| Field | Value |
|---|---|
| Summary | media-libs/xine-lib: HTTP plugin remote buffer overflow (CVE-2006-2802) |
| Product | Gentoo Security |
| Reporter | Federico L. Bossi Bonin <fbossi> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | flameeyes, media-video |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://www.milw0rm.com/exploits/download/1852 |
| Whiteboard | B3? [noglsa] |
| Package list | |
| Runtime testing required | --- |
Description

Federico L. Bossi Bonin
2006-05-30 12:27:04 UTC

Auditors, please review and confirm if the current stable version is affected. The exploit is publicly posted, so I'm opening this bug for all to see.

Confirmed on media-video/gxine-0.4.5 using

```sh
$ perl -e 'print "A"x"9500"' | nc -lp 8080
```

and

```sh
$ gxine http://localhost:8080/foo.mpg
```

media-video, please bump.

flameeyes reports the actual bug is within xine-lib, not gxine; correcting summary...

I can only reproduce an invalid pointer dereference here on this system. If someone can point me to something in the sources (no, it's not friggin' gcc 4.0.2, I wonder why it says that, it's 4.1.1).

```text
Portage 2.1_rc3-r2 (default-linux/amd64/2006.0, gcc-4.0.2, glibc-2.4-r3, 2.6.16-gentoo-r8 x86_64)
=================================================================
System uname: 2.6.16-gentoo-r8 x86_64 AMD Athlon(tm) 64 Processor 3500+
Gentoo Base System version 1.12.0
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.4 [disabled]
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r1
dev-util/confcache:  0.4.2-r1
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.93
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r6, 2.6.16
ACCEPT_KEYWORDS="amd64 ~amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -Os -ftracer -pipe -ftree-vectorize -Wformat=2 -Wno-error -Wno-pointer-sign -g -ggdb -Wstrict-aliasing=2"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/lib/X11/xkb /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/env.d"
CXXFLAGS="-march=athlon64 -Os -ftracer -pipe -ftree-vectorize -Wno-error -Wformat=2 -g -ggdb -Wstrict-aliasing=2 -fvisibility-inlines-hidden"
DISTDIR="/var/portage/distfiles"
EMERGE_DEFAULT_OPTS="--alphabetical"
FEATURES="autoaddcvs autoconfig collision-protect confcache cvs distlocks metadata-transfer multilib-strict noinfo parallel-fetch sandbox sfperms sign splitdebug userpriv usersandbox"
GENTOO_MIRRORS="http://www.die.unipd.it/pub/Linux/distributions/gentoo-sources/ http://ftp.unina.it/pub/linux/distributions/gentoo/ http://gentoo.osuosl.org/"
LANG="en_US.UTF-8"
LC_ALL=""
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,-Bdirect -Wl,-hashvals"
LINGUAS="en it"
MAKEOPTS="-j1 -s"
PKGDIR="/var/portage/pkg-enterprise"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/var/portage/cvs/gentoo-x86"
PORTDIR_OVERLAY="/var/portage/crossoverlay /var/portage/cvs/gentoo-alt/overlay /var/portage/cvs/flame-overlay /var/portage/cvs/flame-portage /var/portage/cvs/vmware"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnowex S3TC a52 aac acl acpi4linux alsa amd64 apm audiofile avi bash-completion bzip2 bzlib cdda cddb cdio cdr cjk crypt css cups dlloader dnd dpms dts dvd dvdr dvdread eds emboss fam fame ffmpeg flac foomaticdb gif gnutls gpgme gphoto2 gtk2 howl idn ieee1394 imlib imlib2 ipv6 ithreads joystick jpeg kde kdehiddenvisibility latex lm_sensors lx700 lzw lzw-tiff mad maildir matroska mmap mng mozsvg mp3 mpeg mpeg4 mpm-threadpool native no_wxgtk1 noantlr nobcel nobeanutils nobsh nocommonslogging nocommonsnet nodrm nojdepend nojsch nojython nolog4j nomotif nooro noregexp norhino noxalan noxerces nptl nptlonly nvidia ogg oggvorbis openntpd pam pdf pdflib pic png ppds qemu-fast qt rtc snmp speex spell ssl stencil-buffer subversion svg svgz symlink sysfs syslog tetex theora threads tiff truetype truetype-fonts type1 type1-fonts udev unicode usb userlocales utf8 v4l v4l2 vhosts vorbis wxwindows x11vnc xinerama xpm xv xvid zlib zvbi elibc_glibc kernel_linux linguas_en linguas_it sane_backends_snapscan userland_GNU video_cards_none video_cards_nvidia"
Unset: CTARGET, INSTALL_MASK, PORTAGE_RSYNC_EXTRA_OPTS
```

Adding myself so I won't forget about this. Anyway, problem reproduced, working on identifying it.

Okay, point identified, fixed, patched, new ebuild in portage, xine-lib-1.1.2_pre20060328-r9, ready for stable marking (a lot more fixes in it too, so users will be happy). Although up to -r8 it needed -fvisibility=hidden support, now it will build even without (for arches stuck with gcc 3.3), although then there will be some corner cases where it might die a horrible death (like trying to play AAC files with external ffmpeg and aac enabled in ffmpeg, or in amarok with support for aac), but alas, can't do much about those arches; for most of the uses it's fine, tho.

arches, please test and stable xine-lib-1.1.2_pre20060328-r9, thanks

I've done some testing with media-libs/xine-lib-1.1.2_pre20060328-r9 (+X +a52 +aac +aalib +alsa (-altivec) -arts +asf -debug -directfb +dts +dvd -dxr3 -esd +fbcon +ffmpeg +flac +gnome +imagemagick +ipv6 -libcaca +mad +mng -modplug +nls +opengl -oss -samba +sdl +speex +theora -v4l +vcd -video_cards_i810 +video_cards_nvidia -video_cards_via +vidix +vorbis +win32codecs -xinerama +xv -xvmc) using media-video/totem-1.2.1 (+a52 -debug +dvd +flac +gnome -lirc +mad +mpeg -nsplugin +ogg +theora +vorbis +win32codecs +xine +xv) and media-video/xine-ui-0.99.4-r5 (+X +aalib +curl -libcaca -lirc +ncurses +nls +readline -vdr -xinerama). Video playback seems to be ok in both players. I've experienced some 'The Application "totem" has quit unexpectedly.' directly after opening a file after the player was already running and I had done the same at least 3 times before. As these crashes are not connected to a particular file and nothing indicates that this is a xine-lib bug, I guess that this is a totem bug I've just not noticed before. I'm gonna try if recompiling totem helps .... To cut a long story short: xine-lib-1.1.2_pre20060328-r9 is ok in my opinion for x86. PS: I'll post 'emerge --info' on request.

Well, that totem bug still remains after rebuilding; I think it has nothing to do with xine-lib.

I'm not saying that the current version is exempt from bugs, there are at least three I know of, but for those I need more inspections; I will try to fix them ASAP and call another stable, but now it's mostly about the security issue :/

amd64 is happy... marked stable

xine-lib-1.1.2_pre20060328-r9 stable on alpha.

SPARC stable

I experienced a side effect since I upgraded to xine-lib-1.1.2_pre20060328-r9, as I am no longer able to play mp3 streaming audio files in gxine-0.5.6. The error returned is "The xine engine failed to start. No input plugin was found. Maybe the file does not exist or cannot be accessed, or there is an error in the URL." AND "Permission error http://www.reprisesdupont.com/2006-06-01-Dupont_Le_Midi.mp3". Prior to this version (xine-lib-1.1.2_pre20060328-r8 and lower) I never had a problem playing mp3 files on this website. NOTE: Downloading the mp3 file & playing it locally works fine, so it's not a problem with a missing plug-in, nor with a bad URL. I tried to recompile gxine w/o success (gxine compiles but the problem remains).

```text
Portage 2.1_rc3-r5 (default-linux/x86/2006.0, gcc-4.1.1, glibc-2.4-r3, 2.6.17-rc5! i686)
=================================================================
System uname: 2.6.17-rc5! i686 Intel(R) Pentium(R) 4 Mobile CPU 1.60GHz
Gentoo Base System version 1.12.0
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r2
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r5
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium4m -O2 -fomit-frame-pointer -pipe -mmmx -msse -msse2 -mno-sse3 -mno-3dnow"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib/mozilla/defaults/pref /usr/share/X11/xkb /var/bind"
CONFIG_PROTECT_MASK="/etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium4m -O2 -fomit-frame-pointer -pipe -mmmx -msse -msse2 -mno-sse3 -mno-3dnow"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildpkg distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="ftp://mirror.pacific.net.au/linux/Gentoo ftp://mirror.isp.net.au/pub/gentoo"
LANG="C"
LINGUAS="en en_AU en_CA en_GB en_US"
PKGDIR="/home/Linux"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.au.gentoo.org/gentoo-portage"
USE="x86 X alsa apache2 apm arts avi berkdb bitmap-fonts cli crypt cups dri eds emboss encode esd foomaticdb fortran gdbm gif gnome gpm gstreamer gtk gtk2 imlib ipv6 isdnlog jpeg kde libg++ libwww mad mikmod motif mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre pdflib perl png pppd python qt quicktime readline reflection sdl session spell spl ssl tcpd truetype truetype-fonts type1-fonts udev vorbis xml xmms xorg xv zlib elibc_glibc input_devices_joystick input_devices_keyboard input_devices_mouse kernel_linux linguas_en linguas_en_AU linguas_en_CA linguas_en_GB linguas_en_US userland_GNU video_cards_savage"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
```

ppc stable

x86 done

stable on hppa

Supplementary notes to Comment #15:
o) Problem is still present in xine-lib-1.1.2_pre20060328-r10 but not in xine-lib-1.1.2_pre20060328-r1 (I downgraded xine-lib just to test it).
o) I think the latest version w/o this bug was xine-lib-1.1.2_pre20060328-r8, but I'm not absolutely sure.

Sounds like playing mp3 files rather than shoutcast streams via HTTP relied on the buffer being overflowing. Interesting, eh? Let's stable this and then I'll ask a quick stable with a couple more fixes.

(In reply to comment #20)
> Sounds like playing mp3 files rather than shoutcast streams via HTTP relied on
> the buffer being overflowing. Interesting, eh?
> Let's stable this and then I'll ask a quick stable with a couple more fixes.

You're probably right. The problem is probably a side effect of one of the numerous Gentoo patches between -r2 and -r10 and not related to the overflow problem addressed in this bug. BTW, I noticed this problem just with this website (funny, no?). As stated in comment #15, I have a workaround to avoid this issue: 1) I just need to download the file first & play it as usual in gxine, OR 2) I just need to open the MRL using totem-1.4 (compiled, of course, w/o xine support).

ppc64 stable

Buffer overflow -> B2 -> s/[stable]/[glsa] and adding to the glsamaker pool

Add its CVE-2006-2802, please update the summary & whiteboard ;)

Stupid thing, but the bug reported in Comment #15 is now fixed with the clean-up you have done in xine-lib-1.1.2_pre20060606. Thanks.

Good to hear, although it's probably simpler to wait for the 1.1.2 final release and stable that when it's time anyway :)

GLSA draft only talks about DoS. This would be a client-side DoS, so not really a security issue (a malicious server can deny service in all cases). Auditing team, can you figure out whether arbitrary code exec might be possible, or does it "just crash" without side effects? Setting to glsa? until we decide whether this is only a crash issue.

Personally I really don't know. Debian and Mitre reference this as a simple DoS. I would vote NO-glsa since xine-* has very often GLSAs concerning code execution, and we won't start to send GLSAs for a xine DoS. Furthermore, it's a client DoS by enticing the user to play a specially crafted file, which is not very common, and really not dangerous at all. No GLSA for me.

Voting NO, closing and GLSAmaker cleaned up. Feel free to reopen if you disagree.
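The reproduction in this bug is a listening `nc` that answers the player's HTTP request with 9500 bytes of `A` and no line terminator. The following is an added example, written for this page and not taken from xine-lib or gxine, of the bug class such a response triggers in a client: an HTTP status-line reader that copies a server-controlled line into a fixed buffer without comparing the line's length to the buffer, beside a bounded reader that fails closed. The buffer size `HTTP_LINE_MAX`, the function names and the status-line parser are all hypothetical; they do not describe where or how the real xine-lib plugin overflowed.

```c
/* Added example (not xine-lib code): fixed-buffer status-line readers fed the
 * bug report's PoC payload. Compile with: cc -Wall -o statusline statusline.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HTTP_LINE_MAX 1024   /* assumed line buffer size; hypothetical */

/* Build what the PoC server sends: n bytes of 'A' and no CRLF, i.e. the
 * output of perl -e 'print "A"x"9500"' piped into nc -lp 8080. Caller frees. */
char *build_poc_response(size_t n) {
    char *p = malloc(n + 1);
    if (!p) return NULL;
    memset(p, 'A', n);
    p[n] = '\0';
    return p;
}

/* Length of the first line without its terminator; the whole input if the
 * server never sends one (exactly the PoC case). */
static size_t first_line_len(const char *resp) {
    const char *end = strpbrk(resp, "\r\n");
    return end ? (size_t)(end - resp) : strlen(resp);
}

/* Vulnerable pattern: the copy length is chosen by the remote server, the
 * destination is a fixed-size buffer, and nothing relates the two. */
void read_status_line_unsafe(const char *resp, char line[HTTP_LINE_MAX]) {
    size_t len = first_line_len(resp);
    memcpy(line, resp, len);          /* writes past line[] when len >= HTTP_LINE_MAX */
    line[len] = '\0';
}

/* Hardened form: refuse any line that does not fit, including the NUL. */
int read_status_line_safe(const char *resp, char *line, size_t cap) {
    size_t len = first_line_len(resp);
    if (len >= cap) return -1;        /* oversize line from a hostile server */
    memcpy(line, resp, len);
    line[len] = '\0';
    return 0;
}

/* Parse "HTTP/1.x NNN reason" through the bounded reader.
 * Returns the status code, or -1 for an oversize or malformed line. */
int http_status_code(const char *resp) {
    char line[HTTP_LINE_MAX];
    if (read_status_line_safe(resp, line, sizeof line) != 0) return -1;
    if (strncmp(line, "HTTP/1.", 7) != 0) return -1;
    const char *sp = strchr(line, ' ');
    if (!sp) return -1;
    char *end;
    long code = strtol(sp + 1, &end, 10);
    if (end == sp + 1 || code < 100 || code > 599) return -1;
    return (int)code;
}

int main(void) {
    char *poc = build_poc_response(9500);
    char line[HTTP_LINE_MAX];

    /* The unsafe reader is only run on a benign response here; calling it on
     * poc would copy ~9.5 KB into a 1 KB stack buffer. */
    read_status_line_unsafe("HTTP/1.0 200 OK\r\n", line);
    printf("unsafe reader, benign input: \"%s\"\n", line);

    printf("PoC response:    status=%d (rejected by bounded reader)\n",
           http_status_code(poc));
    printf("normal response: status=%d\n",
           http_status_code("HTTP/1.0 200 OK\r\nContent-Type: audio/mpeg\r\n\r\n"));
    free(poc);
    return 0;
}
```

The bounded reader rejects the PoC before any copy happens, which is the behaviour a fix needs; note that a crash under the unsafe reader only shows the overflow exists, and deciding between "just a crash" and code execution, the question raised in the GLSA discussion above, requires looking at what sits after the overflowed buffer in the real plugin.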