Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 205197 - media-libs/xine-lib < 1.1.9.1 "rmff_dump_cont()" Buffer Overflow Vulnerabilities (CVE-2008-0225, CVE-2008-0238)
Summary: media-libs/xine-lib < 1.1.9.1 "rmff_dump_cont()" Buffer Overflow Vulnerabilit...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/28384/
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-01-10 13:05 UTC by Lars Hartmann
Modified: 2011-10-20 05:04 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Lars Hartmann 2008-01-10 13:05:12 UTC
The vulnerabilities are caused due to boundary errors within the "rmff_dump_cont()" function in input/libreal/rmff.c when processing the SDP "Title", "Author", Copyright", and "Abstract" attributes. These can be exploited to cause a heap-based buffer overflow by tricking the user into connecting to a malicious RTSP server.

Successful exploitation may allow execution of arbitrary code.

The vulnerabilities are confirmed in version 1.1.9. Other versions may also be affected.

Solution: no upstream fix avaible, so "Do not connect to untrusted streaming servers."...
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-01-10 13:55:32 UTC
Media-video, please advise.
Comment 2 Alexis Ballier gentoo-dev 2008-01-11 18:02:42 UTC
xine-lib 1.1.9.1 is in the tree and candidate for stable, see changelog why there is a -r1 too...
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2008-01-13 14:15:24 UTC
Arches please test and mark stable. Target keywords are:

xine-lib-1.1.9.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 ~x86-fbsd"
Comment 4 Brent Baude (RETIRED) gentoo-dev 2008-01-13 19:07:23 UTC
ppc64 done
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2008-01-13 19:52:00 UTC
(In reply to comment #3)
> Arches please test and mark stable. Target keywords are:
> 
> xine-lib-1.1.9.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
> ~x86-fbsd"
> 

which should be 1.1.9.1 according to the changelog, re-adding ppc64

xine-lib-1.1.9.1.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 ~x86-fbsd"
Comment 6 Brent Baude (RETIRED) gentoo-dev 2008-01-13 20:02:12 UTC
1.1.9.1 done now too. ppc64 stable
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2008-01-13 20:08:14 UTC
ppc stable
Comment 8 Markus Meier gentoo-dev 2008-01-13 21:04:52 UTC
x86 stable
Comment 9 Jeroen Roovers gentoo-dev 2008-01-15 06:18:32 UTC
Stable for HPPA.
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2008-01-16 12:18:30 UTC
alpha/ia64/sparc stable
Comment 11 Peter Weller (RETIRED) gentoo-dev 2008-01-16 15:51:41 UTC
amd64 done.
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2008-01-16 19:08:43 UTC
GLSA request filed.
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-01-27 16:36:29 UTC
GLSA 200801-12, thanks.