214270 2008-03-22 16:02 0000 media-libs/xine-lib <1.1.11.1 Multiple Integer Overflow Vulnerabilities (CVE-2008-1482) 2008-08-06 00:31:43 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://secunia.com/advisories/29484/ A2 [glsa] P2 normal --- 1 rbu@gentoo.org security@gentoo.org arm@gentoo.org flameeyes@gentoo.org ingmar@gentoo.org media-video@gentoo.org rbu@gentoo.org 2008-03-22 16:02:46 0000 Secunia: Luigi Auriemma has reported some vulnerabilities in xine-lib, which potentially can be exploited by malicious people to compromise a user's system. The vulnerabilities are caused due to integer overflow errors when allocating memory in src/demuxers/demux_flv.c, src/demuxers/demux_qt.c, src/demuxers/demux_real.c, src/demuxers/demux_wc3movie.c, src/demuxers/ebml.c, and src/demuxers/demux_film.c. These can be exploited to cause heap-based buffer overflows via overly large fields included in e.g. FLV, MOV, RM, MVE, MKV, and CAK files. The vulnerabilities are reported in version 1.1.11. Other versions may also be affected. SOLUTION: Do not open untrusted files using xine-lib. PROVIDED AND/OR DISCOVERED BY: Luigi Auriemma ORIGINAL ADVISORY: http://aluigi.altervista.org/adv/xinehof-adv.txt rbu@gentoo.org 2008-03-22 16:04:21 0000 flameeyes, are these fixed upstream? flameeyes@gentoo.org 2008-03-22 16:41:47 0000 These were not known to upstream until now, and it's now freakin' easter, don't expect me to find a way to fix them before tuesday... incidentally I decided to use easter as timeframe to clean up my office's cabling -_-; flameeyes@gentoo.org 2008-03-22 16:43:06 0000 FWIW, they should _all_ be fixed in 1.2 series, I suppose backporting the relevant changes, if possible, would solve the issue. 1.2 makes good use of calloc rather than using malloc directly. rbu@gentoo.org 2008-03-26 20:55:43 0000 Diego, is there any update here? flameeyes@gentoo.org 2008-03-26 21:54:19 0000 Upstream is handling it as bug 71: http://bugs.xine-project.org/show_bug.cgi?id=71 There is a patch but I wasn't able to doublecheck its commit status yet, sorry I'm behind with my own schedule. rbu@gentoo.org 2008-03-26 23:06:14 0000 Merged here: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=a3f2772fd14b;style=gitweb http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=08bb2b5bfddd;style=gitweb Although it seems this here is worth merging too: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=6f9e9feb84e5;style=gitweb rbu@gentoo.org 2008-04-04 02:02:06 0000 ping, flamy and others? rbu@gentoo.org 2008-04-04 02:07:49 0000 Ok, I should have checked before. Fixes released as 1.1.11.1 (omg!). Please bump. aballier@gentoo.org 2008-04-07 19:42:51 0000 (In reply to comment #8) > Ok, I should have checked before. Fixes released as 1.1.11.1 (omg!). Please > bump. > bumped; there was two (known to me) regressions in this release, they're patched. rbu@gentoo.org 2008-04-07 23:53:41 0000 Arches, please test and mark stable: =media-libs/xine-lib-1.1.11.1 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sparc x86" jer@gentoo.org 2008-04-08 02:12:22 0000 Stable for HPPA. corsair@gentoo.org 2008-04-08 05:18:26 0000 ppc64 stable klausman@gentoo.org 2008-04-08 20:10:05 0000 Stable on alpha. bluebird@gentoo.org 2008-04-08 22:00:09 0000 Tested =media-libs/xine-lib-1.1.11.1 USE="X a52 aac aalib alsa dts dvd flac gnome gtk mad mng musepack nls opengl samba sdl speex theora truetype vcd vidix vorbis xcb xinerama xv (-altivec) -arts -debug (-directfb) -dxr3 -esd -fbcon -imagemagick -ipv6 -jack -libcaca -mmap (-modplug) -oss -pulseaudio (-real) -v4l -wavpack (-win32codecs) (-xvmc)" on sparc. - compiles fine - no test failures - no collisions - works fine using dvds and vcds # emerge --info Portage 2.1.4.4 (default-linux/sparc/sparc64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.24-gentoo-r4 sparc64) ================================================================= System uname: 2.6.24-gentoo-r4 sparc64 sun4u Timestamp of tree: Tue, 08 Apr 2008 21:00:01 +0000 app-shells/bash: 3.2_p17-r1 dev-lang/python: 2.4.4-r9 dev-python/pycrypto: 2.0.1-r6 sys-apps/baselayout: 1.12.11.1 sys-apps/sandbox: 1.2.18.1-r2 sys-devel/autoconf: 2.13, 2.61-r1 sys-devel/automake: 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.18-r1 sys-devel/gcc-config: 1.4.0-r4 sys-devel/libtool: 1.5.26 virtual/os-headers: 2.6.23-r3 ACCEPT_KEYWORDS="sparc" CBUILD="sparc-unknown-linux-gnu" CFLAGS="-mcpu=ultrasparc3 -mtune=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe -ggdb" CHOST="sparc-unknown-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config" CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d" CXXFLAGS="-mcpu=ultrasparc3 -mtune=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe -ggdb" DISTDIR="/tmp/distfiles" FEATURES="collision-protect distlocks installsources metadata-transfer parallel-fetch sandbox splitdebug strict test userfetch userpriv usersandbox" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" LANG="de_DE.UTF-8" LDFLAGS="-Wl,-O1" LINGUAS="en de" MAKEOPTS="-j10" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/portage/local/layman/sunrise /usr/portage/local/layman/gnash-cvs /usr/local/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="64bit 7zip X a52 aac aalib ace agg alsa artworkextra audacious blender-game bluetooth bzip2 c++ caps clock-screen cups curl custom-cflags cvs cxx dbus devhelp dga disk-partition divx doc dri dts dv dvd dvdread eds encode evo exif fastcgi fat festival ffmpeg flac ftp fuse gd gif gimp gimpprint glade gmedia gnome gnome-print gnomecanvas gpm grammar gtk hal hpn ieee1394 imap ithreads javascript jpeg jpeg2k key-screen libsexy lyrics lzo mad mbrola memcache midi mikmod mjpeg mng mouse mp2 mp3 mpeg mpeg2 mplayer musepack musicbrainz nautilus ncurses network network-cron networking nls nptl nptlonly nsplugin offensive ogg openal opengl openmp opera pam parallel pcre pdf png pnm ppds qt3support quicktime raw realmedia regex ruby samba sasl sdl sdl-image search-screen slang smartcard smp sms sound soundex source sourceview sparc speex spell sqlite3 ssl subversion svg symlink taglib tagwriting theora threads tiff timidity truetype tta unicode usb userlocales utils vcd vidix vim vim-syntax vim-with-x vorbis wma wmf wmp wordexp x264 xanim xcb xfce xine xinerama xorg xulrunner xv xvid zlib" ALSA_CARDS="CS4231" ALSA_PCM_PLUGINS="adpcm alaw copy dshare dsnoop extplug file hooks ladspa lfloat linear meter mulaw multi null rate route share shm" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de" USERLAND="GNU" VIDEO_CARDS="mach64 fbdev mga" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS armin76@gentoo.org 2008-04-09 09:51:06 0000 ia64/sparc/x86 stable, thanks Friedrich maekke@gentoo.org 2008-04-09 20:46:41 0000 amd64 stable dertobi123@gentoo.org 2008-04-10 18:43:57 0000 ppc stable pva@gentoo.org 2008-04-10 20:38:59 0000 Fixed in release snapshot. rbu@gentoo.org 2008-08-06 00:31:43 0000 GLSA 200808-01