Bug 208100 - media-libs/xine-lib <1.1.10 ASF Header Buffer overflow (CVE-2008-1110)
A few days ago xine-lib-1.1.10 was released mentionning that in its changelog:
* Security fixes:
- Buffer overflow which allows a remote attacker to execute arbitrary
code or crash the client program via a crafted ASF header.
(Related to CVE-2006-1664)
I do not have more info at the moment and do not know what you would like to do
with this.
Thanks for letting us know.
Just for reference, CVE-2006-1664 was handled in bug 128838. We should refer to
this using a new CVE name, because code-wise, they look unrelated (just
similar).
The $URL contains the patch, but I guess we could just go with stabling .10?
Can someone reproduce this with the PoC here:
http://milw0rm.com/exploits/1641 ?
$ gdb xine
...
(gdb) run egg.mpeg
...
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x40000032ef0 (LWP 2315)]
0x0000040002b6e4f8 in ?? () from
/usr/lib64/xine/plugins/1.1.9.1/xineplug_dmx_asf.so
(gdb)
1.1.10 doesn't want to open the file.
It's probably a good idea to go for 1.1.10 stable (esp. since current stable
has issues with amarok and this version is supposed to fix 'em)
Arches, please test and mark stable:
=media-libs/xine-lib-1.1.10
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
@Alexis: Weird thing is that I could reproduce the crash with 1.1.8 in a normal
startup, but not within gdb.
media-libs/xine-lib-1.1.10 USE="X a52 aac alsa dts* dvd flac gtk imagemagick*
libcaca mad* nls opengl samba sdl theora* truetype v4l vorbis xv* -aalib
(-altivec) -arts -debug -directfb -dxr3 -esd -fbcon -gnome -ipv6 -jack -mmap
-mng -modplug -musepack -oss -pulseaudio -real -speex -vcd (-vidix) -wavpack
(-win32codecs) -xcb -xinerama -xvmc"
* Emerges on AMD64.
* Works!
- -
Portage 2.1.3.19 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0,
2.6.23-gentoo-r3 x86_64)
=================================================================
System uname: 2.6.23-gentoo-r3 x86_64 AMD Turion(tm) 64 X2 Mobile Technology
TL-56
Timestamp of tree: Wed, 30 Jan 2008 21:30:07 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632)
[disabled]
app-shells/bash: 3.2_p17-r1
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python: 2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.10-r5
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.61-r1
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.24
virtual/os-headers: 2.6.23-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -Os -msse3 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf
/etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/
/etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo
/etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-march=k8 -Os -msse3 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks metadata-transfer multilib-strict
parallel-fetch sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://213.186.33.38/gentoo-distfiles/
http://213.186.33.37/gentoo-distfiles/"
LANG="C"
LC_ALL="C"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X a52 aac acpi alsa amd64 amr amrnb amrwb bash-completion
berkdb bitmap-fonts branding bzip2 cairo cli cracklib crypt cups dbus divx doc
dvd dvdr emerald fam ffmpeg firefox flac fortran gd gdbm gif glade glib glitz
gtk gtkspell hal hddtemp iconv imagemagick insecure-savers isdnlog javascript
jpeg jpeg2k kqemu libcaca libnotify midi mmx mmxext mp2 mp3 mp4 mpeg mplayer
mudflap musicbrainz mysql ncurses nls nptl nptlonly offensive ogg opengl openmp
pam pcre png pppd python quicktime readline realmedia reflection samba sdl
session smp spell spl sse sse2 ssl stream svg syslog taglib tcpd threads
truetype truetype-fonts type1 type1-fonts unicode v4l v4l2 vhosts vim-syntax
vorbis wmp xcomposite xorg xosd xpm xscreensaver xvid zlib" ALSA_CARDS="ali5451
als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938
es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx
via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop
empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi
null plug rate route share shm softvol" APACHE2_MODULES="actions alias
auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm
authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache
dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache
filter headers include info log_config logio mem_cache mime mime_magic
negotiation rewrite setenvif speling status unique_id userdir usertrack
vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev synaptics
joystick" KERNEL="linux" LCD_DEVICES="xosd" USERLAND="GNU" VIDEO_CARDS="nv
nvidia none"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS,
PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
amd64 stable, thanks miknix
Tested media-libs/xine-lib-1.1.10 USE="X a52 aac aalib alsa dts dvd flac gnome
gtk mad musepack nls opengl samba sdl speex theora truetype vcd vidix vorbis
xcb xinerama xv (-altivec) -arts -debug (-directfb) -dxr3 -esd -fbcon
-imagemagick -ipv6 -jack -libcaca -mmap -mng (-modplug) -oss -pulseaudio
(-real) -v4l -wavpack (-win32codecs) (-xvmc)" on sparc.
- compiles
- no test phase
- no collisions
- works!
# emerge --info
Portage 2.1.3.19 (default-linux/sparc/sparc64/2007.0, gcc-4.1.2,
glibc-2.6.1-r0, 2.6.23-gentoo-r6 sparc64)
=================================================================
System uname: 2.6.23-gentoo-r6 sparc64 sun4u
Timestamp of tree: Fri, 01 Feb 2008 17:00:01 +0000
ccache version 2.4 [enabled]
app-shells/bash: 3.2_p17-r1
dev-lang/python: 2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache: 2.4-r7
sys-apps/baselayout: 1.12.10-r5
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.61-r1
sys-devel/automake: 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.24
virtual/os-headers: 2.6.23-r3
ACCEPT_KEYWORDS="sparc"
CBUILD="sparc-unknown-linux-gnu"
CFLAGS="-mcpu=ultrasparc3 -mtune=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe
-frename-registers -ggdb"
CHOST="sparc-unknown-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf
/etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CPPFLAGS="-mcpu=ultrasparc3 -mtune=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe
-frename-registers -ggdb"
CXXFLAGS="-mcpu=ultrasparc3 -mtune=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe
-frename-registers -ggdb"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect distlocks installsources metadata-transfer
parallel-fetch sanxbox splitdebug strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="de_DE.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="en de"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/sunrise"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="64bit 7zip X a52 aac aalib alsa artworkextra audacious avahi blender-game
bluetooth bzip2 caps ccache cups curl custom-cflags cvs dbus dga disk-partition
divx dts dv dvd dvdread encode fastcgi fat ffmpeg flac ftp fuse gd gif gimp
gimpprint gmedia gnome gnome-print gnomecanvas gpm grammar gtk hal hpn ieee1394
ithreads javascript jpeg jpeg2k lzo mad memcache midi mikmod mjpeg mp2 mp3 mpeg
mpeg2 mplayer musepack nautilus ncurses network networking nls nptl nptlonly
nsplugin offensive ogg openal opengl opera pam pcre png pnm ppds quicktime
realmedia regex ruby samba sdl sdl-image slang smartcard smp sms sound soundex
sparc speex spell sqlite3 ssl subversion svg symlink test theora threads tiff
timidity truetype tta unicode usb userlocales utils vcd vidix vim vim-syntax
vim-with-x vorbis wma wmf wmp x264 xanim xcb xfce xine xinerama xorg xulrunner
xv xvid zlib" ALSA_PCM_PLUGINS="adpcm alaw copy dshare dsnoop extplug file
hooks ladspa lfloat linear meter mulaw multi null rate route share shm"
ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de"
USERLAND="GNU" VIDEO_CARDS="mach64"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS,
PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
alpha/ia64/sparc stable, thanks Tobias and Friedrich
GLSA 200802-12, thanks everyone.
CVE-2008-1110 was assigned to the new issue, I'll update the GLSA.
