[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200409071153.47512.mroi@users.sourceforge.net>
Date: Tue, 7 Sep 2004 11:53:40 +0200
From: Michael Roitzsch <mroi@...rs.sourceforge.net>
To: bugtraq@...urityfocus.com
Subject: XSA-2004-4: multiple string overflows
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
xine security announcement
==========================
Announcement-ID: XSA-2004-4
Summary:
Several string overflows on the stack have been fixed in xine-lib, some of
them can be used for remote buffer overflow exploits leading to the execution
of arbitrary code with the permissions of the user running a xine-lib based
media application.
Description:
Stack-based string overflows have been found
1. in the code which handles VideoCD MRLs
2. in VideoCD code reading the disc label
3. in the code which parses text subtitles and prepares them for display
We will briefly address each item individually:
1. MRLs (media resource locator) are a subset of URIs used by the xine-lib
library to describe the location of the content to play. A string overflow
in the parsing code for the VideoCD-specific MRLs (those starting with
"vcd:/") has been found and reported to the xine-lib developers by
c0ntex[at]open-security.org. Since xine frontends might accept to recieve
MRLs from a remote location, this overflow is remotely exploitable by
crafting a malicious reference or playlist file and tricking the user to
download it.
2. The ISO disk label of a VideoCD is copied into an unprotected stack buffer
of fixed size. An attacker can craft a malicious VideoCD containing an
unterminated disk label, which would overrun the buffer. Since VideoCDs
are not accepted from remote locations, this is not directly remotely
exploitable. This error is located in code we copied from the libcdio
project. Since xine-lib can also use this library dynamically linked,
the vulnerability can depend on the version of an external libcdio
library installed on the user's system. See the affected versions below.
3. The parsing and display preparation of text subtitles can be overflown
with overly long subtitle lines. Text subtitles mostly come as separate
files to translate DivX movies, but they can also be embedded into OGG or
Matroska media containers. By crafting a malicious file and tricking the
user to view it via network streaming, this is remotely exploitable.
Severity:
Several of these stack overflows are remotely exploitable and proof-of-concept
exploit code from c0ntex[at]open-security.org is available for item 1.
Malicious exploits have not been seen in the wild yet, but this would not be
difficult to achieve. Since the involved xine plugins are part of the
standard xine installation, a large number of users is affected. Given the
wide range of possible harm, we consider this problem to be highly critical.
Affected versions:
1-rc releases starting with and including 1-rc2 up to and including 1-rc5.
Unaffected versions:
All 0.9 releases or older.
All 1-alpha releases.
All 1-beta releases.
1-rc0 and 1-rc1 releases.
1-rc6 or newer.
xine-lib installations dynamically linking against libcdio will not be
vulnerable to item 2, if the libcdio version installed is 0.69 or newer.
Solution:
The enclosed patches which have been applied to xine-lib CVS fix the problem
but should only be used by distributors who do not want to upgrade.
Otherwise, we strongly advise everyone to upgrade to the 1-rc6 release of
xine-lib.
As a temporary workaround, you may delete the files "xineplug_inp_vcd.so",
"xineplug_dmx_sputext.so" and "xineplug_decode_sputext.so" from the xine-lib
plugin directory, losing the ability to play VideoCDs and to view text
subtitles with xine-lib.
Patches:
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/vcd/xineplug_inp_vcd.c?r1=1.18&r2=1.22&diff_format=u
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/vcd/libcdio/cd_types.c?r1=1.2&r2=1.3&diff_format=u
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/libsputext/demux_sputext.c?r1=1.36&r2=1.37&diff_format=u
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/libsputext/xine_decoder.c?r1=1.84&r2=1.85&diff_format=u
For further information and in case of questions, please contact the xine
team. Our website is http://xinehq.de/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQFBPYUrjhx3hMVnyYsRAly7AJ0a8wbK7Xvu+ZujKv1P2SyrrcNOfACfcc5Y
4sC5Ynea8qIn+Os/OF54tBk=
=M97B
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists