Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 74475 - media-libs/xine-lib: open_aiff_file overflows buffer
Summary: media-libs/xine-lib: open_aiff_file overflows buffer
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa] koon
Keywords:
: 74962 (view as bug list)
Depends on:
Blocks:
 
Reported: 2004-12-15 05:13 UTC by Sascha Silbe
Modified: 2005-01-06 04:44 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
20.avi from the advisory (bug74475-20.avi,1.02 KB, video/x-msvideo)
2004-12-15 05:13 UTC, Sascha Silbe
no flags Details
CAN-2004-1300.patch (djb_demux_aiff.patch,991 bytes, patch)
2004-12-22 07:45 UTC, Thierry Carrez (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sascha Silbe 2004-12-15 05:13:19 UTC
Advisory from securesoftware@list.cr.yp.to:

Date: 15 Dec 2004 08:19:21 -0000
From: "D. J. Bernstein" <djb@cr.yp.to>
Subject: [remote] [control] xine-lib open_aiff_file overflows buffer
To: securesoftware@list.cr.yp.to, xine-user@lists.sourceforge.net
X-HELOcheck: OK: FQDN
Mailing-List: contact securesoftware-help@list.cr.yp.to; run by ezmlm
Mail-Followup-To: securesoftware@list.cr.yp.to,
        xine-user@lists.sourceforge.net
Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html.

[-- Attachment #1 [details] --]
[-- Type: text/plain, Encoding: 7bit, Size: 1.4K --]

Ariel Berkman, a student in my Fall 2004 UNIX Security Holes course, has
discovered a remotely exploitable security hole in xine-lib. I'm
publishing this notice, but all the discovery credits should be assigned
to Berkman.

You are at risk if you take a file from the web (or email or any other
source that could be controlled by an attacker) and feed that file
through xine or any other xine-lib frontend. Whoever provides that file
then has complete control over your account: he can read and modify your
files, watch the programs you're running, etc.

Proof of concept: On an x86 computer running FreeBSD 4.10, as root, type

   cd /usr/ports/multimedia/xine
   make install

to download and compile the xine-lib library, version 1-rc5, and the
xine program. (Version 1-rc5 has other problems but is the latest ports
version. Version 1-rc7 fixes several bugs but does not fix the bug used
here.) Then save the file 20.avi attached to this message, and type

   xine 20.avi

with the unauthorized result that a file named EXPLOITED is created in
the current directory. (I tested this with a 577-byte environment, as
reported by printenv | wc -c; beware that 20.avi is sensitive to the
environment size.)

Here's the bug: In demux_aiff.c, open_aiff_file() reads an
input-specified amount of data into a 100-byte buffer[] array.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago
Comment 1 Sascha Silbe 2004-12-15 05:13:55 UTC
Created attachment 46028 [details]
20.avi from the advisory
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-12-16 03:29:45 UTC
xine-lib-1_rc8 is out :
https://sourceforge.net/project/shownotes.php?group_id=9655&release_id=290099

media-video: please bump.
Comment 3 Chris White (RETIRED) gentoo-dev 2004-12-20 12:07:40 UTC
I'll just copy marking from the last ebuild :P:

alpha amd64 arm hppa ia64 ~mips ppc ppc64 sparc x86

are the intended keywords (I'm cc-ing mips because they marked _rc6 but not anything else above it, so mark it ~mips for your benifit).

x86 is already done.  Ensured compilation under ~x86 and hardened gcc as well (so I know that the hardened patches would work).  That's all for today :P.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-12-20 12:20:18 UTC
*** Bug 74962 has been marked as a duplicate of this bug. ***
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2004-12-20 13:02:29 UTC
stable on ppc64
Comment 6 Jason Wever (RETIRED) gentoo-dev 2004-12-21 06:07:24 UTC
This appears to be having libtool issues similar to earlier versions of xine-lib on SPARC where the .so in libxine.so.1 gets dropped (so the filename is resulting in libxine.1).  I'll look into it more tonight after work unless someone beats me to it.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-12-21 07:04:34 UTC
======================================================
Candidate: CAN-2004-1300
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1300
Reference: MISC:http://tigger.uic.edu/~jlongs2/holes/xine-lib.txt

Buffer overflow in the open_aiff_file function in demux_aiff.c for
xine-lib (libxine) 1-rc7 allows remote attackers to execute arbitrary
code via a crafted AIFF file.
======================================================
Comment 8 Bryan Østergaard (RETIRED) gentoo-dev 2004-12-21 07:27:17 UTC
Stable on alpha.
Comment 9 Jason Wever (RETIRED) gentoo-dev 2004-12-21 21:40:26 UTC
Did manage to get xine-lib-1_rc8 to build correctly for sparc, but xine-ui always generates bus errors on startup.  strace reveals nothing of use and gdb cores when trying to debug it.

