Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 59948

Summary: media-libs/xine-lib - Xine vcd MRL input identifier management overflow
Product: Gentoo Security Reporter: Carsten Lohrke (RETIRED) <carlo>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: c0ntex, media-video
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://www.open-security.org/advisories/6
Whiteboard: A2 [ glsa ]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 11510    

Description Carsten Lohrke (RETIRED) gentoo-dev 2004-08-10 03:42:15 UTC
Like the excellent Mplayer, Xine is a superb free media player for Linux. Sadly there is a generic stack based buffer overflow in all versions of Xine-lib, including Xine-lib-rc5 that allows for local and remote malicious code execution. By overflowing the vcd:// input source identifier buffer, it is possible to modify the instruction pointer with a value that a malicious attacker can control. The issue can be replicated in a remote context by embedding the input source idientifier within a playlist file, such as an asx. When a user plays the file, this stack overflow will occur, exploit code can then be executed with the rights of the user running Xine.

The problem slightly increases due to a usability feature. It does not have to be an asx extension for exploitation to succeed as Xine will try to be clever and play any media type found, providing it's valid. This still means the attack vector MUST include the .asx input identifier but it means you can not even trust URL's for .mp3, .mpeg, .mpg or .avi media. As long as Xine finds a valid media header, it's happy to change the demuxer reference and play the found media. In this case it's a playlist file, ".asx",  though others should work.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-10 04:00:16 UTC
Patch can be found here:

http://sourceforge.net/mailarchive/forum.php?thread_id=5143955&forum_id=11923

Still no official Xine advisory to be found here:

http://xinehq.de/index.php/security
Comment 2 Chris White (RETIRED) gentoo-dev 2004-08-10 11:57:55 UTC
x86 ppc sparc amd64 hppa alpha ppc64

please mark stable.
Comment 3 Chris White (RETIRED) gentoo-dev 2004-08-10 12:13:17 UTC
Version numbers also help:

please mark media-libs/xine-lib-1_rc5-r3 stable

we now continue with the show already in progress.
Comment 4 Travis Tilley (RETIRED) gentoo-dev 2004-08-11 08:39:17 UTC
stable on amd64
Comment 5 Pieter Van den Abeele (RETIRED) gentoo-dev 2004-08-12 12:31:46 UTC
stable on ppc
Comment 6 Chris White (RETIRED) gentoo-dev 2004-08-12 15:42:49 UTC
Stable on x86

Played some mpeg4 files
Played a dvd
Played some music
Explored the different menu options.

Everything went just nicely.
Comment 7 Bryan Ƙstergaard (RETIRED) gentoo-dev 2004-08-12 16:31:53 UTC
Stable on alpha.
Comment 8 SpanKY gentoo-dev 2004-08-13 05:44:41 UTC
stable on hppa ... dont know why you said it was stable on alpha; when i added hppa, alpha was still in unstable ...

so i added alpha to stable too :p
Comment 9 Jason Wever (RETIRED) gentoo-dev 2004-08-13 21:52:44 UTC
Sorry for the lack of movement here folks.  There is a problem with sparc32 and xine-lib which causes a failure in compiling.  I'm hoping to focus some serious time on it tomorrow and get it straightened around.  It doed work fine on sparc64 however, so if people feel that this really needs to get out pronto, we can bump.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-13 22:22:30 UTC
Jason tomorrow is fine.

GLSA drafted: security please review
Comment 11 Jason Wever (RETIRED) gentoo-dev 2004-08-15 07:55:51 UTC
Marked stable on sparc.

sparc32 is still broken on this ebuild however.  I don't see this as a huge issue as most people probably aren't attempting to watch movies on a machine that can barely play mp3s.  However I will be opening up a seperate bug to try and get that issue fixed.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-15 08:16:21 UTC
All ready for GLSA. Security please review draft.
Comment 13 Chris White (RETIRED) gentoo-dev 2004-08-17 10:30:08 UTC
*** Bug 60692 has been marked as a duplicate of this bug. ***
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-17 23:34:59 UTC
GLSA 200408-18

ppc64 please mark stable to benifit from GLSA.
Comment 15 Tom Gall (RETIRED) gentoo-dev 2004-09-26 20:35:39 UTC
stable on ppc64