Summary: media-libs/xine-lib: format string bug in CDDB features
Product: Gentoo Security
Reporter: Thierry Carrez (RETIRED) <koon>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Whiteboard: A2 [glsa] jaervosz
Package list:
Runtime testing required: ---
Description Thierry Carrez (RETIRED) 2005-10-02 02:31:25 UTC
Ulf Harnhammar reports : When you use xine or gxine to play a CD, the programs will connect to a CDDB server to retrieve the record's artist/band and title as well as the song titles. The programs write this information to a cache file, and the code in xine-lib that performs this action suffers from a format string security bug, allowing remote execution of arbitrary code. It is worth noting that CDDB servers allow any user to add or modify information about records. [...] This bug could be used for automated attacks against anyone who listens to particular CD's in xine or gxine.
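The bug class Harnhammar describes, as an added illustration in C that is not xine-lib's code and not the attached patch: the artist/title text fetched from CDDB ends up as fprintf's format argument when the cache file is written, so a record containing conversion specifications steers fprintf, and the fix is a literal format with the untrusted text passed only as data. Function names, the cache line layout and the hostile title are constructed for this example; DTITLE is the CDDB field that carries "artist / title", which any CDDB user can submit. The two small helpers show what a reviewer can check in untrusted text, and the vulnerable routine is deliberately never called with hostile input.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added illustration of the bug class, not xine-lib's code.  Function
 * names, the cache line layout and the hostile title are constructed for
 * this example.  DTITLE is the CDDB field carrying "artist / title", text
 * that anyone may submit to a public CDDB server.
 */

/* VULNERABLE shape: the CDDB text itself is passed as fprintf's format, so
 * whoever edited the record controls every conversion fprintf performs;
 * "%n" turns a read of stack garbage into a write.  The call goes through
 * a plain function pointer only so that toolchains building with
 * -Werror=format-security (which would rightly reject a direct
 * fprintf(fp, dtitle)) still compile this illustration.  It is never
 * called with hostile input below, because that is undefined behaviour. */
int cache_write_vulnerable(FILE *fp, const char *dtitle)
{
    int (*printer)(FILE *, const char *, ...) = fprintf;
    return printer(fp, dtitle);
}

/* FIXED shape: the format is a literal and the untrusted text is only an
 * argument to %s, so it is copied into the cache file, never parsed. */
int cache_write_fixed(FILE *fp, const char *dtitle)
{
    return fprintf(fp, "DTITLE=%s\n", dtitle);
}

/* The same line rendered into a caller's buffer, so the checks below can
 * compare output without touching the filesystem. */
int cache_line_fixed(char *out, size_t outlen, const char *dtitle)
{
    return snprintf(out, outlen, "DTITLE=%s\n", dtitle);
}

/* s points at a '%' that is not "%%".  Skip flags, width, precision and
 * length modifier; return a pointer to the conversion character (or to the
 * terminating NUL if the specification is cut off). */
static const char *conversion_char(const char *s)
{
    s++;
    while (*s && strchr("-+ #0123456789.*hlLjzt", *s))
        s++;
    return s;
}

/* Number of conversion specifications s would introduce if misused as a
 * printf format ("%%" is a literal percent sign).  Non-zero means the
 * author of s steers fprintf's argument reads in the vulnerable path. */
int format_directive_count(const char *s)
{
    int count = 0;
    while (*s) {
        if (*s != '%') { s++; continue; }
        if (s[1] == '%') { s += 2; continue; }
        count++;
        s = conversion_char(s);
        if (*s) s++;
    }
    return count;
}

/* 1 if s contains a %n conversion, the directive that writes to memory. */
int has_write_directive(const char *s)
{
    while (*s) {
        if (*s != '%') { s++; continue; }
        if (s[1] == '%') { s += 2; continue; }
        s = conversion_char(s);
        if (*s == 'n') return 1;
        if (*s) s++;
    }
    return 0;
}

/* Through the fixed path the hostile title comes back byte for byte,
 * directives included, with nothing interpreted. */
int fixed_path_writes_literally(const char *dtitle)
{
    char line[256], expect[256];
    if (strlen(dtitle) > 200) return 0;   /* keep both buffers in bounds */
    cache_line_fixed(line, sizeof line, dtitle);
    strcpy(expect, "DTITLE=");
    strcat(expect, dtitle);
    strcat(expect, "\n");
    return strcmp(line, expect) == 0;
}

int main(void)
{
    /* Constructed hostile CDDB title, the kind of record a malicious
     * submitter could store on a public CDDB server. */
    const char *hostile = "Evil Artist / %08x%08x%08x%n";

    printf("directives: %d, contains %%n: %d\n",
           format_directive_count(hostile), has_write_directive(hostile));
    cache_write_fixed(stdout, hostile);   /* safe: the text is printed as-is */
    /* cache_write_vulnerable(stdout, hostile) would let the title drive fprintf. */
    return 0;
}
```

The directive counter is a reviewer's aid, not a defence: the fix is never to filter percent signs out of CDDB data but to stop passing that data where a format string belongs, and compiling with -Wformat-security flags the vulnerable call at build time.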
Comment 1 Thierry Carrez (RETIRED) 2005-10-02 02:33:15 UTC
Created attachment 69695 [details, diff] xine-lib.formatstring.patch Patch from Ulf Harnhammar
Comment 2 Thierry Carrez (RETIRED) 2005-10-04 05:54:08 UTC
Diego, could you prepare and attach on this bug new ebuild(s) for xine-lib fixing this ? Please do not commit them to Portage before the release date (currently set to October 8th), we'll have arch testers test them from here.
Comment 3 Diego Elio Pettenò (RETIRED) 2005-10-04 06:20:34 UTC
Created attachment 69847 [details] xine-lib-1.1.0-r5.ebuild This is going stable for sparc, alpha, ppc64 and ia64 (and amd64 would be great too, as this should fix problems with current stable).
Comment 4 Diego Elio Pettenò (RETIRED) 2005-10-04 06:22:29 UTC
Created attachment 69848 [details] xine-lib-1.0.1-r4.ebuild This is the will-be stable for everything else (but mips probably).
Comment 5 Diego Elio Pettenò (RETIRED) 2005-10-04 06:25:04 UTC
Created attachment 69849 [details] xine-lib-1_rc8-r2.ebuild And this last one is for mips, which still has this one as stable (and I'm still moving this along even if it's basically broken for everyone else).
Comment 6 Diego Elio Pettenò (RETIRED) 2005-10-04 06:27:55 UTC
Created attachment 69850 [details] xine-lib-1.1.0-r6.ebuild Lastly, this is a non-stable version, based on 1.1.0-r4, with external ffmpeg, so that ~arch users won't get a regression with ffmpeg.
Comment 7 Thierry Carrez (RETIRED) 2005-10-04 06:39:52 UTC
Calling arch security contacts. Please test and report back which of those can be committed directly to stable for your arch.
Comment 8 Simon Stelling (RETIRED) 2005-10-04 06:50:41 UTC
flameeyes is a member of the amd64 team, so I'll leave it up to him.
Comment 9 Michael Hanselmann (hansmi) (RETIRED) 2005-10-04 07:51:56 UTC
Giving ppc over to JoseJX, as xine is seriously broken on my machine (segmentation fault on startup).
Comment 10 Gustavo Zacarias (RETIRED) 2005-10-04 08:46:39 UTC
sparc looks good on 1.1.0-r5 with the exception that the patch should be named xine-lib-formatstring.patch (or changed in the ebuild) ;)
Comment 11 Markus Rothe (RETIRED) 2005-10-04 10:49:10 UTC
xine-lib-1.1.0-r5 can go stable on ppc64, too. I can confirm that you have to rename the patch.
Comment 12 Joe Jezak (RETIRED) 2005-10-05 06:22:18 UTC
The patch works fine on PPC; the segfault hansmi was reporting appears to be due to a mismatched alsa-libs/in-kernel driver, as in bug #64818.
Comment 13 Olivier Crete (RETIRED) 2005-10-05 20:10:32 UTC
Which version do you want to see tested on x86?
Comment 14 Diego Elio Pettenò (RETIRED) 2005-10-06 01:34:11 UTC
1.0.1-r4 I think. 1.1.0 fixes some crashes, but seems to have problems with flac.
Comment 15 Bryan Østergaard (RETIRED) 2005-10-06 02:28:29 UTC
1.1.0-r5 looks good on alpha.
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) 2005-10-06 12:14:36 UTC
Then we only need ia64 and they are not essential for GLSA purposes.
Comment 17 Bryan Østergaard (RETIRED) 2005-10-06 16:47:45 UTC
1.1.0-r5 looks good on ia64 as well.
Comment 18 Thierry Carrez (RETIRED) 2005-10-07 04:55:00 UTC
Diego: OK, so this can be committed to Portage with the appropriate stable keywords on October 8 (tomorrow) at 1400 UTC. Let us know if you can't make it anytime that day.
Comment 19 Diego Elio Pettenò (RETIRED) 2005-10-07 04:59:12 UTC
That should be OK, just remind me a bit before, just to be safe :)
Comment 20 Diego Elio Pettenò (RETIRED) 2005-10-08 07:04:19 UTC
Please delay the commit until tonight... we're having a bit of trouble, as mips recently keyworded xine-lib-1.1.0 (but not -r3 or -r4). I won't commit anything until this is sorted out.
Comment 21 Sune Kloppenborg Jeppesen (RETIRED) 2005-10-08 07:35:16 UTC
Diego, please commit the fixed ebuilds. mips does not block GLSA sending, so please go ahead.
Comment 22 Diego Elio Pettenò (RETIRED) 2005-10-08 07:47:34 UTC
Comment 23 Sune Kloppenborg Jeppesen (RETIRED) 2005-10-08 08:24:48 UTC
Thx Diego. This one is ready for GLSA release.
Comment 24 Sune Kloppenborg Jeppesen (RETIRED) 2005-10-08 09:20:03 UTC
Thx everyone. GLSA 200510-08. mips, don't forget to mark stable.