How hard would this fix be to backport to 1_rc7?
Comment 10 Simon Stelling (RETIRED) gentoo-dev 2004-12-22 04:26:10 UTC
a user has got a problem with -fPIC on amd64 (bug #75247), but i can't reproduce it. perhaps anybody else?
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-12-22 07:42:42 UTC
Hmmm in fact xine-lib 1_rc8 fixes :

CAN-2004-1187
Multiple Vendor Xine 0.99.2 PNM Handler PNA_TAG Heap Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=176&type=vulnerabilities

CAN-2004-1188
Multiple Vendor Xine 0.99.2 PNM Handler Negative Read Length Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=177&type=vulnerabilities

But it doesn't fix the DJB one. For that you need the following patch :
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/demuxers/demux_aiff.c?r1=1.39&r2=1.40

media-video team, please bump ebuild with patch. Maybe also see if a backport of all those patches for 1_rc7 looks possible and/or see with sparc what can be done about xine-ui.

Removing arches for now. Sorry for the interference.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-12-22 07:45:11 UTC
Created attachment 46631 [details, diff]
CAN-2004-1300.patch

Patch taken from xine CVS
Comment 13 Chris White (RETIRED) gentoo-dev 2004-12-22 20:45:39 UTC
patch applied and ebuild bumped to -r1

intended KEYWORDS are:

alpha amd64 arm hppa ia64 ~mips ppc ppc64 sparc x86

x86 is done.
Comment 14 Chris White (RETIRED) gentoo-dev 2004-12-22 22:05:43 UTC
*pause*

somehow something weird happened with cvs and the djb patch, so pardon while I fix all that.  I'm also fixing an apparent error that some other people are having with the latest xorg-x11 and x86/amd64.  I'll update this in a bit.
Comment 15 Chris White (RETIRED) gentoo-dev 2004-12-22 22:34:25 UTC
*unpause* fixed stuff.
Comment 16 Markus Rothe (RETIRED) gentoo-dev 2004-12-22 23:33:34 UTC
stable on ppc64
Comment 17 Jochen Maes (RETIRED) gentoo-dev 2004-12-23 11:51:20 UTC
stable on ppc
Comment 18 Bryan Østergaard (RETIRED) gentoo-dev 2004-12-23 13:17:46 UTC
Stable on alpha.
Comment 19 Simon Stelling (RETIRED) gentoo-dev 2004-12-23 13:20:54 UTC
amd64 stable
Comment 20 Chris White (RETIRED) gentoo-dev 2004-12-27 06:16:44 UTC
Weeve is working on some issues arrising in xine-lib, so that's what's taking time.
Comment 21 Jason Wever (RETIRED) gentoo-dev 2004-12-27 12:01:50 UTC
Sorry for the delay here.  Still looking into these issues.  Unstable sparc is running into problems with libtool mismatches between what is installed on the system and what xine-lib is trying to use from its own source.  This will need to be corrected as well.  My preference would be to have the package maintainer fix this issue as it keeps the version with the fix from being built and happens on more than just SPARC.

I will still keep working on trying to diagnose the issues with xine-lib at runtime.
Comment 22 Jeremy Huddleston (RETIRED) gentoo-dev 2004-12-27 19:37:26 UTC
weeve: cvs update for the libtool stuff

I'm having trouble with xine-lib rc8-r1 on sparc being unresponsive (xine-ui hangs on startup).  I'll try 1.0 with the new xine-ui as well...
Comment 23 SpanKY gentoo-dev 2005-01-02 02:40:58 UTC
arm/hppa/ia64 stable
Comment 24 Thierry Carrez (RETIRED) gentoo-dev 2005-01-03 02:55:18 UTC
What's the status on sparc ? Does xine-lib still fail with eradicator's cvs update  ? Does 1.0 solve those issues ?
Comment 25 Hardave Riar (RETIRED) gentoo-dev 2005-01-04 02:45:12 UTC
Stable on mips.
Comment 26 Jeremy Huddleston (RETIRED) gentoo-dev 2005-01-04 04:51:45 UTC
koon: sparc is still unable to mark rc8 or greater stable.  Chriswhite, can you backport the security fix to rc6?
Comment 27 Jeremy Huddleston (RETIRED) gentoo-dev 2005-01-05 03:35:32 UTC
weeve: I bumped to xine-lib-1_rc6-r1.ebuild with the attached patch.  My sparc is a bit occupied at the moment, can you test it out when you get the chance... otherwise I'll test it in the morning... worked on my amd64, and since rc6 worked for sparc before, I'm fairly confident it'll work...
Comment 28 Gustavo Zacarias (RETIRED) gentoo-dev 2005-01-05 12:22:38 UTC
Weeve is away until jan 7.
I gave rc6-r1 a spin here and it seems to work with mpeg, but not avi (tried the infamous dancemonkeyboy.avi) with one of those horrible bus errors.
1.0 final doesn't work with anything.
Comment 29 Thierry Carrez (RETIRED) gentoo-dev 2005-01-05 13:47:29 UTC
Gustavo: please confirm that it's a regression (i.e. that dancemonkeyboy.avi worked with the previous stable). If it's not (=known bug) then mark stable anyway.
Comment 30 Jeremy Huddleston (RETIRED) gentoo-dev 2005-01-05 16:52:00 UTC
it's not a regression (not here atleast).  marked stable on sparc.  It looks like a problem with ffmpeg, not xine-lib...
Comment 31 Thierry Carrez (RETIRED) gentoo-dev 2005-01-06 01:13:20 UTC
Could you please remove affected versions from portage (at least the "rc7" and "rc8") ?
Comment 32 Thierry Carrez (RETIRED) gentoo-dev 2005-01-06 04:44:20 UTC
GLSA 200501-07