CVE-2006-2230 Multiple format string vulnerabilities in xiTK (xitk/main.c) in xine 0.99.4 might allow attackers to cause a denial of service via format string specifiers in an MP3 filename specified on the command line. NOTE: this is a different vulnerability than CVE-2006-1905. In addition, if the only attack vectors involve a user-complicit, local command line argument of a non-setuid program, this issue might not be a vulnerability. I class it as a B3, but Debian has just issued a DSA for this so we should at least fix the vulnerability. A GLSA may not be needed, I will propose a GLSA-voting. There is not any vendor patch nor a fixed version yet.
Errrrrrr... Are you sure this isn't actually fixed already in our xine-ui? The last format string is fixed by patch 160_all_formats2.patch thanks to Ludwig Nussle from SUSE LINUX. Upstream should be fixed, too. (In this case, I joined upstream today so if you can point me if there is something else, I'll fix it right away).
> Errrrrrr... Are you sure this isn't actually fixed already in our xine-ui? the
> last format string is fixed by patch 160_all_formats2.patch thanks to Ludwig
> Nussle from SUSE LINUX. Upstream should be fixed, too.
Is it in the -r6 ebuild which you added 2 days ago? (June 7th) In this case, you may consider to remove the old vulnerable ebuilds (after stabilization done of course), and we may vote if we send a GLSA or not. If you're referring to the old format string vuln of bug 136176 (CVE-2006-1905), this one is different (CVE-2006-2230).
No, -r5 has already that patch (patchlevel 10).
Then it's a different one... :/
Are you sure? I checked once again the whole xitk/main.c file and I can't find any other string vulnerability. I'll try to contact Darren Salt who's working with Debian to fix the xine's problems.
You're right, I have just checked the Debian patch http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3-1sarge1.diff.gz and our -r6 code, and the patch has already been applied ;) Debian was just late, which is not new :þ I'm closing with invalid.