SecurityTracker.com
Category:   Application (Multimedia)  >   xine
Vendors:   xinehq.de
xine-lib DVD Subpicture Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1011337
SecurityTracker URL:  http://securitytracker.com/id/1011337
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 17 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 0.5.2 - 0.5.x; 0.9.x; 1-alpha.x; 1-beta.x; 1-rc - 1-rc5
Description:   A vulnerability was reported in xine-lib in the processing of DVD subpictures. A remote user may be able to execute arbitrary code on the target user's system with the privileges of the target user.

The vendor reported that the DVD subpicture decoder contains a heap overflow. A remote user can create a specially crafted file that, when processed by xine-lib, will trigger the overflow and execute arbitrary code.

If the two DVD subpicture fields are stored in an overlapping manner, the conversion software may exceed the memory allocation when writing the fields.

MPEG files that contain subpictures can also be used to exploit the flaw.

The vendor indicates that the vulnerability is difficult to exploit.

Impact:   A remote user can cause arbitrary code to be executed on the target user's system with the privileges of the target user.
Solution:   A fixed version (1-rc6) is available at:

http://xinehq.de/index.php/releases

The following patch is also available:

http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/libspudec/spu.c?r1=1.77&r2=1.78&diff_format=u

Vendor URL:  xinehq.de/
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 23 2004 (Gentoo Issues Fix) xine-lib DVD Subpicture Buffer Overflow Lets Remote Users Execute Arbitrary Code   (Thierry Carrez <koon@gentoo.org>)
Gentoo has released a fix.
Oct 6 2004 (Mandrake Issues Fix) xine-lib DVD Subpicture Buffer Overflow Lets Remote Users Execute Arbitrary Code   (Mandrake Linux Security Team <security@linux-mandrake.com>)
Mandrake has released a fix.



 Source Message Contents

Date:  Mon, 6 Sep 2004 21:38:29 +0200
Subject:  XSA-2004-5: heap overflow in DVD subpicture decoder


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

xine security announcement
==========================

Announcement-ID: XSA-2004-5

Summary:
A heap overflow has been found in the DVD subpicture decoder of xine-lib. This 
can be used for a remote heap overflow exploit, which can, on some systems, 
lead to or help in executing malicious code with the permissions of the user 
running a xine-lib based media application.

Description:
When a xine-lib based media application is playing content including DVD 
subpictures, the subtitle decoder converts the DVD subpictures, which are 
essentially run-length encoded bitmaps, into xine-lib's own internal 
subpicture format. The result of this conversion is written to a dynamically 
allocated memory block on the heap. This memory block can overrun with 
certain subpictures:
DVD subpictures are stored in two fields. The first containing the odd 
numbered lines, the second containing the even numbered lines. Offsets in the 
subpicture header indicate the beginning of each field in the RLE data. When 
these two fields are now stored in an overlapping manner, so that the 
beginning of the second field reuses RLE data from the end of the first, the 
resulting xine overlay will use up more space than previously allocated, 
because the allocation did not take this possibility into account.
Since DVD subpictures do not only occur on DVDs, but may also be used in 
standalone MPEG files, an attacker can craft a malicious MPEG file containing 
such a subpicture with overlapping fields. This can be used to overflow the 
heap buffer, which can, with certain implementations of heap management, lead 
to attacker chosen data written to the stack. By placing such an MPEG file on 
the internet and tricking users to view it using network streaming, this is 
remotely exploitable.

Severity:
This is very difficult to exploit, because multiple indirections are involved: 
Firstly, the DVD subpicture data is expanded to xine-lib's internal 
subpicture format before it is written to the heap. Secondly, the heap 
overflow needs to alter heap management information in a way so that a return 
address on the stack is modified. Thirdly, this address must lead to some 
malicious code to be executed, which needs to be injected somehow.
Although the involved xine plugin is part of the standard xine installation,
we consider this problem to be only moderately severe, because of the 
difficulty in exploiting it.

Affected versions:
All 0.5 releases starting with and including 0.5.2.
All 0.9 releases.
All 1-alpha releases.
All 1-beta releases.
All 1-rc releases up to and including 1-rc5.

Unaffected versions:
All releases older than 0.5.2.
1-rc6 or newer.

Solution:
The enclosed patch which has been applied to xine-lib CVS fixes the problem
but should only be used by distributors who do not want to upgrade.
Otherwise, we strongly advise everyone to upgrade to the 1-rc6 release of
xine-lib.
As a temporary workaround, you may delete the file "xineplug_decode_spu.so" 
from the xine-lib plugin directory, losing the ability to decode DVD 
subpictures with xine-lib.

Patch:
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/libspudec/spu.c?r1=1.77&r2=1.78&diff_format=u

For further information and in case of questions, please contact the xine
team. Our website is http://xinehq.de/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFBPLy1jhx3hMVnyYsRAngbAJ0Vy0F9wde/qafkBiB58xI4hb+tfwCgi7Fn
5qKEG8iA7EG/f2Cm03YMtzU=
=wto9
-----END PGP SIGNATURE-----
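
The sizing error described in the announcement above, as an added example (not xine-lib code and not the CVS patch): when two fields share RLE data, the decoder emits more overlay elements than an estimate of one element per input pair allows. The byte-pair RLE format, the sample data and all function names are assumptions made for illustration; real DVD subpicture RLE is encoded differently.

```c
#include <stddef.h>
#include <stdint.h>

typedef struct { uint8_t len, color; } rle_elem;   /* toy overlay element */

/* Constructed samples (toy format): (run length, colour) byte pairs, 8-pixel fields. */
static const uint8_t SPU_OK[]      = {4,1, 4,2, 4,3, 4,4};  /* fields at 0 and 4 */
static const uint8_t SPU_OVERLAP[] = {4,1, 4,2, 4,3};       /* fields at 0 and 2 */

/* Walk one field from *off until `pixels` pixels are covered; *off ends just
 * past the field. With out == NULL it only counts elements into *n.
 * Returns 0, or -1 on truncated data, a zero-length run, or a full out[]. */
static int walk_field(const uint8_t *rle, size_t len, size_t *off, size_t pixels,
                      rle_elem *out, size_t cap, size_t *n)
{
    for (size_t done = 0; done < pixels; *off += 2) {
        if (len < 2 || *off > len - 2 || rle[*off] == 0) return -1;
        if (out) {
            if (*n >= cap) return -1;            /* never write past out[cap] */
            out[*n].len = rle[*off];
            out[*n].color = rle[*off + 1];
        }
        (*n)++;
        done += rle[*off];
    }
    return 0;
}

/* Elements both fields emit; exceeds len/2 when the fields share RLE data. */
long spu_elems_needed(const uint8_t *rle, size_t len, size_t off_odd,
                      size_t off_even, size_t pixels)
{
    size_t n = 0;
    if (walk_field(rle, len, &off_odd, pixels, NULL, 0, &n) ||
        walk_field(rle, len, &off_even, pixels, NULL, 0, &n)) return -1;
    return (long)n;
}

/* Bounded decode into out[cap] (out must not be NULL); rejects overlap. */
long spu_decode(const uint8_t *rle, size_t len, size_t off_odd, size_t off_even,
                size_t pixels, rle_elem *out, size_t cap)
{
    size_t n = 0, end_odd = off_odd, end_even = off_even;
    if (walk_field(rle, len, &end_odd, pixels, out, cap, &n) ||
        walk_field(rle, len, &end_even, pixels, out, cap, &n)) return -1;
    if (off_odd < end_even && off_even < end_odd) return -1;  /* shared data */
    return (long)n;
}
```

For SPU_OVERLAP the six input bytes suggest three elements, but walking both fields yields four; the per-write capacity check and the overlap test each stop the decode independently.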

 
 



Copyright 2013, SecurityGlobal.net LLC