Bug 134951 - media-libs/xine-lib: HTTP plugin remote buffer overflow (CVE-2006-2802)
Summary: media-libs/xine-lib: HTTP plugin remote buffer overflow (CVE-2006-2802)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.milw0rm.com/exploits/downl...
Whiteboard: B3? [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2006-05-30 12:27 UTC by Federico L. Bossi Bonin
Modified: 2006-11-11 20:20 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---
Description Federico L. Bossi Bonin 2006-05-30 12:27:04 UTC
Gentoo Base System version 1.6.14
Portage 2.1_rc2-r3 (default-linux/x86/2005.1, gcc-3.4.4, glibc-2.3.5-r2, 2.6.16-gentoo-r7 i686)
=================================================================
System uname: 2.6.16-gentoo-r7 i686 AMD Athlon(tm) XP 2600+
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2006-05-30 13:32:11 UTC
Auditors, please review and confirm if current stable version is affected
Exploit is publicly posted so opening this bug for all to see
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2006-05-30 14:19:30 UTC
confirmed on media-video/gxine-0.4.5 using

$ perl -e 'print "A"x"9500"' | nc -lp 8080 

and

$ gxine http://localhost:8080/foo.mpg
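To make concrete what a fix for this class of bug has to do, here is an added example (not xine-lib's code and not from this bug report): a bounded reader for the HTTP status line that rejects a reply like the 9500-byte one above instead of copying it into a fixed buffer. HTTP_LINE_MAX, the function names and the sample replies are assumptions constructed for the example.

```c
/* Added example, not xine-lib's code: a bounded reader for the HTTP status line a
 * media-input plugin gets from the server. Copying that line into a fixed buffer with
 * no length check is what a 9500-byte "A" reply (comment 2) overruns; this rejects it. */
#include <string.h>

#define HTTP_LINE_MAX 1024              /* assumed cap on one header line, not xine-lib's */
/* Copy one LF/CRLF-terminated line from in[0..in_len) into out (NUL-terminated).
 * Returns its length, or -1 if no terminator appears within out_cap-1 bytes or
 * within the input. Callers must treat -1 as a protocol error and stop. */
static int read_http_line(const char *in, size_t in_len, char *out, size_t out_cap)
{
    size_t i;
    if (out_cap == 0) return -1;
    for (i = 0; i < in_len && i < out_cap - 1; i++) {
        if (in[i] == '\n') {
            size_t n = (i > 0 && in[i - 1] == '\r') ? i - 1 : i;
            memcpy(out, in, n);
            out[n] = '\0';
            return (int)n;
        }
    }
    out[0] = '\0';                      /* over-long or unterminated: reject, never truncate */
    return -1;
}

/* Status code from "HTTP/x.y NNN reason", or -1 if malformed. */
static int parse_status_line(const char *line)
{
    const char *sp = strchr(line, ' ');
    int code = 0, k;
    if (strncmp(line, "HTTP/", 5) != 0 || sp == NULL) return -1;
    for (k = 1; k <= 3; k++) {
        if (sp[k] < '0' || sp[k] > '9') return -1;   /* a NUL fails here: no over-read */
        code = code * 10 + (sp[k] - '0');
    }
    return code;
}

/* Status code of a whole reply, or -1 if its status line is over-long or malformed. */
static int check_response(const char *resp, size_t resp_len)
{
    char line[HTTP_LINE_MAX];
    if (read_http_line(resp, resp_len, line, sizeof line) < 0) return -1;
    return parse_status_line(line);
}

/* Constructed inputs: a sane reply, and the 9500 x "A" reply from comment 2. */
static int demo_normal(void)
{
    const char *resp = "HTTP/1.0 200 OK\r\nContent-Type: audio/mpeg\r\n\r\n";
    return check_response(resp, strlen(resp));       /* 200 */
}
static int demo_overlong(void)
{
    static char resp[9500];
    memset(resp, 'A', sizeof resp);     /* no newline at all, exactly like the PoC */
    return check_response(resp, sizeof resp);        /* -1: rejected before the buffer can fill */
}
```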
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-30 21:16:24 UTC
media-video please bump.
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2006-05-31 03:51:14 UTC
flameeyes reports the actual bug is within xine-lib, not gxine, correcting summary...
Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-05-31 04:19:43 UTC
I can only reproduce an invalid pointer dereference here on this system, if someone can point me to something in the sources (no, it's not friggin' gcc 4.0.2, I wonder why it says that, it's 4.1.1).

Portage 2.1_rc3-r2 (default-linux/amd64/2006.0, gcc-4.0.2, glibc-2.4-r3, 2.6.16-gentoo-r8 x86_64)
=================================================================
System uname: 2.6.16-gentoo-r8 x86_64 AMD Athlon(tm) 64 Processor 3500+
Gentoo Base System version 1.12.0

Comment 6 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-05-31 07:34:23 UTC
Adding myself so I won't forget about this; anyway, problem reproduced, working on identifying it.
Comment 7 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-05-31 08:30:05 UTC
Okay, point identified, fixed, patched, new ebuild in portage, xine-lib-1.1.2_pre20060328-r9, ready for stable marking (a lot more fixes in it too, so users will be happy).
Although up to -r8 it needed -fvisibility=hidden support, now it will build even without it (for arches stuck with gcc 3.3), although then there will be some corner cases where it might die a horrible death (like trying to play AAC files with external ffmpeg and aac enabled in ffmpeg, or in amarok with support for aac), but alas, I can't do much about those arches; for most uses it's fine though.
Comment 8 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-31 08:34:08 UTC
arches, please test and stable xine-lib-1.1.2_pre20060328-r9, thanks
Comment 9 Matthias Langer 2006-05-31 13:46:50 UTC
I've done some testing with

media-libs/xine-lib-1.1.2_pre20060328-r9  +X +a52 +aac +aalib +alsa (-altivec) -arts +asf -debug -directfb +dts +dvd -dxr3 -esd +fbcon +ffmpeg +flac +gnome +imagemagick +ipv6 -libcaca +mad +mng -modplug +nls +opengl -oss -samba +sdl +speex +theora -v4l +vcd -video_cards_i810 +video_cards_nvidia -video_cards_via +vidix +vorbis +win32codecs -xinerama +xv -xvmc

using

media-video/totem-1.2.1  +a52 -debug +dvd +flac +gnome -lirc +mad +mpeg -nsplugin +ogg +theora +vorbis +win32codecs +xine +xv

and

media-video/xine-ui-0.99.4-r5  +X +aalib +curl -libcaca -lirc +ncurses +nls +readline -vdr -xinerama

Video playback seems to be ok in both players. I've experienced some 'The Application "totem" has quit unexpectedly.' directly after opening a file after the player was already running and I had done the same at least 3 times before. As these crashes are not connected to a particular file and nothing indicates that this is a xine-lib bug, I guess that this is a totem bug I've just not noticed before. I'm going to see if recompiling totem helps....

to cut a long story short:
xine-lib-1.1.2_pre20060328-r9 is ok in my opinion for x86.

PS: I'll post 'emerge --info' on request.
Comment 10 Matthias Langer 2006-05-31 16:11:42 UTC
Well, that totem bug still remains after rebuilding; I think it has nothing to do with xine-lib.
Comment 11 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-05-31 16:29:20 UTC
I'm not saying that the current version is exempt from bugs; there are at least three I know of, but for those I need more inspection. I will try to fix them ASAP and call another stable, but now it's mostly about the security issue :/
Comment 12 Luis Medinas (RETIRED) gentoo-dev 2006-06-01 11:32:28 UTC
amd64 is happy... marked stable
Comment 13 Thomas Cort (RETIRED) gentoo-dev 2006-06-01 12:27:44 UTC
xine-lib-1.1.2_pre20060328-r9 stable on alpha.
Comment 14 Jason Wever (RETIRED) gentoo-dev 2006-06-01 15:47:33 UTC
SPARC stable
Comment 15 Francois Chenier 2006-06-02 01:10:24 UTC
I experienced a side effect since I upgraded to xine-lib-1.1.2_pre20060328-r9 as I am no longer able to play mp3 streaming audio files in gxine-0.5.6. The error returned is

---The xine engine failed to start.
No input plugin was found.
Maybe the file does not exist or cannot be accessed, or there is an error in the URL.

AND

---Permission error
http://www.reprisesdupont.com/2006-06-01-Dupont_Le_Midi.mp3

Prior to this version (xine-lib-1.1.2_pre20060328-r8 and lower) I never had problems playing mp3 files on this website.

NOTE: Downloading the mp3 file & playing it locally works fine, so it's not a problem with a missing plug-in or with a bad URL. I tried to recompile gxine w/o success (gxine compiles, but the problem remains).

Portage 2.1_rc3-r5 (default-linux/x86/2006.0, gcc-4.1.1, glibc-2.4-r3, 2.6.17-rc5! i686)
=================================================================
System uname: 2.6.17-rc5! i686 Intel(R) Pentium(R) 4 Mobile CPU 1.60GHz
Gentoo Base System version 1.12.0
Comment 16 Tobias Scherbaum (RETIRED) gentoo-dev 2006-06-02 13:23:38 UTC
ppc stable
Comment 17 Mark Loeser (RETIRED) gentoo-dev 2006-06-02 18:49:02 UTC
x86 done
Comment 18 René Nussbaumer (RETIRED) gentoo-dev 2006-06-03 02:49:28 UTC
stable on hppa
Comment 19 Francois Chenier 2006-06-03 03:47:31 UTC
Supplementary notes to Comment #15

o) Problem is still present in xine-lib-1.1.2_pre20060328-r10 but not in xine-lib-1.1.2_pre20060328-r1 (I downgraded xine-lib just to test it).

o) I think the latest version w/o this bug was xine-lib-1.1.2_pre20060328-r8 but I'm not absolutely sure.
Comment 20 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-06-03 06:38:18 UTC
Sounds like playing mp3 files rather than shoutcast streams via HTTP relied on the buffer overflowing. Interesting, eh?
Let's stable this and then I'll ask a quick stable with a couple more fixes.
Comment 21 Francois Chenier 2006-06-03 18:01:54 UTC
(In reply to comment #20)
> Sounds like playing mp3 files rather than shoutcast streams via HTTP relied on
> the buffer overflowing. Interesting, eh?
> Let's stable this and then I'll ask a quick stable with a couple more fixes.
> 

You're probably right. The problem is probably a side effect of one of the numerous Gentoo patches between -r2 and -r10 and not related to the overflow problem addressed in this bug. BTW, I noticed this problem just with this website (funny, no?). As stated in comment #15, I have a workaround to avoid this issue: 1) I just need to download the file first & play it as usual in gxine, OR 2) I just need to open the MRL using totem-1.4 (compiled, of course, w/o xine support).
Comment 22 Markus Rothe (RETIRED) gentoo-dev 2006-06-05 13:13:58 UTC
ppc64 stable
Comment 23 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-09 05:02:18 UTC
Buffer overflow -> B2 -> s/[stable]/[glsa] and adding to the glsamaker pool
Comment 24 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-09 05:12:01 UTC
Adding: it's CVE-2006-2802, please update the summary & whiteboard ;)
Comment 25 Francois Chenier 2006-06-09 16:52:44 UTC
Stupid thing, but the bug reported in Comment #15 is now fixed with the clean-up you did in xine-lib-1.1.2_pre20060606.

Thanks.
Comment 26 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-06-09 17:00:00 UTC
Good to hear, although it's probably simpler to wait for 1.1.2 final release and stable that when it's time anyway :)
Comment 27 Thierry Carrez (RETIRED) gentoo-dev 2006-06-13 13:30:51 UTC
GLSA draft only talks about DoS. This would be a client-side DoS so not really a security issue (a malicious server can deny service in all cases).
Comment 28 Wolf Giesen (RETIRED) gentoo-dev 2006-06-13 15:19:46 UTC
Auditing team, can you figure out whether arbitrary code exec might be possible, or does it "just crash" without side effects?
Comment 29 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-14 09:33:52 UTC
Setting to glsa? until we decide whether this is only a crash issue.
Comment 30 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-18 04:54:34 UTC
Personally I really don't know.

Debian and Mitre reference this as a simple DoS

I would vote NO-glsa since xine-* very often has GLSAs concerning code execution, and we won't start to send GLSAs for a xine DoS.
Furthermore, it's a client DoS by enticing the user to play a specially crafted file, which is not very common, and really not dangerous at all.
Comment 31 Thierry Carrez (RETIRED) gentoo-dev 2006-06-18 08:27:35 UTC
No GLSA for me.
Comment 32 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-18 08:53:41 UTC
Voting NO, closing and GLSAmaker cleaned up.

Feel free to reopen if you disagree.