Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 60692 - Xines_Mine.c
Summary: Xines_Mine.c
Status: RESOLVED DUPLICATE of bug 59948
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Depends on:
Reported: 2004-08-17 10:24 UTC by c0ntex
Modified: 2005-07-17 13:06 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description c0ntex 2004-08-17 10:24:44 UTC

Any info you need please email as I'd love to help out!

You reacted to the Mplayer issue quickly, I think you deal with security issues on par with free/openbsd guys, certainly better than most Linux suppliers I've used. BTW I dont currently use Gentoo, I think I shall have a play.


Reproducible: Always
Steps to Reproduce:
1. compile and run code
2. launch xine against it, using any demuxor name ($ ./xine http://box/a.mp3,mpg,mpeg,avi,pls)
3. watch Xine window - attached POC for non-hardened stacks
Actual Results:  
execve("/bin/sh -c """) on remote client

Expected Results:  
used system calls correctly - complained and returned in a clean manner

The "severity" section below is relative I guess, I will let you guys define
this for your particular OS.

Xine seem uninterested to inform their community about this bug. I gave them 30
days, they ignored me then after tracking them down on irc, they stated they had
another 800 to fix. 

Comment 1 Chris White (RETIRED) gentoo-dev 2004-08-17 10:30:05 UTC
Great, you'll love how fast this goes then :P.

Already marked stable, already drafted the announcement, might even
release it today.

*** This bug has been marked as a duplicate of 59948 ***