SecurityTracker.com
Category:   Application (Multimedia)  >   xine
Vendors:   xinehq.de
xine-lib VideoCD Buffer Overflows Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1011336
SecurityTracker URL:  http://securitytracker.com/id/1011336
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 17 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1-rc2 through 1-rc5
Description:   Some stack overflows were reported in xine-lib. A remote user may be able to execute arbitrary code on the target system with the privileges of the target user.

The vendor reported that there are stack overflows in the processing of VideoCD media resource locators (MRLs), the reading of VideoCD disc labels, and the parsing of text subtitles.

It is reported that a remote user can create a specially crafted 'vcd://' MRL that, when loaded by the target user, will cause arbitrary code to be executed. The vendor credits c0ntex[at]open-security.org with reporting this flaw.

It is also reported that a remote user can create a specially crafted VideoCD with an unterminated disk label that, when loaded, will trigger a buffer overflow. The affected code is located in the libcdio code.

It is also reported that a remote user can create a specially crafted subtitle line as part of media that, when viewed via network streaming, will trigger an overflow and execute arbitrary code.

The affected xine plugins are part of the default xine installation.

Impact:   A remote user can cause arbitrary code to be executed on the target user's system with the privileges of the target user.
Solution:   A fixed version (1-rc6) is available at:

http://xinehq.de/index.php/releases

The following patches are also available:

http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/vcd/xineplug_inp_vcd.c?r1=1.18&r2=1.22&diff_format=u
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/vcd/libcdio/cd_types.c?r1=1.2&r2=1.3&diff_format=u
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/libsputext/demux_sputext.c?r1=1.36&r2=1.37&diff_format=u
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/libsputext/xine_decoder.c?r1=1.84&r2=1.85&diff_format=u

Vendor URL:  xinehq.de/
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 23 2004 (Gentoo Issues Fix) xine-lib VideoCD Buffer Overflows Let Remote Users Execute Arbitrary Code   (Thierry Carrez <koon@gentoo.org>)
Gentoo has released a fix.
Oct 6 2004 (Mandrake Issues Fix) xine-lib VideoCD Buffer Overflows Let Remote Users Execute Arbitrary Code   (Mandrake Linux Security Team <security@linux-mandrake.com>)
Mandrake has released a fix.



 Source Message Contents

Date:  Tue, 7 Sep 2004 11:53:40 +0200
Subject:  XSA-2004-4: multiple string overflows


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

xine security announcement
==========================

Announcement-ID: XSA-2004-4

Summary:
Several string overflows on the stack have been fixed in xine-lib, some of
them can be used for remote buffer overflow exploits leading to the execution
of arbitrary code with the permissions of the user running a xine-lib based
media application.

Description:
Stack-based string overflows have been found
1. in the code which handles VideoCD MRLs
2. in VideoCD code reading the disc label
3. in the code which parses text subtitles and prepares them for display
We will briefly address each item individually:
1. MRLs (media resource locator) are a subset of URIs used by the xine-lib
   library to describe the location of the content to play. A string overflow
   in the parsing code for the VideoCD-specific MRLs (those starting with
   "vcd:/") has been found and reported to the xine-lib developers by
   c0ntex[at]open-security.org. Since xine frontends might accept to receive
   MRLs from a remote location, this overflow is remotely exploitable by
   crafting a malicious reference or playlist file and tricking the user to
   download it.
2. The ISO disk label of a VideoCD is copied into an unprotected stack buffer
   of fixed size. An attacker can craft a malicious VideoCD containing an
   unterminated disk label, which would overrun the buffer. Since VideoCDs
   are not accepted from remote locations, this is not directly remotely
   exploitable. This error is located in code we copied from the libcdio
   project. Since xine-lib can also use this library dynamically linked,
   the vulnerability can depend on the version of an external libcdio
   library installed on the user's system. See the affected versions below.
3. The parsing and display preparation of text subtitles can be overflown
   with overly long subtitle lines. Text subtitles mostly come as separate
   files to translate DivX movies, but they can also be embedded into OGG or
   Matroska media containers. By crafting a malicious file and tricking the
   user to view it via network streaming, this is remotely exploitable.

Severity:
Several of these stack overflows are remotely exploitable and proof-of-concept
exploit code from c0ntex[at]open-security.org is available for item 1.
Malicious exploits have not been seen in the wild yet, but this would not be
difficult to achieve. Since the involved xine plugins are part of the
standard xine installation, a large number of users is affected. Given the
wide range of possible harm, we consider this problem to be highly critical.

Affected versions:
1-rc releases starting with and including 1-rc2 up to and including 1-rc5.

Unaffected versions:
All 0.9 releases or older.
All 1-alpha releases.
All 1-beta releases.
1-rc0 and 1-rc1 releases.
1-rc6 or newer.
xine-lib installations dynamically linking against libcdio will not be 
vulnerable to item 2, if the libcdio version installed is 0.69 or newer.

Solution:
The enclosed patches which have been applied to xine-lib CVS fix the problem
but should only be used by distributors who do not want to upgrade.
Otherwise, we strongly advise everyone to upgrade to the 1-rc6 release of
xine-lib.
As a temporary workaround, you may delete the files "xineplug_inp_vcd.so",
"xineplug_dmx_sputext.so" and "xineplug_decode_sputext.so" from the xine-lib
plugin directory, losing the ability to play VideoCDs and to view text
subtitles with xine-lib.

Patches:
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/vcd/xineplug_inp_vcd.c?r1=1.18&r2=1.22&diff_format=u
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/vcd/libcdio/cd_types.c?r1=1.2&r2=1.3&diff_format=u
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/libsputext/demux_sputext.c?r1=1.36&r2=1.37&diff_format=u
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/libsputext/xine_decoder.c?r1=1.84&r2=1.85&diff_format=u

For further information and in case of questions, please contact the xine
team. Our website is http://xinehq.de/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFBPYUrjhx3hMVnyYsRAly7AJ0a8wbK7Xvu+ZujKv1P2SyrrcNOfACfcc5Y
4sC5Ynea8qIn+Os/OF54tBk=
=M97B
-----END PGP SIGNATURE-----
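
The defensive pattern behind item 2 of the announcement, as an added example that is not code from xine-lib or libcdio: a fixed-width, possibly unterminated disc label is copied with the scan bounded by the field width rather than by a terminator in the data. The function names are hypothetical; the 32-byte volume identifier at offset 40 follows the ISO 9660 primary volume descriptor layout, and the sample sector is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ISO 9660 primary volume descriptor: the volume identifier is a fixed-width
 * 32-byte field at offset 40, space-padded and not NUL-terminated. */
#define PVD_LABEL_OFF ((size_t)40)
#define PVD_LABEL_LEN ((size_t)32)

/* Hypothetical helper: copy the label into out[out_len], always terminating.
 * Returns the label length, or -1 if the descriptor is too short or the
 * destination cannot hold the whole field plus the terminator. */
int read_volume_label(const uint8_t *pvd, size_t pvd_len,
                      char *out, size_t out_len)
{
    if (pvd == NULL || out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';                      /* defined content on every path */
    if (pvd_len < PVD_LABEL_OFF + PVD_LABEL_LEN ||
        out_len < PVD_LABEL_LEN + 1)
        return -1;

    const uint8_t *field = pvd + PVD_LABEL_OFF;
    size_t n = 0;
    /* Bound the scan by the field width, never by a NUL in the media. */
    while (n < PVD_LABEL_LEN && field[n] != '\0')
        n++;
    /* Drop the trailing space padding. */
    while (n > 0 && field[n - 1] == ' ')
        n--;
    memcpy(out, field, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample: a 2048-byte sector with no NUL byte anywhere, so the
 * label field is unterminated and followed by more non-NUL data. */
int demo_unterminated_label(char *out, size_t out_len)
{
    uint8_t sector[2048];
    memset(sector, 'A', sizeof sector);
    return read_volume_label(sector, sizeof sector, out, out_len);
}
```

With an unterminated label the copy stops at the 32-byte field boundary, and a destination that is too small is rejected instead of being overrun.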

 
 



Copyright 2013, SecurityGlobal.net LLC