Bug 107854 - media-libs/xine-lib: format string bug in CDDB features
Summary: media-libs/xine-lib: format string bug in CDDB features
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
Whiteboard: A2 [glsa] jaervosz
Depends on:
Reported: 2005-10-02 02:31 UTC by Thierry Carrez (RETIRED)
Modified: 2019-11-30 22:08 UTC (History)

xine-lib.formatstring.patch (315 bytes, patch)
2005-10-02 02:33 UTC, Thierry Carrez (RETIRED)
xine-lib-1.1.0-r5.ebuild (6.70 KB, text/plain)
2005-10-04 06:20 UTC, Diego Elio Pettenò (RETIRED)
xine-lib-1.0.1-r4.ebuild (7.34 KB, text/plain)
2005-10-04 06:22 UTC, Diego Elio Pettenò (RETIRED)
xine-lib-1_rc8-r2.ebuild (5.16 KB, text/plain)
2005-10-04 06:25 UTC, Diego Elio Pettenò (RETIRED)
xine-lib-1.1.0-r6.ebuild (6.78 KB, text/plain)
2005-10-04 06:27 UTC, Diego Elio Pettenò (RETIRED)

Description Thierry Carrez (RETIRED) gentoo-dev 2005-10-02 02:31:25 UTC
Ulf Harnhammar reports:

When you use xine or gxine to play a CD, the programs will connect
to a CDDB server to retrieve the record's artist/band and title as
well as the song titles. The programs write this information to
a cache file, and the code in xine-lib that performs this action
suffers from a format string security bug, allowing remote execution
of arbitrary code.

It is worth noting that CDDB servers allow any user to add or modify
information about records. [...]
This bug could be used for automated attacks against anyone who
listens to particular CDs in xine or gxine.
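
The bug class described in the report, as an added example (not xine-lib's code and not the attached patch): server-supplied text must reach the cache file as a `%s` argument, never as the format itself. The function names and the CDDB-style sample line are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (shown only as a comment): untrusted text used as the
 * format, so any '%' directive in it is interpreted by fprintf():
 *     fprintf(fd, cddb_text);
 */

/* Hardened form: constant format, untrusted text passed only as data. */
int cache_write_line(FILE *fd, const char *cddb_text) {
    return fprintf(fd, "%s\n", cddb_text);
}

/* Audit helper: count printf-style directives in untrusted text.
 * "%%" is a literal percent sign and is not counted. */
int count_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Write one line through the hardened writer and read it back.
 * Returns 1 if the cache holds the text verbatim, 0 if not, -1 on I/O error. */
int roundtrip_is_verbatim(const char *cddb_text) {
    char back[512];
    FILE *fd = tmpfile();
    if (!fd) return -1;
    if (cache_write_line(fd, cddb_text) < 0) { fclose(fd); return -1; }
    rewind(fd);
    if (!fgets(back, sizeof back, fd)) { fclose(fd); return -1; }
    fclose(fd);
    back[strcspn(back, "\n")] = '\0';
    return strcmp(back, cddb_text) == 0;
}

int main(void) {
    /* Constructed sample of a title field carrying format directives. */
    const char *sample = "DTITLE=Artist %x%x%n / Title";
    printf("directives found: %d\n", count_directives(sample));
    printf("stored verbatim:  %d\n", roundtrip_is_verbatim(sample));
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang warn on the commented-out pattern, which is a cheap way to find other call sites of the same kind.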
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-10-02 02:33:15 UTC
Created attachment 69695 [details, diff]

Patch from Ulf Harnhammar
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-10-04 05:54:08 UTC
Diego, could you prepare and attach on this bug new ebuild(s) for xine-lib
fixing this? Please do not commit them to Portage before the release date
(currently set to October 8th), we'll have arch testers test them from here.
Comment 3 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-10-04 06:20:34 UTC
Created attachment 69847 [details]

This is going stable for sparc, alpha, ppc64 and ia64 (and amd64 would be great
too, as this should fix problems with current stable).
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-10-04 06:22:29 UTC
Created attachment 69848 [details]

This is the will-be stable for everything else (but mips probably).
Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-10-04 06:25:04 UTC
Created attachment 69849 [details]

And this last one is for mips, which still has this last one as stable (and I'm
still moving this along even if it's basically broken for everyone else).
Comment 6 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-10-04 06:27:55 UTC
Created attachment 69850 [details]

At the end this is a non-stable version, based off 1.1.0-r4, with external
ffmpeg, so that ~arch users won't get a regression with ffmpeg.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-10-04 06:39:52 UTC
Calling arch security contacts. 
Please test and report back which of those can be committed directly to stable
for your arch.
Comment 8 Simon Stelling (RETIRED) gentoo-dev 2005-10-04 06:50:41 UTC
flameeyes is a member of the amd64 team, so I'll leave it up to him.
Comment 9 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-10-04 07:51:56 UTC
Giving ppc over to JoseJX, as xine is seriously broken on my machine
(segmentation fault on startup).
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2005-10-04 08:46:39 UTC
sparc looks good on 1.1.0-r5 with the exception that the patch should be named
xine-lib-formatstring.patch (or changed in the ebuild) ;)
Comment 11 Markus Rothe (RETIRED) gentoo-dev 2005-10-04 10:49:10 UTC
xine-lib-1.1.0-r5 can go stable on ppc64, too. I can confirm that you have to
rename the patch.
Comment 12 Joe Jezak (RETIRED) gentoo-dev 2005-10-05 06:22:18 UTC
The patch works fine on PPC, the segfault hansmi was reporting appears to be due
to mismatched alsa-libs/in kernel driver as in bug #64818.
Comment 13 Olivier Crete (RETIRED) gentoo-dev 2005-10-05 20:10:32 UTC
Which version do you want to see tested on x86?
Comment 14 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-10-06 01:34:11 UTC
1.0.1-r4 I think. 1.1.0 fixes some crashes, but seems having problem with 
Comment 15 Bryan Østergaard (RETIRED) gentoo-dev 2005-10-06 02:28:29 UTC
1.1.0-r5 looks good on alpha.
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-06 12:14:36 UTC
Then we only need ia64 and they are not essential for GLSA purposes. 
Comment 17 Bryan Østergaard (RETIRED) gentoo-dev 2005-10-06 16:47:45 UTC
1.1.0-r5 looks good on ia64 as well.
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2005-10-07 04:55:00 UTC
Diego: ok so this can be committed to Portage with the appropriate stable
keywords on October 8 (tomorrow) 1400 UTC. 

Let us know if you can't make it anytime that day.
Comment 19 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-10-07 04:59:12 UTC
That should be ok, just remind me a bit before, just to be safe :)
Comment 20 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-10-08 07:04:19 UTC
Please delay the commit until tonight... we're having a bit of trouble as
mips recently keyworded xine-lib-1.1.0 (but not -r3 or -r4). I won't commit
anything until this is sorted out.
Comment 21 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-08 07:35:16 UTC
Diego please commit the fixed ebuilds. mips do not block GLSA sending so 
please go ahead. 
Comment 22 Diego Elio Pettenò (RETIRED) gentoo-dev 2005-10-08 07:47:34 UTC
Comment 23 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-08 08:24:48 UTC
Thx Diego. This one is ready for GLSA release. 
Comment 24 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-08 09:20:03 UTC
Thx everyone.  
GLSA 200510-08  
mips don't forget to mark stable.