| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <200409062138.29633.mroi@users.sourceforge.net> Date: Mon, 6 Sep 2004 21:38:29 +0200 From: Michael Roitzsch <mroi@...rs.sourceforge.net> To: bugtraq@...urityfocus.com Subject: XSA-2004-5: heap overflow in DVD subpicture decoder -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 xine security announcement ========================== Announcement-ID: XSA-2004-5 Summary: A heap overflow has been found in the DVD subpicture decoder of xine-lib. This can be used for a remote heap overflow exploit, which can, on some systems, lead to or help in executing malicious code with the permissions of the user running a xine-lib based media application. Description: When a xine-lib based media application is playing content including DVD subpictures, the subtitle decoder converts the DVD subpictures, which are essentially run-length encoded bitmaps, into xine-lib's own internal subpicture format. The result of this conversion is written to a dynamically allocated memory block on the heap. This memory block can overrun with certain subpictures: DVD subpictures are stored in two fields. The first containing the odd numbered lines, the second containing the even numbered lines. Offsets in the subpicture header indicate the beginning of each field in the RLE data. When these two fields are now stored in an overlapping manor, so that the beginning of the second field reuses RLE data from the end of the first, the resulting xine overlay will use up more space than previously allocated, because the allocation did not take this possibility into account. Since DVD subpictures do not only occur on DVDs, but may also be used in standalone MPEG files, an attacker can craft a malicious MPEG file containing such a subpicture with overlapping fields. This can be used to overflow the heap buffer, which can, with certain implementations of heap management, lead to attacker chosen data written to the stack. By placing such a MPEG file on the internet and tricking users to view it using network streaming, this is remotely exploitable. Severity: This is very difficult to exploit, because multiple indirections are involved: Firstly, the DVD subpicture data is expanded to xine-lib's internal subpicture format before it is written to the heap. Secondly, the heap overlow needs to alter heap management information in a way so that a return adress on the stack is modified. Thirdly, this adress must lead to some malicious code to be executed, which needs to be injected somehow. Although the involved xine plugin is part of the standard xine installation, we consider this problem to be only moderately severe, because of the difficulty in exploiting it. Affected versions: All 0.5 releases starting with and including 0.5.2. All 0.9 releases. All 1-alpha releases. All 1-beta releases. All 1-rc releases up to and including 1-rc5. Unaffected versions: All releases older than 0.5.2. 1-rc6 or newer. Solution: The enclosed patch which has been applied to xine-lib CVS fixes the problem but should only be used by distributors who do not want to upgrade. Otherwise, we strongly advise everyone to upgrade to the 1-rc6 release of xine-lib. As a temporary workaround, you may delete the file "xineplug_decode_spu.so" from the xine-lib plugin directory, losing the ability to decode DVD subpictures with xine-lib. Patch: http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/libspudec/spu.c?r1=1.77&r2=1.78&diff_format=u For further information and in case of questions, please contact the xine team. Our website is http://xinehq.de/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQFBPLy1jhx3hMVnyYsRAngbAJ0Vy0F9wde/qafkBiB58xI4hb+tfwCgi7Fn 5qKEG8iA7EG/f2Cm03YMtzU= =wto9 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists