Bug 214270

Summary: media-libs/xine-lib <1.1.11.1 Multiple Integer Overflow Vulnerabilities (CVE-2008-1482)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: flameeyes, ingmar, media-video
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/29484/
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-22 16:02:46 UTC
Secunia:

Luigi Auriemma has reported some vulnerabilities in xine-lib, which
potentially can be exploited by malicious people to compromise a
user's system.

The vulnerabilities are caused due to integer overflow errors when
allocating memory in src/demuxers/demux_flv.c,
src/demuxers/demux_qt.c, src/demuxers/demux_real.c,
src/demuxers/demux_wc3movie.c, src/demuxers/ebml.c, and
src/demuxers/demux_film.c. These can be exploited to cause heap-based
buffer overflows via overly large fields included in e.g. FLV, MOV,
RM, MVE, MKV, and CAK files.

The vulnerabilities are reported in version 1.1.11. Other versions
may also be affected.

SOLUTION:
Do not open untrusted files using xine-lib.

PROVIDED AND/OR DISCOVERED BY:
Luigi Auriemma

ORIGINAL ADVISORY:
http://aluigi.altervista.org/adv/xinehof-adv.txt
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-22 16:04:21 UTC
flameeyes, are these fixed upstream?
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2008-03-22 16:41:47 UTC
These were not known to upstream until now, and it's now freakin' Easter, don't expect me to find a way to fix them before Tuesday... incidentally I decided to use Easter as the timeframe to clean up my office's cabling -_-;
Comment 3 Diego Elio Pettenò (RETIRED) gentoo-dev 2008-03-22 16:43:06 UTC
FWIW, they should _all_ be fixed in the 1.2 series; I suppose backporting the relevant changes, if possible, would solve the issue. 1.2 makes good use of calloc rather than using malloc directly.

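Added example, not xine-lib code: the structure, field layout and function names below are hypothetical and stand in for the per-chunk tables that container demuxers build from a count read out of the file. It shows the allocation pattern the Secunia text describes (a file-controlled count multiplied by an entry size in 32-bit arithmetic, wrapping to a small malloc and a copy loop that runs past it) beside a checked form. It also shows why the calloc() switch mentioned in comment 3 needs a second bound: calloc() refuses a product that overflows, but it does not stop a loop from reading more entries than the input actually contains, so the checked version also compares the count against the bytes remaining.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical on-disk index entry; not a xine-lib structure. */
struct index_entry {
    uint32_t offset;
    uint32_t size;
};

#define ENTRY_BYTES ((uint32_t)sizeof(struct index_entry))   /* 8 */

static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: count comes from the file and the allocation size is
 * computed in 32-bit arithmetic, so a large count wraps to a small number.
 * Returns the (wrapped) byte count that would have been handed to malloc();
 * the copy loop that follows would then write far beyond that buffer. */
uint32_t unchecked_alloc_bytes(uint32_t count)
{
    return count * ENTRY_BYTES;
}

/* Hardened form: reject a count whose byte size would overflow size_t and,
 * independently, a count that cannot fit in the input bytes that remain.
 * Returns 1 and fills *out on success, 0 on rejection. */
int checked_alloc_bytes(uint32_t count, size_t remaining, size_t *out)
{
    const size_t entry = sizeof(struct index_entry);
    if ((size_t)count > SIZE_MAX / entry)
        return 0;                      /* count * entry would overflow */
    if ((size_t)count > remaining / entry)
        return 0;                      /* input too short for count entries */
    *out = (size_t)count * entry;
    return 1;
}

/* Parse [u32 count][count x {u32 offset, u32 size}], little-endian.
 * Returns a calloc'ed table (caller frees) and sets *n, or NULL if malformed. */
struct index_entry *parse_index(const unsigned char *buf, size_t len, uint32_t *n)
{
    size_t bytes;
    if (len < 4)
        return NULL;
    uint32_t count = read_le32(buf);
    if (!checked_alloc_bytes(count, len - 4, &bytes))
        return NULL;
    struct index_entry *tab = calloc(count, sizeof *tab);
    if (tab == NULL)
        return NULL;
    for (uint32_t i = 0; i < count; i++) {
        const unsigned char *e = buf + 4 + (size_t)i * ENTRY_BYTES;
        tab[i].offset = read_le32(e);
        tab[i].size   = read_le32(e + 4);
    }
    *n = count;
    return tab;
}

/* Constructed sample headers, not taken from any real file. */
static const unsigned char GOOD_HDR[] = {
    0x02, 0x00, 0x00, 0x00,                          /* count = 2 */
    0x10, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00,  /* entry 0 */
    0x30, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00   /* entry 1 */
};
static const unsigned char BAD_HDR[] = {
    0x01, 0x00, 0x00, 0x20,                          /* count = 0x20000001, *8 wraps to 8 */
    0x10, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00   /* only one entry present */
};

/* Returns the number of entries parsed from GOOD_HDR, or -1 on failure. */
int parse_good_sample(void)
{
    uint32_t n = 0;
    struct index_entry *t = parse_index(GOOD_HDR, sizeof GOOD_HDR, &n);
    int ok = (t != NULL && t[1].size == 0x40);
    free(t);
    return ok ? (int)n : -1;
}

/* Returns 1 if BAD_HDR is rejected, 0 if it was (wrongly) accepted. */
int bad_sample_rejected(void)
{
    uint32_t n = 0;
    struct index_entry *t = parse_index(BAD_HDR, sizeof BAD_HDR, &n);
    free(t);
    return t == NULL;
}

int main(void)
{
    printf("32-bit size for count 0x20000001: %u bytes\n",
           unchecked_alloc_bytes(0x20000001u));
    printf("good sample: %d entries\n", parse_good_sample());
    printf("oversized count rejected: %d\n", bad_sample_rejected());
    return 0;
}
```

The wrapped product is the whole bug: 0x20000001 entries of 8 bytes comes out as 8 bytes in 32-bit arithmetic, so the table is allocated at that size and the loop overruns the heap. On a 64-bit build the multiplication does not wrap, but a count larger than the input still makes the loop read past the buffer, which is why the length bound is checked independently of the overflow bound.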
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-03-26 20:55:43 UTC
Diego, is there any update here?
Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev 2008-03-26 21:54:19 UTC
Upstream is handling it as bug 71: http://bugs.xine-project.org/show_bug.cgi?id=71
There is a patch but I wasn't able to doublecheck its commit status yet, sorry I'm behind with my own schedule.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-04-04 02:02:06 UTC
ping, flamy and others?
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-04-04 02:07:49 UTC
Ok, I should have checked before. Fixes released as 1.1.11.1 (omg!). Please bump.
Comment 9 Alexis Ballier gentoo-dev 2008-04-07 19:42:51 UTC
(In reply to comment #8)
> Ok, I should have checked before. Fixes released as 1.1.11.1 (omg!). Please
> bump.

bumped; there were two (known to me) regressions in this release; they're patched.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-04-07 23:53:41 UTC
Arches, please test and mark stable:
=media-libs/xine-lib-1.1.11.1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sparc x86"
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2008-04-08 02:12:22 UTC
Stable for HPPA.
Comment 12 Markus Rothe (RETIRED) gentoo-dev 2008-04-08 05:18:26 UTC
ppc64 stable
Comment 13 Tobias Klausmann (RETIRED) gentoo-dev 2008-04-08 20:10:05 UTC
Stable on alpha.
Comment 14 Friedrich Oslage (RETIRED) gentoo-dev 2008-04-08 22:00:09 UTC
Tested =media-libs/xine-lib-1.1.11.1 USE="X a52 aac aalib alsa dts dvd flac gnome gtk mad mng musepack nls opengl samba sdl speex theora truetype vcd vidix vorbis xcb xinerama xv (-altivec) -arts -debug (-directfb) -dxr3 -esd -fbcon -imagemagick -ipv6 -jack -libcaca -mmap (-modplug) -oss -pulseaudio (-real) -v4l -wavpack (-win32codecs) (-xvmc)" on sparc.

- compiles fine
- no test failures
- no collisions
- works fine using dvds and vcds

# emerge --info
Portage 2.1.4.4 (default-linux/sparc/sparc64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.24-gentoo-r4 sparc64)
=================================================================
System uname: 2.6.24-gentoo-r4 sparc64 sun4u
Timestamp of tree: Tue, 08 Apr 2008 21:00:01 +0000
app-shells/bash:     3.2_p17-r1
dev-lang/python:     2.4.4-r9
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="sparc"
CBUILD="sparc-unknown-linux-gnu"
CFLAGS="-mcpu=ultrasparc3 -mtune=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe -ggdb"
CHOST="sparc-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-mcpu=ultrasparc3 -mtune=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe -ggdb"
DISTDIR="/tmp/distfiles"
FEATURES="collision-protect distlocks installsources metadata-transfer parallel-fetch sandbox splitdebug strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="de_DE.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="en de"
MAKEOPTS="-j10"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/sunrise /usr/portage/local/layman/gnash-cvs /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="64bit 7zip X a52 aac aalib ace agg alsa artworkextra audacious blender-game bluetooth bzip2 c++ caps clock-screen cups curl custom-cflags cvs cxx dbus devhelp dga disk-partition divx doc dri dts dv dvd dvdread eds encode evo exif fastcgi fat festival ffmpeg flac ftp fuse gd gif gimp gimpprint glade gmedia gnome gnome-print gnomecanvas gpm grammar gtk hal hpn ieee1394 imap ithreads javascript jpeg jpeg2k key-screen libsexy lyrics lzo mad mbrola memcache midi mikmod mjpeg mng mouse mp2 mp3 mpeg mpeg2 mplayer musepack musicbrainz nautilus ncurses network network-cron networking nls nptl nptlonly nsplugin offensive ogg openal opengl openmp opera pam parallel pcre pdf png pnm ppds qt3support quicktime raw realmedia regex ruby samba sasl sdl sdl-image search-screen slang smartcard smp sms sound soundex source sourceview sparc speex spell sqlite3 ssl subversion svg symlink taglib tagwriting theora threads tiff timidity truetype tta unicode usb userlocales utils vcd vidix vim vim-syntax vim-with-x vorbis wma wmf wmp wordexp x264 xanim xcb xfce xine xinerama xorg xulrunner xv xvid zlib" ALSA_CARDS="CS4231" ALSA_PCM_PLUGINS="adpcm alaw copy dshare dsnoop extplug file hooks ladspa lfloat linear meter mulaw multi null rate route share shm" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de" USERLAND="GNU" VIDEO_CARDS="mach64 fbdev mga"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2008-04-09 09:51:06 UTC
ia64/sparc/x86 stable, thanks Friedrich
Comment 16 Markus Meier gentoo-dev 2008-04-09 20:46:41 UTC
amd64 stable
Comment 17 Tobias Scherbaum (RETIRED) gentoo-dev 2008-04-10 18:43:57 UTC
ppc stable
Comment 18 Peter Volkov (RETIRED) gentoo-dev 2008-04-10 20:38:59 UTC
Fixed in release snapshot.
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2008-08-06 00:31:43 UTC
GLSA 200808-01