| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 26 Dec 2004 16:56:07 +0100 From: Michael Roitzsch <mroi@...rs.sourceforge.net> To: bugtraq@...urityfocus.com Subject: XSA-2004-7: stack overflow in AIFF demultiplexer -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 xine security announcement ========================== Announcement-ID: XSA-2004-7 Summary: A stack buffer overflow vulnerability in the AIFF demultiplexer has been found by Ariel Berkman and was reported to the xine team by D. J. Bernstein. This can be used for an exploit, leading to attacker-chosen code being executed with the permissions of the user running a xine-lib based media application. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-1300 to this issue. Description: AIFF is a file format supported by the xine-lib media library. During opening and header parsing of an AIFF file, data of arbitrary length is read into an unprotected stack buffer. This can lead to a stack overflow, which can be used to the execution of attacker-chosen code. An attacker can craft a malicious AIFF file and trick the user into playing it. Since AIFF files can also be provided through network streaming, this can be as easy as publishing a link on a website. It should also be noted that due to xine-lib's way of detecting file formats by querying each available demultiplexer in turn, this problem is not limited to AIFF files. The vulnerable code in the AIFF demultiplexer will also be executed on non-AIFF files. Severity: Since the involved xine plugin is part of the standard xine installation and the vulnerability can be used directly to write attacker-chosen code on the stack, we consider this problem to be critical. Affected versions: All 1-alpha releases. All 1-beta releases. All 1-rc releases. Unaffected versions: All releases older than 1-alpha0. 1.0 or newer. Solution: The enclosed patch which has been applied to xine-lib CVS fixes the problem but should only be used by distributors who do not want to upgrade. Otherwise, we strongly advise everyone to upgrade to the 1.0 release of xine-lib. As a temporary workaround, you may delete the file "xineplug_dmx_audio.so" for xine-lib versions starting with and including 1-beta3 or "xineplug_dmx_aiff.so" for xine-lib versions older than 1-beta3 from the xine-lib plugin directory, losing the ability to play AIFF files. Patch: http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/demuxers/demux_aiff.c?r1=1.39&r2=1.40&diff_format=u For further information and in case of questions, please contact the xine team. Our website is http://xinehq.de/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQFBzt8djhx3hMVnyYsRAobrAKCsmcS1aTwsKvMurvhdsZ5lYGRNEwCff/OK 5LGNn5euSeQrIUiXA0PmWJo= =RGD/ -----END PGP SIGNATURE-----
Powered by blists - more mailing lists