xine security announcement ========================== Announcement-ID: XSA-2004-2 Summary: By opening a malicious playlist in the xine-ui media player, an attacker can write arbitrary content to an arbitrary file, only restricted by the permissions of the user running xine-ui. Description: xine-ui offers the feature of embedding special items in playlists that will apply changes to xine configuration options once the playlist item is played. But some of xine's configuration options specify files that will be written to during playback. One example of such an option is "audio.sun_audio_device", which specifies the audio device on SUN machines. The decoded PCM samples of the audio stream will be written to this file. By having a user open a playlist with an entry "cfg:/audio.sun_audio_device:.bashrc" followed by an entry "http://myserver/mybashrc" in xine-ui, the value of the "audio.sun_audio_device" option will be changed and the next entry will play a specially crafted audio stream. This way an attacker could fill any file the user has access to with arbitrary content. Other configuration options that allow such an attack exist (we also found "dxr3.devicename"), so the vulnerability is not limited to SUN machines. Severity: Expoits have not been seen in the public and not all xine setups use the vulnerable configuration options. But at least xine users on SUN machines and users of a DXR3 or Hollywood+ MPEG decoder card are vulnerable. Other such problematic configuration options might have slipped through the review or might be provided by xine plugins outside the main xine distribution, leaving other users vulnerable as well. Given the wide range of possible harm, we consider this problem to be highly critical. Affected versions: All releases starting with 0.9.21 up to and including 0.9.23. Unaffected versions: All releases older than 0.9.21. CVS HEAD has been fixed. The upcoming 0.99.1 release. Solution: Changes to xine configuration options via playlist are now disabled by default. The attached patch to xine-ui fixes the problem but should only be used by distributors who do not want to upgrade. Otherwise, we strongly advise everyone to upgrade to CVS HEAD or to the next version of xine-ui, which is to be released soon. For further information and in case of questions, please contact the xine team. Our website is http://xinehq.de/ Michael Roitzsch
Created attachment 29471 [details, diff] xine-ui patch
The simpler approach will be to create a 0.9.23-r2 with the patch and have everyone upgrade to it when it's stable (GLSA common with the others xine vulns) media-video : sorry to ask you more work after the previous xine-ui, but your help is still needed ! Thanks in advance.
Included the patch in xine-ui-0.9.23-r2.
Thanks phosphan. Arches : please test xine-ui-0.9.23-r2 and mark stable if/when appropriate. -K
Bump: x86, ppc please test and mark stable (if stable :) ) -K
already marked stable on amd64 by someone who forgot to remove amd64 from CC. wee
x86, ppc : anything I should be aware of preventing this one to go stable ? We need xine-ui-0.9.23-r2 and xine-lib-1_rc3-r3 stable for GLSA publication -- TIA -K
Stable on ppc.
Stable on x86.
GLSA-ready. Common with other xine vulns
GLSA 200404-20.