The vulnerability is caused due to a boundary error within the
 "sdpplin_parse()" function in input/libreal/sdpplin.c. This can be
 exploited to overwrite arbitrary memory regions via an overly large
 "streamid" SDP parameter included in a malicious RTSP stream.

 Successful exploitation allows execution of arbitrary code.

 The vulnerability is confirmed in version 1.1.10.1. Other versions may
 also be affected.

 Vulnerability Details:
 ----------------------

 The vulnerability is present in input/libreal/sdpplin.c at line 255.

 ---
 desc->stream[stream->stream_id] = stream;
 ---

 Exploitation:
 -------------

 Secunia Research has created a PoC for the vulnerability, which is
 available upon request.

 Closing comments:
 -----------------

 We have assigned this vulnerability Secunia advisory SA28694 and CVE
 identifier CVE-2008-0073.

 A preliminary disclosure date of 2008-03-19 10am CET has been set, where
 the details will be publicly disclosed. However, we are naturally
 prepared to push the disclosure date if you need more time to address
 the vulnerability.

 Please acknowledge receiving this e-mail and let us know when you expect
 to fix the vulnerability.

 Credits should go to:
 Alin Rad Pop, Secunia Research.

 Also, if you have any questions, then please don't hesitate to contact
 me.

 --
 Alin Rad Pop
 Security Specialist

 Secunia
 Hammerensgade 4, 2. floor
 DK-1267 Copenhagen K
 Denmark

 Phone  +45 7020 5144
 Fax    +45 7020 5145
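
An added illustration, not part of the original report and not xine's code or its actual patch: a bounds-checked form of the store quoted in the advisory above. The structures, the function names and the stream_count field are assumptions made for this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* Hypothetical, simplified stand-ins for the parser's structures. */
typedef struct { unsigned stream_id; } stream_t;
typedef struct {
    unsigned stream_count;   /* number of slots allocated in stream[] */
    stream_t **stream;
} desc_t;

/* Strict parse of a "streamid" value: decimal digits only, no overflow. */
static int parse_stream_id(const char *text, unsigned *out)
{
    char *end;
    unsigned long v;
    if (text == NULL || *text < '0' || *text > '9')
        return -1;                       /* rejects "", "-1", " 3", "abc" */
    errno = 0;
    v = strtoul(text, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > UINT_MAX)
        return -1;                       /* overflow or trailing garbage */
    *out = (unsigned)v;
    return 0;
}

/* Checked form of: desc->stream[stream->stream_id] = stream;  0 = stored, -1 = rejected. */
int store_stream(desc_t *desc, stream_t *stream, const char *id_text)
{
    unsigned id;
    if (parse_stream_id(id_text, &id) != 0)
        return -1;
    if (desc->stream == NULL || id >= desc->stream_count)
        return -1;                       /* the bound the quoted line lacks */
    stream->stream_id = id;
    desc->stream[id] = stream;
    return 0;
}

/* Self-check helper: try one constructed id against a table of `slots` entries. */
int try_id(const char *id_text, unsigned slots)
{
    stream_t s = { 0 };
    desc_t d = { slots, calloc(slots, sizeof(stream_t *)) };
    int rc = d.stream ? store_stream(&d, &s, id_text) : -1;
    free(d.stream);
    return rc;
}
```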

------- Comment #1 From Diego E. 'Flameeyes' Pettenò 2008-03-11 14:18:51 0000 -------
FWIW, the same vulnerability applies to VLC.

------- Comment #2 From Robert Buchholz 2008-03-12 02:18:41 0000 -------
Does VLC know, have a patch? Does xine have a patch?

------- Comment #3 From Diego E. 'Flameeyes' Pettenò 2008-03-12 02:32:24 0000 -------
xine has a patch, the same patch should apply over VLC. I'm not sure if VLC is
informed, I said that to secunia people though.

------- Comment #4 From Pierre-Yves Rofes 2008-03-19 14:53:53 0000 -------
*** Bug 213928 has been marked as a duplicate of this bug. ***

------- Comment #5 From Pierre-Yves Rofes 2008-03-19 14:54:55 0000 -------
public now.

------- Comment #6 From Ben de Groot 2008-03-20 00:29:39 0000 -------
media-lib/xine-lib-1.1.11.ebuild in cvs

Arches please test and mark stable.
Target KEYWORDS="alpha amd64 ~arm hppa ia64 ppc ppc64 sparc x86 ~x86-fbsd"

------- Comment #7 From Jeroen Roovers 2008-03-20 04:30:09 0000 -------
(In reply to comment #6)
> media-lib/xine-lib-1.1.11.ebuild in cvs

That's not even a proper path if the directory was spelled right! :)

=media-libs/xine-lib-1.1.11 will do nicely.

------- Comment #8 From Christian Faulhammer 2008-03-20 07:34:41 0000 -------
x86 stable

------- Comment #9 From Jeroen Roovers 2008-03-20 17:45:12 0000 -------
Stable for HPPA.

------- Comment #10 From Markus Meier 2008-03-20 21:40:10 0000 -------
amd64 stable

------- Comment #11 From Tobias Klausmann 2008-03-21 12:30:00 0000 -------
alpha stable 

------- Comment #12 From Brent Baude 2008-03-21 14:16:59 0000 -------
ppc64 stable

------- Comment #13 From Raúl Porcel 2008-03-22 15:29:44 0000 -------
ia64/sparc stable

------- Comment #14 From Tobias Scherbaum 2008-03-23 11:32:47 0000 -------
ppc stable, ready for glsa

------- Comment #15 From Peter Volkov 2008-03-23 12:43:28 0000 -------
Fixed in release snapshot.

------- Comment #16 From Robert Buchholz 2008-03-24 19:45:03 0000 -------
request filed, will only be glsa'd after bug 214270 was fixed.

------- Comment #17 From Robert Buchholz 2008-08-06 00:31:35 0000 -------
GLSA 200808-01
