xine security announcement
==========================

Announcement-ID: XSA-2004-4

Summary:
Several string overflows on the stack have been fixed in xine-lib, some of them can be used for remote buffer overflow exploits leading to the execution of arbitrary code with the permissions of the user running a xine-lib based media application.

Description:
Stack-based string overflows have been found
1. in the code which handles VideoCD MRLs
2. in VideoCD code reading the disc label
3. in the code which parses text subtitles and prepares them for display

We will briefly address each item individually:

1. MRLs (media resource locators) are a subset of URIs used by the xine-lib library to describe the location of the content to play. A string overflow in the parsing code for the VideoCD-specific MRLs (those starting with "vcd:/") has been found and reported to the xine-lib developers by c0ntex[at]open-security.org. Since xine frontends might accept receiving MRLs from a remote location, this overflow is remotely exploitable by crafting a malicious reference or playlist file and tricking the user into downloading it.

2. The ISO disk label of a VideoCD is copied into an unprotected stack buffer of fixed size. An attacker can craft a malicious VideoCD containing an unterminated disk label, which would overrun the buffer. Since VideoCDs are not accepted from remote locations, this is not directly remotely exploitable. This error is located in code we copied from the libcdio project. Since xine-lib can also use this library dynamically linked, the vulnerability can depend on the version of an external libcdio library installed on the user's system. See the affected versions below.

3. The parsing and display preparation of text subtitles can be overflown with overly long subtitle lines. Text subtitles mostly come as separate files to translate DivX movies, but they can also be embedded into OGG or Matroska media containers. By crafting a malicious file and tricking the user into viewing it via network streaming, this is remotely exploitable.

Severity:
Several of these stack overflows are remotely exploitable and proof-of-concept exploit code from c0ntex[at]open-security.org is available for item 1. Malicious exploits have not been seen in the wild yet, but this would not be difficult to achieve. Since the involved xine plugins are part of the standard xine installation, a large number of users are affected. Given the wide range of possible harm, we consider this problem to be highly critical.

Affected versions:
1-rc releases starting with and including 1-rc2 up to and including 1-rc5.

Unaffected versions:
All 0.9 releases or older.
All 1-alpha releases.
All 1-beta releases.
1-rc0 and 1-rc1 releases.
1-rc6 or newer.
xine-lib installations dynamically linking against libcdio will not be vulnerable to item 2 if the libcdio version installed is 0.69 or newer.

Solution:
The enclosed patches which have been applied to xine-lib CVS fix the problem but should only be used by distributors who do not want to upgrade. Otherwise, we strongly advise everyone to upgrade to the 1-rc6 release of xine-lib.
As a temporary workaround, you may delete the files "xineplug_inp_vcd.so", "xineplug_dmx_sputext.so" and "xineplug_decode_sputext.so" from the xine-lib plugin directory, losing the ability to play VideoCDs and to view text subtitles with xine-lib.

Patches:
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/vcd/xineplug_inp_vcd.c?r1=1.18&r2=1.22&diff_format=u
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/vcd/libcdio/cd_types.c?r1=1.2&r2=1.3&diff_format=u
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/libsputext/demux_sputext.c?r1=1.36&r2=1.37&diff_format=u
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/libsputext/xine_decoder.c?r1=1.84&r2=1.85&diff_format=u
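Items 1 and 3 of XSA-2004-4 are the same defect pattern: attacker-controlled string data (the part of an MRL after "vcd:/", or a text subtitle line) copied into a fixed-size stack buffer without checking its length. The following is an added example, not code from xine-lib or the advisory, showing the bounded form of both copies. The buffer sizes, function names and the "@E1" track syntax in the sample MRL are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Buffer sizes are assumptions for this example, not xine-lib's constants. */
#define VCD_PATH_MAX 64
#define SUB_LINE_MAX 128

/* Copy what follows the "vcd:/" prefix of an MRL into a fixed-size buffer.
 * Returns 0 on success, -1 if mrl is not a VCD MRL, -2 if the remainder
 * (plus its terminator) does not fit. An unchecked strcpy() would instead
 * overrun the caller's buffer on that last kind of input. */
int vcd_mrl_extract(const char *mrl, char *out, size_t outsz)
{
    static const char prefix[] = "vcd:/";
    const size_t plen = sizeof prefix - 1;

    if (strncmp(mrl, prefix, plen) != 0)
        return -1;
    const char *rest = mrl + plen;
    size_t rlen = strlen(rest);
    if (rlen >= outsz)              /* leave room for the NUL */
        return -2;
    memcpy(out, rest, rlen + 1);    /* copies the NUL as well */
    return 0;
}

/* Caller with a stack buffer, the shape of code the advisory describes. */
int vcd_mrl_check(const char *mrl)
{
    char path[VCD_PATH_MAX];
    return vcd_mrl_extract(mrl, path, sizeof path);
}

/* Copy one subtitle line into a bounded buffer (outsz must be >= 1).
 * Overlong lines are cut at outsz-1 bytes and reported via *truncated
 * instead of overflowing. Returns the number of bytes stored. */
size_t sub_line_copy(const char *line, char *out, size_t outsz, int *truncated)
{
    size_t len = strlen(line);
    *truncated = len >= outsz;
    size_t n = *truncated ? outsz - 1 : len;
    memcpy(out, line, n);
    out[n] = '\0';
    return n;
}

/* Constructed input: a VCD MRL whose path part is 200 bytes long. */
int vcd_long_mrl_result(void)
{
    char mrl[208] = "vcd:/";
    memset(mrl + 5, 'A', 200);
    mrl[205] = '\0';
    return vcd_mrl_check(mrl);
}

/* Constructed input: a 300-byte subtitle line; returns 1 if it was cut
 * safely at SUB_LINE_MAX-1 bytes and NUL-terminated. */
int sub_long_line_truncated(void)
{
    char line[301], out[SUB_LINE_MAX];
    int truncated = 0;
    memset(line, 'x', 300);
    line[300] = '\0';
    size_t n = sub_line_copy(line, out, sizeof out, &truncated);
    return truncated && n == SUB_LINE_MAX - 1 && out[n] == '\0';
}

int main(void)
{
    printf("vcd:/dev/cdrom@E1 -> %d\n", vcd_mrl_check("vcd:/dev/cdrom@E1"));
    printf("200-byte VCD path -> %d\n", vcd_long_mrl_result());
    printf("300-byte subtitle line truncated safely -> %d\n", sub_long_line_truncated());
    return 0;
}
```

The point of the two helpers is that the length check happens before the copy and the result is reported to the caller, so an overlong MRL or subtitle line becomes a handled error rather than a write past the end of the stack frame.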
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

xine security announcement
==========================

Announcement-ID: XSA-2004-5

Summary:
A heap overflow has been found in the DVD subpicture decoder of xine-lib. This can be used for a remote heap overflow exploit, which can, on some systems, lead to or help in executing malicious code with the permissions of the user running a xine-lib based media application.

Description:
When a xine-lib based media application is playing content including DVD subpictures, the subtitle decoder converts the DVD subpictures, which are essentially run-length encoded bitmaps, into xine-lib's own internal subpicture format. The result of this conversion is written to a dynamically allocated memory block on the heap. This memory block can overrun with certain subpictures:
DVD subpictures are stored in two fields, the first containing the odd numbered lines, the second containing the even numbered lines. Offsets in the subpicture header indicate the beginning of each field in the RLE data. When these two fields are now stored in an overlapping manner, so that the beginning of the second field reuses RLE data from the end of the first, the resulting xine overlay will use up more space than previously allocated, because the allocation did not take this possibility into account.
Since DVD subpictures do not only occur on DVDs, but may also be used in standalone MPEG files, an attacker can craft a malicious MPEG file containing such a subpicture with overlapping fields. This can be used to overflow the heap buffer, which can, with certain implementations of heap management, lead to attacker chosen data written to the stack. By placing such an MPEG file on the internet and tricking users into viewing it using network streaming, this is remotely exploitable.

Severity:
This is very difficult to exploit, because multiple indirections are involved: Firstly, the DVD subpicture data is expanded to xine-lib's internal subpicture format before it is written to the heap. Secondly, the heap overflow needs to alter heap management information in a way so that a return address on the stack is modified. Thirdly, this address must lead to some malicious code to be executed, which needs to be injected somehow.
Although the involved xine plugin is part of the standard xine installation, we consider this problem to be only moderately severe, because of the difficulty in exploiting it.

Affected versions:
All 0.5 releases starting with and including 0.5.2.
All 0.9 releases.
All 1-alpha releases.
All 1-beta releases.
All 1-rc releases up to and including 1-rc5.

Unaffected versions:
All releases older than 0.5.2.
1-rc6 or newer.

Solution:
The enclosed patch which has been applied to xine-lib CVS fixes the problem but should only be used by distributors who do not want to upgrade. Otherwise, we strongly advise everyone to upgrade to the 1-rc6 release of xine-lib.
As a temporary workaround, you may delete the file "xineplug_decode_spu.so" from the xine-lib plugin directory, losing the ability to decode DVD subpictures with xine-lib.

Patch:
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/libspudec/spu.c?r1=1.77&r2=1.78&diff_format=u

For further information and in case of questions, please contact the xine team. Our website is http://xinehq.de/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFBPLy1jhx3hMVnyYsRAngbAJ0Vy0F9wde/qafkBiB58xI4hb+tfwCgi7Fn
5qKEG8iA7EG/f2Cm03YMtzU=
=wto9
-----END PGP SIGNATURE-----
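The XSA-2004-5 description boils down to an allocation sized from the RLE input once, while the decoder walks the input once per field; when the header points the second field back into the first, the same RLE bytes are expanded twice and the output exceeds the allocation. The following is an added example, not code from xine-lib or the advisory, using a constructed byte-pair RLE format (not the real DVD subpicture nibble encoding) to show the undercounting estimate beside a correct one, and a decoder that checks every write against its buffer capacity regardless of which estimate was used. All names and the sample stream are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy RLE stream: (run, colour) byte pairs; a run byte of 0 terminates a
 * field. Constructed for this example; it shares with the real format only
 * the property the advisory describes: two field offsets into one stream. */
typedef struct { uint8_t run, colour; } entry_t;
typedef struct { size_t field0_off, field1_off; } spu_hdr_t;

/* Undercounting estimate: one output entry per non-terminator pair in the
 * whole stream, i.e. it assumes each pair is consumed exactly once. */
size_t naive_entry_count(const uint8_t *rle, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        if (rle[i] != 0) n++;
    return n;
}

/* Entries one field emits, walking from its own offset to its terminator. */
size_t field_entry_count(const uint8_t *rle, size_t len, size_t off)
{
    size_t n = 0;
    for (size_t i = off; i + 1 < len && rle[i] != 0; i += 2)
        n++;
    return n;
}

/* Correct estimate: walk each field separately, so a region covered by both
 * fields is counted twice, because it will be decoded twice. */
size_t required_entry_count(const uint8_t *rle, size_t len, const spu_hdr_t *h)
{
    return field_entry_count(rle, len, h->field0_off)
         + field_entry_count(rle, len, h->field1_off);
}

/* Decoder that does not trust any estimate: every write is checked against
 * cap. Returns entries written, or -1 if a write would pass the buffer end. */
long decode_fields(const uint8_t *rle, size_t len, const spu_hdr_t *h,
                   entry_t *out, size_t cap)
{
    size_t offs[2] = { h->field0_off, h->field1_off };
    size_t n = 0;
    for (int f = 0; f < 2; f++) {
        for (size_t i = offs[f]; i + 1 < len && rle[i] != 0; i += 2) {
            if (n >= cap)
                return -1;
            out[n].run = rle[i];
            out[n].colour = rle[i + 1];
            n++;
        }
    }
    return (long)n;
}

/* Constructed sample: field 0 is the pairs at offsets 0..5 (terminator at 6),
 * field 1 is the pair at offset 8 (terminator at 10). The overlapping header
 * points field 1 at offset 2, inside field 0, so two pairs decode twice. */
static const uint8_t SAMPLE_RLE[] = { 3,1, 2,2, 1,3, 0,0, 4,5, 0,0 };
static const spu_hdr_t BENIGN_HDR  = { 0, 8 };
static const spu_hdr_t OVERLAP_HDR = { 0, 2 };

size_t overlap_naive_count(void)    { return naive_entry_count(SAMPLE_RLE, sizeof SAMPLE_RLE); }
size_t benign_required_count(void)  { return required_entry_count(SAMPLE_RLE, sizeof SAMPLE_RLE, &BENIGN_HDR); }
size_t overlap_required_count(void) { return required_entry_count(SAMPLE_RLE, sizeof SAMPLE_RLE, &OVERLAP_HDR); }

/* Decode the overlapping sample into a heap buffer of cap entries. */
long overlap_decode_with_cap(size_t cap)
{
    entry_t *buf = calloc(cap ? cap : 1, sizeof *buf);
    if (!buf) return -1;
    long r = decode_fields(SAMPLE_RLE, sizeof SAMPLE_RLE, &OVERLAP_HDR, buf, cap);
    free(buf);
    return r;
}

int main(void)
{
    printf("naive estimate: %zu, benign header needs %zu, overlapping header needs %zu\n",
           overlap_naive_count(), benign_required_count(), overlap_required_count());
    printf("decode with naive-sized buffer -> %ld\n", overlap_decode_with_cap(overlap_naive_count()));
    printf("decode with correctly sized buffer -> %ld\n", overlap_decode_with_cap(overlap_required_count()));
    return 0;
}
```

For the benign header both estimates agree (4 entries); for the overlapping header the naive estimate still says 4 while the decoder produces 5, which is exactly the "more space than previously allocated" situation. Sizing from a per-field walk fixes the allocation, and the capacity check in the decoder turns any remaining mismatch into a refused frame instead of a heap write past the end.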
Please update ebuild. Still nothing at http://xinehq.de/index.php/security though likely just a matter of time. ChrisWhite please check whether it is a new VCD MRL issue or just the one from GLSA 200408-18.
This is the VCD issue AND then some. I'll update the ebuild on Saturday (still very busy with school). Intended path of upgrade is to -r6 in order to fix all the bugs at once. I do think however that B2 would be more suitable as I don't think xine-lib is considered a "system package", though correct me if I'm wrong.
Ok, the ebuild has been committed. Stable markings should be:
xine-lib-1_rc5-r3.ebuild: KEYWORDS="x86 ppc sparc alpha hppa amd64 ~ia64 ~ppc64"
as this was the last security related xine-lib release, I strongly believe it has what should be stable marked fairly well listed. Version to mark is: xine-lib-1_rc6
Please feel free to let me know if there's anything that comes up.
Strange there is a release note on their main page but no mention of the security fixes and still nothing under XSAs. The original BugTraq postings can be found here: http://www.securityfocus.com/archive/1/375485/2004-09-02/2004-09-08/0 http://www.securityfocus.com/archive/1/375482/2004-09-02/2004-09-08/0
Thx ChrisWhite. Arches please test and mark xine-lib-1_rc6 stable.
Stable on alpha.
Stable on x86
stable on amd64
Tried to emerge for stable marking: get this error which is obvious as I don't have gcc 3.4.2.
grep: /usr/lib/gcc/powerpc-unknown-linux-gnu/3.4.2/libstdc++.la: No such file or directory
/bin/sed: can't read /usr/lib/gcc/powerpc-unknown-linux-gnu/3.4.2/libstdc++.la: No such file or directory
libtool-nofpic: link: `/usr/lib/gcc/powerpc-unknown-linux-gnu/3.4.2/libstdc++.la' is not a valid libtool archive
make[4]: *** [xineplug_vo_out_sdl.la] Error 1
greetings
fix_libtool_files.sh 3.4.2 should fix it
thanks luca, stable on ppc
Sparc stable. Sparc32 users please test, since I pushed a little change that disables VIS based on PROFILE_ARCH. Before this it enabled VIS on ARCH=sparc which is wrong IMHO. This may require an additional patch for binutils, YMMV.
hppa/ia64 stable
GLSA 200409-30
Thanks, stable on ppc64