|Summary:||media-libs/xine-lib - Xine vcd MRL input identifier management overflow|
|Product:||Gentoo Security||Reporter:||Carsten Lohrke (RETIRED) <carlo>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Whiteboard:||A2 [ glsa ]|
Description Carsten Lohrke (RETIRED) 2004-08-10 03:42:15 UTC
Like the excellent Mplayer, Xine is a superb free media player for Linux. Sadly there is a generic stack-based buffer overflow in all versions of Xine-lib, including Xine-lib-rc5, that allows for local and remote malicious code execution. By overflowing the vcd:// input source identifier buffer, it is possible to modify the instruction pointer with a value that a malicious attacker can control. The issue can be replicated in a remote context by embedding the input source identifier within a playlist file, such as an asx. When a user plays the file, this stack overflow will occur; exploit code can then be executed with the rights of the user running Xine. The problem slightly increases due to a usability feature. It does not have to be an asx extension for exploitation to succeed, as Xine will try to be clever and play any media type found, providing it's valid. This still means the attack vector MUST include the .asx input identifier, but it means you cannot even trust URLs for .mp3, .mpeg, .mpg or .avi media. As long as Xine finds a valid media header, it's happy to change the demuxer reference and play the found media. In this case it's a playlist file, ".asx", though others should work.
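A triage check for the vector described above, added here as an example and not part of the bug report or of xine-lib: it decides on file content rather than extension and flags vcd:// identifiers longer than an assumed limit. `scan_media_bytes`, `MAX_VCD_ID_LEN` and the sample byte strings are constructed for illustration; the report does not state the real buffer size.

```python
import re

# Assumed threshold: the report gives no buffer size, so this limit is a
# constructed, conservative value for triage, not xine-lib's real bound.
MAX_VCD_ID_LEN = 128

# A vcd:// MRL runs until whitespace, a quote or an angle bracket.
VCD_MRL = re.compile(rb'vcd://([^\s"\'<>]*)', re.IGNORECASE)
# ASX playlists are recognised by their root element, not by file name.
ASX_MARKER = re.compile(rb'<\s*asx\b', re.IGNORECASE)


def scan_media_bytes(name, data, max_len=MAX_VCD_ID_LEN):
    """Return findings for oversized vcd:// identifiers in `data`.

    `name` is only used for reporting; the decision is made on content,
    because a file named .mp3 or .avi may still hold an ASX playlist.
    """
    findings = []
    is_asx = bool(ASX_MARKER.search(data[:4096]))
    for match in VCD_MRL.finditer(data):
        ident = match.group(1)
        if len(ident) > max_len:
            findings.append({
                "file": name,
                "offset": match.start(),
                "identifier_length": len(ident),
                "asx_content": is_asx,
                "extension_mismatch": is_asx and not name.lower().endswith(".asx"),
            })
    return findings


# Constructed samples (not taken from the bug report).
BENIGN_ASX = b'<asx version="3.0"><entry><ref href="vcd://1"/></entry></asx>'
OVERSIZED_AS_MP3 = (b'<ASX VERSION="3.0"><ENTRY><REF HREF="vcd://'
                    + b"A" * 600 + b'"/></ENTRY></ASX>')
PLAIN_AUDIO = b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\x00" * 64

if __name__ == "__main__":
    for fname, blob in [("ok.asx", BENIGN_ASX),
                        ("song.mp3", OVERSIZED_AS_MP3),
                        ("real.mp3", PLAIN_AUDIO)]:
        print(fname, scan_media_bytes(fname, blob))
```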
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) 2004-08-10 04:00:16 UTC
Patch can be found here: http://sourceforge.net/mailarchive/forum.php?thread_id=5143955&forum_id=11923
Still no official Xine advisory to be found here: http://xinehq.de/index.php/security
Comment 2 Chris White (RETIRED) 2004-08-10 11:57:55 UTC
x86 ppc sparc amd64 hppa alpha ppc64 please mark stable.
Comment 3 Chris White (RETIRED) 2004-08-10 12:13:17 UTC
Version numbers also help:
please mark media-libs/xine-lib-1_rc5-r3 stable
we now continue with the show already in progress.
Comment 4 Travis Tilley (RETIRED) 2004-08-11 08:39:17 UTC
stable on amd64
Comment 5 Pieter Van den Abeele (RETIRED) 2004-08-12 12:31:46 UTC
stable on ppc
Comment 6 Chris White (RETIRED) 2004-08-12 15:42:49 UTC
Stable on x86
Played some mpeg4 files
Played a dvd
Played some music
Explored the different menu options.
Everything went just nicely.
Comment 7 Bryan Østergaard (RETIRED) 2004-08-12 16:31:53 UTC
Stable on alpha.
Comment 8 SpanKY 2004-08-13 05:44:41 UTC
stable on hppa ... don't know why you said it was stable on alpha; when i added hppa, alpha was still in unstable ... so i added alpha to stable too :p
Comment 9 Jason Wever (RETIRED) 2004-08-13 21:52:44 UTC
Sorry for the lack of movement here folks. There is a problem with sparc32 and xine-lib which causes a failure in compiling. I'm hoping to focus some serious time on it tomorrow and get it straightened around. It does work fine on sparc64 however, so if people feel that this really needs to get out pronto, we can bump.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) 2004-08-13 22:22:30 UTC
Jason, tomorrow is fine.
GLSA drafted: security please review
Comment 11 Jason Wever (RETIRED) 2004-08-15 07:55:51 UTC
Marked stable on sparc. sparc32 is still broken on this ebuild however. I don't see this as a huge issue as most people probably aren't attempting to watch movies on a machine that can barely play mp3s. However I will be opening up a separate bug to try and get that issue fixed.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) 2004-08-15 08:16:21 UTC
All ready for GLSA. Security please review draft.
Comment 13 Chris White (RETIRED) 2004-08-17 10:30:08 UTC
*** Bug 60692 has been marked as a duplicate of this bug. ***
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) 2004-08-17 23:34:59 UTC
GLSA 200408-18
ppc64 please mark stable to benefit from GLSA.
Comment 15 Tom Gall (RETIRED) 2004-09-26 20:35:39 UTC
stable on ppc64