Bug 249041 (CVE-2008-5233)

Summary: <media-libs/xine-lib-1.1.15 malloc DoS/possible arbitrary code execution (CVE-2008-{5233,5234,5235,5236,5237,5238,5239,5240,5241,5242,5243,5244,5245,5246,5247,5248})
Product: Gentoo Security
Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: media-video
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://sourceforge.net/project/shownotes.php?release_id=619869
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2008-11-27 00:04:31 UTC
CVE-2008-5233 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5233):
  xine-lib 1.1.12, and other versions before 1.1.15, does not check for
  failure of malloc in circumstances including (1) the
  mymng_process_header function in demux_mng.c, (2) the open_mod_file
  function in demux_mod.c, and (3) frame_buffer allocation in the
  real_parse_audio_specific_data function in demux_real.c, which allows
  remote attackers to cause a denial of service (crash) or possibly
  execute arbitrary code via a crafted media file.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-27 00:08:13 UTC
We also need to check these: http://www.ocert.org/analysis/2008-008/analysis.txt
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-27 00:10:51 UTC
CVE-2008-5234 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5234):
  Multiple heap-based buffer overflows in xine-lib 1.1.12, and other
  versions before 1.1.15, allow remote attackers to execute arbitrary
  code via vectors related to (1) a crafted metadata atom size
  processed by the parse_moov_atom function in demux_qt.c and (2) frame
  reading in the id3v23_interp_frame function in id3.c.  NOTE: as of
  20081122, it is possible that vector 1 has not been fixed in 1.1.15.

CVE-2008-5235 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5235):
  Heap-based buffer overflow in the demux_real_send_chunk function in
  src/demuxers/demux_real.c in xine-lib before 1.1.15 allows remote
  attackers to execute arbitrary code via a crafted Real Media file.
  NOTE: some of these details are obtained from third party information.

CVE-2008-5236 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5236):
  Multiple heap-based buffer overflows in xine-lib 1.1.12, and other
  1.1.15 and earlier versions, allow remote attackers to execute
  arbitrary code via vectors related to (1) a crafted EBML element
  length processed by the parse_block_group function in
  demux_matroska.c; (2) a certain combination of sps, w, and h values
  processed by the real_parse_audio_specific_data and
  demux_real_send_chunk functions in demux_real.c; and (3) an
  unspecified combination of three values processed by the open_ra_file
  function in demux_realaudio.c.  NOTE: vector 2 reportedly exists
  because of an incomplete fix in 1.1.15.

CVE-2008-5237 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5237):
  Multiple integer overflows in xine-lib 1.1.12, and other 1.1.15 and
  earlier versions, allow remote attackers to cause a denial of service
  (crash) or possibly execute arbitrary code via (1) crafted width and
  height values that are not validated by the mymng_process_header
  function in demux_mng.c before use in an allocation calculation or
  (2) crafted current_atom_size and string_size values processed by the
  parse_reference_atom function in demux_qt.c.

CVE-2008-5238 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5238):
  Integer overflow in the real_parse_mdpr function in demux_real.c in
  xine-lib 1.1.12, and other versions before 1.1.15, allows remote
  attackers to cause a denial of service (crash) or possibly execute
  arbitrary code via a crafted stream_name_size field.

CVE-2008-5239 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5239):
  xine-lib 1.1.12, and other 1.1.15 and earlier versions, does not
  properly handle (a) negative and (b) zero values during unspecified
  read function calls in input_file.c, input_net.c, input_smb.c, and
  input_http.c, which allows remote attackers to cause a denial of
  service (crash) or possibly execute arbitrary code via vectors such
  as (1) a file or (2) an HTTP response, which triggers consequences
  such as out-of-bounds reads and heap-based buffer overflows.

CVE-2008-5240 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5240):
  xine-lib 1.1.12, and other 1.1.15 and earlier versions, relies on an
  untrusted input value to determine the memory allocation and does not
  check the result for (1) the MATROSKA_ID_TR_CODECPRIVATE track entry
  element processed by demux_matroska.c; and (2) PROP_TAG, (3)
  MDPR_TAG, and (4) CONT_TAG chunks processed by the real_parse_headers
  function in demux_real.c; which allows remote attackers to cause a
  denial of service (NULL pointer dereference and crash) or possibly
  execute arbitrary code via a crafted value.

CVE-2008-5241 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5241):
  Integer underflow in demux_qt.c in xine-lib 1.1.12, and other 1.1.15
  and earlier versions, allows remote attackers to cause a denial of
  service (crash) via a crafted media file that results in a small
  value of moov_atom_size in a compressed MOV (aka CMOV_ATOM).

CVE-2008-5242 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5242):
  demux_qt.c in xine-lib 1.1.12, and other 1.1.15 and earlier versions,
  does not validate the count field before calling calloc for STSD_ATOM
  atom allocation, which allows remote attackers to cause a denial of
  service (crash) or possibly execute arbitrary code via a crafted
  media file.

CVE-2008-5243 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5243):
  The real_parse_headers function in demux_real.c in xine-lib 1.1.12,
  and other 1.1.15 and earlier versions, relies on an untrusted input
  length value to "reindex into an allocated buffer," which allows
  remote attackers to cause a denial of service (crash) via a crafted
  value, probably an array index error.

CVE-2008-5244 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5244):
  Unspecified vulnerability in xine-lib before 1.1.15 has unknown
  impact and attack vectors related to libfaad.  NOTE: due to the lack
  of details, it is not clear whether this is an issue in xine-lib or
  in libfaad.

CVE-2008-5245 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5245):
  xine-lib before 1.1.15 performs V4L video frame preallocation before
  ascertaining the required length, which has unknown impact and attack
  vectors, possibly related to a buffer overflow in the
  open_video_capture_device function in src/input/input_v4l.c.

CVE-2008-5246 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5246):
  Multiple heap-based buffer overflows in xine-lib before 1.1.15 allow
  remote attackers to execute arbitrary code via vectors that send ID3
  data to the (1) id3v22_interp_frame and (2) id3v24_interp_frame
  functions in src/demuxers/id3.c.  NOTE: the provenance of this
  information is unknown; the details are obtained solely from third
  party information.

CVE-2008-5247 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5247):
  The real_parse_audio_specific_data function in demux_real.c in
  xine-lib 1.1.12, and other 1.1.15 and earlier versions, uses an
  untrusted height (aka codec_data_length) value as a divisor, which
  allows remote attackers to cause a denial of service (divide-by-zero
  error and crash) via a zero value.

CVE-2008-5248 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5248):
  xine-lib before 1.1.15 allows remote attackers to cause a denial of
  service (crash) via "MP3 files with metadata consisting only of
  separators."
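
The descriptions above share four bug classes: an allocation size computed from untrusted width/height that wraps in 32-bit arithmetic (CVE-2008-5237), an allocation whose result is never checked for NULL (CVE-2008-5233, CVE-2008-5240), an untrusted length used to index into a buffer (CVE-2008-5243), and a zero divisor taken from the file (CVE-2008-5247). The following C is an added example written for this bug, not xine-lib code: the function names, the struct-free signatures, the MAX_DIM limit and the sample dimensions are all assumptions chosen to show each pattern next to its hardened form.

```c
/* Added example for bug 249041: allocation-size, NULL-check, bounds and
 * divisor patterns behind the CVEs listed above. Constructed code; none of
 * these functions or limits come from xine-lib. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

#define MAX_DIM         16384u   /* assumed sanity limit on one frame dimension */
#define BYTES_PER_PIXEL 4u

/* Unsafe (CVE-2008-5237 style): the product is evaluated in 32 bits, so a
 * crafted width and height wrap it to a small number. malloc(small) followed
 * by a write of the real frame size is a heap overflow. */
uint32_t frame_bytes_unchecked(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;
}

/* Safe: reject absurd dimensions first, then multiply in 64 bits and check
 * the result against what size_t can hold (matters on 32-bit builds).
 * Returns 1 and stores the size on success, 0 on overflow or bad input. */
int frame_bytes_checked(uint32_t width, uint32_t height, size_t *out)
{
    if (width == 0 || height == 0 || width > MAX_DIM || height > MAX_DIM)
        return 0;
    uint64_t n = (uint64_t)width * height * BYTES_PER_PIXEL;
    if (n > (uint64_t)SIZE_MAX)
        return 0;
    *out = (size_t)n;
    return 1;
}

/* Checked allocation (CVE-2008-5233/5240 style fix): the size is validated
 * before the request, and a NULL result is propagated instead of being
 * passed straight to memcpy/memset. */
unsigned char *frame_alloc(uint32_t width, uint32_t height, size_t *out_len)
{
    size_t len;
    if (!frame_bytes_checked(width, height, &len))
        return NULL;
    unsigned char *buf = calloc(len, 1);
    if (buf == NULL)
        return NULL;
    *out_len = len;
    return buf;
}

/* Overflow-safe bounds check for "untrusted length used to reindex into an
 * allocated buffer" (CVE-2008-5243 style). Written as a subtraction so that
 * offset + len cannot itself wrap around. Returns 1 if [offset, offset+len)
 * lies inside a buffer of buf_len bytes. */
int chunk_in_bounds(size_t buf_len, size_t offset, size_t len)
{
    if (offset > buf_len)
        return 0;
    return len <= buf_len - offset;
}

/* Untrusted divisor (CVE-2008-5247 style): a zero codec_data_length read
 * from the file is a SIGFPE. Returns -1 for a zero divisor rather than
 * dividing. int64_t so every uint32_t quotient fits on 32-bit targets too. */
int64_t samples_per_frame(uint32_t total_bytes, uint32_t codec_data_length)
{
    if (codec_data_length == 0)
        return -1;
    return (int64_t)(total_bytes / codec_data_length);
}

int main(void)
{
    size_t len = 0;
    /* 0x8000 * 0x8000 * 4 == 2^32, so the 32-bit product wraps to 0 */
    printf("unchecked 0x8000x0x8000: %u bytes\n",
           frame_bytes_unchecked(0x8000u, 0x8000u));
    printf("checked   0x8000x0x8000: accepted=%d\n",
           frame_bytes_checked(0x8000u, 0x8000u, &len));
    unsigned char *f = frame_alloc(640u, 480u, &len);
    printf("alloc 640x480: %s, %zu bytes\n", f ? "ok" : "failed", len);
    free(f);
    printf("chunk 90+11 in 100: %d\n", chunk_in_bounds(100, 90, 11));
    printf("divisor 0: %lld\n", (long long)samples_per_frame(1024u, 0u));
    return 0;
}
```

The two points a demuxer reviewer looks for are visible in frame_bytes_checked and chunk_in_bounds: widen before multiplying (or cap the operands so the product cannot wrap), and compare lengths by subtracting from the known buffer size rather than adding the untrusted values together.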

Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-05 22:13:34 UTC
xine-lib-1.1.15-r1 is in the tree, and already got stabled, glsa needs to be filed.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-01-05 22:21:57 UTC
IMHO, Nico from Debian said not all of the CVEs are fixed upstream yet. Flameeyes, can you advise here?
Comment 5 Alexis Ballier gentoo-dev 2009-01-08 18:52:05 UTC
xine-lib (1.1.16) 2009-01-07
  * Security fixes:
    - Heap overflow in Quicktime atom parsing.                 (CVE-2008-5234)
    - Multiple buffer overflows.                               (CVE-2008-5236)
    - Multiple integer overflows.                              (CVE-2008-5237)
    - Unchecked or incompletely-checked read function results. (CVE-2008-5239)
    - Unchecked malloc using untrusted values.                 (CVE-2008-5240)
    - Buffer indexing using untrusted or unchecked values.     (CVE-2008-5243)
    - Integer overflows in the ffmpeg audio decoder and the CDDA server.
    - Heap buffer overflow in the ffmpeg video decoder.
    - Avoid segfault on invalid track type in Matroska files.
    - Avoid underflow (compressed atoms) in the Qt demuxer.
which is in the tree and raises the question: what's left ? :)
Comment 6 Alexis Ballier gentoo-dev 2009-02-10 19:57:12 UTC
xine-lib (1.1.16.2) 2009-02-10
  * Build fixes related to ImageMagick 6.4 & later.
  * Fix an error in Matroska PTS calculation.
  * Some front ends hang due to the hang fixes in 1.1.16. Fix this by
    removing a break statement.
  * Fix broken size checks in various input plugins (ref. CVE-2008-5239).
  * More malloc checking (ref. CVE-2008-5240).
  * Fix race conditions in gapless_switch (ref. kde bug #180339)
  * Fix a possible integer overflow in the 4XM demuxer. (TKADV2009-004.txt)
Ping?
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2009-04-04 14:57:04 UTC
Ready for GLSA, the rest is handled in bug 260069. Sorry about that.
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-05-30 10:35:13 UTC
GLSA filed including bug 234777, bug 249041, bug 260069, and bug 265250.
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-01 15:45:24 UTC
GLSA 201006-04