|Summary:||media-libs/xine-lib < 1.1.11 Array Indexing Vulnerability (CVE-2008-0073)|
|Product:||Gentoo Security||Reporter:||Diego Elio Pettenò (RETIRED) <flameeyes>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Package list:||Runtime testing required:||---|
Description Diego Elio Pettenò (RETIRED) 2008-03-11 14:17:30 UTC
From: Secunia Research <firstname.lastname@example.org> Date: Mar 10, 2008 10:20 AM Subject: Xine "sdpplin_parse()" Array Indexing Vulnerability To: email@example.com Cc: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com Hello, Secunia Research has discovered a vulnerability in Xine, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error within the "sdpplin_parse()" function in input/libreal/sdpplin.c. This can be exploited to overwrite arbitrary memory regions via an overly large "streamid" SDP parameter included in a malicious RTSP stream. Successful exploitation allows execution of arbitrary code. The vulnerability is confirmed in version 188.8.131.52. Other versions may also be affected. Vulnerability Details: ---------------------- The vulnerability is present in input/libreal/sdpplin.c at line 255. --- desc->stream[stream->stream_id] = stream; --- Exploitation: ------------- Secunia Research has created a PoC for the vulnerability, which is available upon request. Closing comments: ----------------- We have assigned this vulnerability Secunia advisory SA28694 and CVE identifier CVE-2008-0073. A preliminary disclosure date of 2008-03-19 10am CET has been set, where the details will be publicly disclosed. However, we are naturally prepared to push the disclosure date if you need more time to address the vulnerability. Please acknowledge receiving this e-mail and let us know when you expect to fix the vulnerability. Credits should go to: Alin Rad Pop, Secunia Research. Also, if you have any questions, then please don't hesitate to contact me. -- Alin Rad Pop Security Specialist Secunia Hammerensgade 4, 2. floor DK-1267 Copenhagen K Denmark Phone +45 7020 5144 Fax +45 7020 5145
Comment 1 Diego Elio Pettenò (RETIRED) 2008-03-11 14:18:51 UTC
FWIW, the same vulnerability apply to VLC.
Comment 2 Robert Buchholz (RETIRED) 2008-03-12 02:18:41 UTC
Does VLC know, have a patch? Does xine have a patch?
Comment 3 Diego Elio Pettenò (RETIRED) 2008-03-12 02:32:24 UTC
xine has a patch, the same patch should apply over VLC. I'm not sure if VLC is informed, I said that to secunia though people though.
Comment 4 Pierre-Yves Rofes (RETIRED) 2008-03-19 14:53:53 UTC
*** Bug 213928 has been marked as a duplicate of this bug. ***
Comment 5 Pierre-Yves Rofes (RETIRED) 2008-03-19 14:54:55 UTC
Comment 6 Ben de Groot (RETIRED) 2008-03-20 00:29:39 UTC
media-lib/xine-lib-1.1.11.ebuild in cvs Arches please test and mark stable. Target KEYWORDS="alpha amd64 ~arm hppa ia64 ppc ppc64 sparc x86 ~x86-fbsd"
Comment 7 Jeroen Roovers (RETIRED) 2008-03-20 04:30:09 UTC
(In reply to comment #6) > media-lib/xine-lib-1.1.11.ebuild in cvs That's not even a proper path if the directory was spelled right! :) =media-libs/xine-lib-1.1.11 will do nicely.
Comment 8 Christian Faulhammer (RETIRED) 2008-03-20 07:34:41 UTC
Comment 9 Jeroen Roovers (RETIRED) 2008-03-20 17:45:12 UTC
Stable for HPPA.
Comment 10 Markus Meier 2008-03-20 21:40:10 UTC
Comment 11 Tobias Klausmann 2008-03-21 12:30:00 UTC
Comment 12 Brent Baude (RETIRED) 2008-03-21 14:16:59 UTC
Comment 13 Raúl Porcel (RETIRED) 2008-03-22 15:29:44 UTC
Comment 14 Tobias Scherbaum (RETIRED) 2008-03-23 11:32:47 UTC
ppc stable, ready for glsa
Comment 15 Peter Volkov (RETIRED) 2008-03-23 12:43:28 UTC
Fixed in release snapshot.
Comment 16 Robert Buchholz (RETIRED) 2008-03-24 19:45:03 UTC
request filed, will only be glsa'd after bug 214270 was fixed.
Comment 17 Robert Buchholz (RETIRED) 2008-08-06 00:31:35 UTC