Bug 214270 - media-libs/xine-lib <1.1.11.1 Multiple Integer Overflow Vulnerabilities (CVE-2008-1482)
Bug#: 214270
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL: http://secunia.com/advisories/29484/
Summary: media-libs/xine-lib <1.1.11.1 Multiple Integer Overflow Vulnerabilities (CVE-2008-1482)
Keywords:
Status Whiteboard: A2 [glsa]
Opened: 2008-03-22 16:02 0000
|
Secunia:
Luigi Auriemma has reported some vulnerabilities in xine-lib, which
potentially can be exploited by malicious people to compromise a
user's system.
The vulnerabilities are caused due to integer overflow errors when
allocating memory in src/demuxers/demux_flv.c,
src/demuxers/demux_qt.c, src/demuxers/demux_real.c,
src/demuxers/demux_wc3movie.c, src/demuxers/ebml.c, and
src/demuxers/demux_film.c. These can be exploited to cause heap-based
buffer overflows via overly large fields included in e.g. FLV, MOV,
RM, MVE, MKV, and CAK files.
The vulnerabilities are reported in version 1.1.11. Other versions
may also be affected.
SOLUTION:
Do not open untrusted files using xine-lib.
PROVIDED AND/OR DISCOVERED BY:
Luigi Auriemma
ORIGINAL ADVISORY:
http://aluigi.altervista.org/adv/xinehof-adv.txt
flameeyes, are these fixed upstream?
These were not known to upstream until now, and it's now freakin' easter, don't
expect me to find a way to fix them before tuesday... incidentally I decided to
use easter as timeframe to clean up my office's cabling -_-;
FWIW, they should _all_ be fixed in 1.2 series, I suppose backporting the
relevant changes, if possible, would solve the issue. 1.2 makes good use of
calloc rather than using malloc directly.
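Added example, not xine-lib code and not from anyone on this bug: a demuxer-style table reader in the shape the Secunia text above describes (a file-supplied element count used to size a heap allocation), written with the two checks that the unchecked `malloc(count * size)` idiom lacks: a wrap check on the product and a bounds check of the declared table against the data actually present. The header layout, `ENTRY_SIZE`, the sample buffers and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed header layout for this example: a 4-byte little-endian entry
 * count, followed by `count` entries of ENTRY_SIZE bytes each. */
#define ENTRY_SIZE 16u

/* Returns 1 if count * elem cannot be represented in size_t, otherwise 0
 * and stores the product in *out. This is exactly the check that a bare
 * malloc(count * elem) does not perform. */
int mul_would_overflow(size_t count, size_t elem, size_t *out)
{
    if (elem != 0 && count > SIZE_MAX / elem)
        return 1;
    *out = count * elem;
    return 0;
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Reads the entry table from buf. On success returns the entry count and
 * stores a heap copy of the entries in *entries (caller frees). Returns -1
 * if the header is truncated, the size computation would wrap, the declared
 * table is larger than the data present, or allocation fails. */
long long parse_entry_table(const uint8_t *buf, size_t len, uint8_t **entries)
{
    size_t table_bytes;
    uint32_t count;

    *entries = NULL;
    if (len < 4)
        return -1;                  /* no room for the count field */
    count = read_le32(buf);

    if (mul_would_overflow(count, ENTRY_SIZE, &table_bytes))
        return -1;                  /* product wrapped: buffer would be too small */
    if (table_bytes > len - 4)
        return -1;                  /* declared table exceeds the file data */

    *entries = malloc(table_bytes ? table_bytes : 1);
    if (*entries == NULL)
        return -1;
    memcpy(*entries, buf + 4, table_bytes);
    return (long long)count;
}

/* Constructed well-formed sample: count = 2, followed by 2 * 16 bytes. */
long long demo_parse_good(void)
{
    uint8_t good[4 + 2 * ENTRY_SIZE] = { 0x02, 0x00, 0x00, 0x00 };
    uint8_t *tbl;
    long long n = parse_entry_table(good, sizeof good, &tbl);
    free(tbl);
    return n;
}

/* Constructed hostile sample: count = 0xFFFFFFFF with only 16 bytes behind
 * it. The reader must refuse it rather than allocate for the claimed size. */
long long demo_parse_hostile(void)
{
    uint8_t bad[4 + ENTRY_SIZE] = { 0xff, 0xff, 0xff, 0xff };
    uint8_t *tbl;
    long long n = parse_entry_table(bad, sizeof bad, &tbl);
    free(tbl);                      /* NULL on rejection, so this is a no-op */
    return n;
}

int main(void)
{
    printf("well-formed header: %lld entries\n", demo_parse_good());
    printf("hostile header: %s\n", demo_parse_hostile() < 0 ? "rejected" : "accepted");
    return 0;
}
```

The `calloc` remark above is about the first of these checks: glibc's `calloc(count, size)` refuses the allocation when the product wraps, where `malloc(count * size)` silently hands back a short buffer that the following read then overruns. The second check, that the declared table fits in the input, is something the allocator cannot do for the demuxer and has to stay in the parser regardless of which allocation call is used.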
Diego, is there any update here?
Ok, I should have checked before. Fixes released as 1.1.11.1 (omg!). Please
bump.
(In reply to comment #8)
> Ok, I should have checked before. Fixes released as 1.1.11.1 (omg!). Please
> bump.
>
bumped; there were two (known to me) regressions in this release, they're
patched.
Arches, please test and mark stable:
=media-libs/xine-lib-1.1.11.1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sparc x86"
Tested =media-libs/xine-lib-1.1.11.1 USE="X a52 aac aalib alsa dts dvd flac
gnome gtk mad mng musepack nls opengl samba sdl speex theora truetype vcd vidix
vorbis xcb xinerama xv (-altivec) -arts -debug (-directfb) -dxr3 -esd -fbcon
-imagemagick -ipv6 -jack -libcaca -mmap (-modplug) -oss -pulseaudio (-real)
-v4l -wavpack (-win32codecs) (-xvmc)" on sparc.
- compiles fine
- no test failures
- no collisions
- works fine using dvds and vcds
# emerge --info
Portage 2.1.4.4 (default-linux/sparc/sparc64/2007.0, gcc-4.1.2, glibc-2.6.1-r0,
2.6.24-gentoo-r4 sparc64)
=================================================================
System uname: 2.6.24-gentoo-r4 sparc64 sun4u
Timestamp of tree: Tue, 08 Apr 2008 21:00:01 +0000
app-shells/bash: 3.2_p17-r1
dev-lang/python: 2.4.4-r9
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.61-r1
sys-devel/automake: 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.26
virtual/os-headers: 2.6.23-r3
ACCEPT_KEYWORDS="sparc"
CBUILD="sparc-unknown-linux-gnu"
CFLAGS="-mcpu=ultrasparc3 -mtune=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe
-ggdb"
CHOST="sparc-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf
/etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-mcpu=ultrasparc3 -mtune=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe
-ggdb"
DISTDIR="/tmp/distfiles"
FEATURES="collision-protect distlocks installsources metadata-transfer
parallel-fetch sandbox splitdebug strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="de_DE.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="en de"
MAKEOPTS="-j10"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --stats --timeout=180 --exclude=/distfiles
--exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/sunrise
/usr/portage/local/layman/gnash-cvs /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="64bit 7zip X a52 aac aalib ace agg alsa artworkextra audacious
blender-game bluetooth bzip2 c++ caps clock-screen cups curl custom-cflags cvs
cxx dbus devhelp dga disk-partition divx doc dri dts dv dvd dvdread eds encode
evo exif fastcgi fat festival ffmpeg flac ftp fuse gd gif gimp gimpprint glade
gmedia gnome gnome-print gnomecanvas gpm grammar gtk hal hpn ieee1394 imap
ithreads javascript jpeg jpeg2k key-screen libsexy lyrics lzo mad mbrola
memcache midi mikmod mjpeg mng mouse mp2 mp3 mpeg mpeg2 mplayer musepack
musicbrainz nautilus ncurses network network-cron networking nls nptl nptlonly
nsplugin offensive ogg openal opengl openmp opera pam parallel pcre pdf png pnm
ppds qt3support quicktime raw realmedia regex ruby samba sasl sdl sdl-image
search-screen slang smartcard smp sms sound soundex source sourceview sparc
speex spell sqlite3 ssl subversion svg symlink taglib tagwriting theora threads
tiff timidity truetype tta unicode usb userlocales utils vcd vidix vim
vim-syntax vim-with-x vorbis wma wmf wmp wordexp x264 xanim xcb xfce xine
xinerama xorg xulrunner xv xvid zlib" ALSA_CARDS="CS4231"
ALSA_PCM_PLUGINS="adpcm alaw copy dshare dsnoop extplug file hooks ladspa
lfloat linear meter mulaw multi null rate route share shm" ELIBC="glibc"
INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de" USERLAND="GNU"
VIDEO_CARDS="mach64 fbdev mga"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL,
PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
ia64/sparc/x86 stable, thanks Friedrich
Fixed in release snapshot.