Secunia: Luigi Auriemma has reported some vulnerabilities in xine-lib, which potentially can be exploited by malicious people to compromise a user's system. The vulnerabilities are caused by integer overflow errors when allocating memory in src/demuxers/demux_flv.c, src/demuxers/demux_qt.c, src/demuxers/demux_real.c, src/demuxers/demux_wc3movie.c, src/demuxers/ebml.c, and src/demuxers/demux_film.c. These can be exploited to cause heap-based buffer overflows via overly large fields included in e.g. FLV, MOV, RM, MVE, MKV, and CAK files. The vulnerabilities are reported in version 1.1.11. Other versions may also be affected.

SOLUTION: Do not open untrusted files using xine-lib.

PROVIDED AND/OR DISCOVERED BY: Luigi Auriemma

ORIGINAL ADVISORY: http://aluigi.altervista.org/adv/xinehof-adv.txt
flameeyes, are these fixed upstream?
These were not known to upstream until now, and it's now freakin' easter, don't expect me to find a way to fix them before tuesday... incidentally I decided to use easter as timeframe to clean up my office's cabling -_-;
FWIW, they should _all_ be fixed in 1.2 series, I suppose backporting the relevant changes, if possible, would solve the issue. 1.2 makes good use of calloc rather than using malloc directly.
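The bug class in the advisory (a 32-bit element count taken from a container header and multiplied into an allocation size) and the remark above about calloc versus malloc, as an added C example that is not xine-lib code and not the upstream fix: the record layout (4-byte big-endian count followed by 8-byte entries), the function names and the sample buffers are constructed here for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example, not xine-lib code. A demuxer reads a 32-bit entry
 * count from a container header and allocates a table for it. The record
 * layout (4-byte big-endian count, then 8-byte entries) is invented here. */

typedef struct {
    uint32_t offset;
    uint32_t size;
} entry_t;

#define ENTRY_DISK_SIZE 8u   /* bytes each entry occupies in the file */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The bug class from the advisory: count * sizeof(entry_t) evaluated in
 * 32-bit arithmetic (size_t on a 32-bit build, or a uint32_t temporary)
 * wraps, so malloc() hands back a tiny buffer while the parse loop still
 * runs `count` times and writes past the end of it. */
uint32_t wrapped_alloc_size(uint32_t count)
{
    return count * (uint32_t)sizeof(entry_t);   /* 0x20000001 * 8 wraps to 8 */
}

/* Hardened parse. Bounds the count by the input actually present before any
 * multiplication happens, then allocates with calloc(), whose nmemb*size
 * multiply is overflow-checked in glibc. Returns the number of entries parsed
 * and stores the table in *out, or returns -1 (and *out = NULL) on bad input. */
int parse_entry_table(const uint8_t *buf, size_t len, entry_t **out)
{
    *out = NULL;
    if (len < 4)
        return -1;
    uint32_t count = be32(buf);
    size_t remaining = len - 4;

    /* A table with `count` entries needs count * ENTRY_DISK_SIZE input
     * bytes; dividing instead of multiplying cannot overflow. */
    if (count > remaining / ENTRY_DISK_SIZE)
        return -1;
    if (count > INT_MAX || count > SIZE_MAX / sizeof(entry_t))
        return -1;   /* defence in depth: keep the return value and size_t sane */

    entry_t *table = calloc(count ? count : 1, sizeof(entry_t));
    if (!table)
        return -1;
    const uint8_t *p = buf + 4;
    for (uint32_t i = 0; i < count; i++, p += ENTRY_DISK_SIZE) {
        table[i].offset = be32(p);
        table[i].size   = be32(p + 4);
    }
    *out = table;
    return (int)count;
}

/* Constructed inputs: a well-formed two-entry table, and a header that
 * claims 0x20000001 entries but carries only 8 bytes of payload. */
const uint8_t sample_good[] = {
    0, 0, 0, 2,
    0, 0, 0, 16,   0, 0, 1, 0,    /* entry 0: offset 16,  size 256 */
    0, 0, 1, 16,   0, 0, 0, 32,   /* entry 1: offset 272, size 32  */
};
const uint8_t sample_bad[] = { 0x20, 0, 0, 1,  0, 0, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    entry_t *t;
    printf("wrapped size for 0x20000001 entries: %u bytes\n",
           wrapped_alloc_size(0x20000001u));
    int n = parse_entry_table(sample_good, sizeof sample_good, &t);
    printf("good table: %d entries, entry1.offset=%u\n", n, n > 1 ? t[1].offset : 0);
    free(t);
    n = parse_entry_table(sample_bad, sizeof sample_bad, &t);
    printf("oversized count rejected: %s\n", n == -1 ? "yes" : "no");
    return 0;
}
```

Two points the example is meant to make. First, calloc(count, size) helps because the libc does the multiply and can refuse it, whereas malloc(count * size) only ever sees the already-wrapped product. Second, calloc alone is not a complete fix: a count that does not overflow can still be far larger than the data behind it, so the demuxer should bound the count by the bytes remaining in the file before it trusts it in a loop.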
Diego, is there any update here?
Upstream is handling it as bug 71: http://bugs.xine-project.org/show_bug.cgi?id=71 There is a patch but I wasn't able to doublecheck its commit status yet, sorry I'm behind with my own schedule.
Merged here: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=a3f2772fd14b;style=gitweb http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=08bb2b5bfddd;style=gitweb Although it seems this here is worth merging too: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=6f9e9feb84e5;style=gitweb
ping, flamy and others?
Ok, I should have checked before. Fixes released as 1.1.11.1 (omg!). Please bump.
(In reply to comment #8)
> Ok, I should have checked before. Fixes released as 1.1.11.1 (omg!). Please
> bump.

bumped; there were two (known to me) regressions in this release, they're patched.
Arches, please test and mark stable: =media-libs/xine-lib-1.1.11.1 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sparc x86"
Stable for HPPA.
ppc64 stable
Stable on alpha.
Tested =media-libs/xine-lib-1.1.11.1 USE="X a52 aac aalib alsa dts dvd flac gnome gtk mad mng musepack nls opengl samba sdl speex theora truetype vcd vidix vorbis xcb xinerama xv (-altivec) -arts -debug (-directfb) -dxr3 -esd -fbcon -imagemagick -ipv6 -jack -libcaca -mmap (-modplug) -oss -pulseaudio (-real) -v4l -wavpack (-win32codecs) (-xvmc)" on sparc.
- compiles fine
- no test failures
- no collisions
- works fine using dvds and vcds

# emerge --info
Portage 2.1.4.4 (default-linux/sparc/sparc64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.24-gentoo-r4 sparc64)
=================================================================
System uname: 2.6.24-gentoo-r4 sparc64 sun4u
Timestamp of tree: Tue, 08 Apr 2008 21:00:01 +0000
app-shells/bash: 3.2_p17-r1
dev-lang/python: 2.4.4-r9
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.61-r1
sys-devel/automake: 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.26
virtual/os-headers: 2.6.23-r3
ACCEPT_KEYWORDS="sparc"
CBUILD="sparc-unknown-linux-gnu"
CFLAGS="-mcpu=ultrasparc3 -mtune=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe -ggdb"
CHOST="sparc-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-mcpu=ultrasparc3 -mtune=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe -ggdb"
DISTDIR="/tmp/distfiles"
FEATURES="collision-protect distlocks installsources metadata-transfer parallel-fetch sandbox splitdebug strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="de_DE.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="en de"
MAKEOPTS="-j10"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/sunrise /usr/portage/local/layman/gnash-cvs /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="64bit 7zip X a52 aac aalib ace agg alsa artworkextra audacious blender-game bluetooth bzip2 c++ caps clock-screen cups curl custom-cflags cvs cxx dbus devhelp dga disk-partition divx doc dri dts dv dvd dvdread eds encode evo exif fastcgi fat festival ffmpeg flac ftp fuse gd gif gimp gimpprint glade gmedia gnome gnome-print gnomecanvas gpm grammar gtk hal hpn ieee1394 imap ithreads javascript jpeg jpeg2k key-screen libsexy lyrics lzo mad mbrola memcache midi mikmod mjpeg mng mouse mp2 mp3 mpeg mpeg2 mplayer musepack musicbrainz nautilus ncurses network network-cron networking nls nptl nptlonly nsplugin offensive ogg openal opengl openmp opera pam parallel pcre pdf png pnm ppds qt3support quicktime raw realmedia regex ruby samba sasl sdl sdl-image search-screen slang smartcard smp sms sound soundex source sourceview sparc speex spell sqlite3 ssl subversion svg symlink taglib tagwriting theora threads tiff timidity truetype tta unicode usb userlocales utils vcd vidix vim vim-syntax vim-with-x vorbis wma wmf wmp wordexp x264 xanim xcb xfce xine xinerama xorg xulrunner xv xvid zlib"
ALSA_CARDS="CS4231"
ALSA_PCM_PLUGINS="adpcm alaw copy dshare dsnoop extplug file hooks ladspa lfloat linear meter mulaw multi null rate route share shm"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse"
KERNEL="linux"
LINGUAS="en de"
USERLAND="GNU"
VIDEO_CARDS="mach64 fbdev mga"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
ia64/sparc/x86 stable, thanks Friedrich
amd64 stable
ppc stable
Fixed in release snapshot.
GLSA 200808-01