Gentoo Logo

xine-lib: User-assisted execution of arbitrary code

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200801-12 / xine-lib
Release Date January 27, 2008
Latest Revision January 27, 2008: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
media-libs/xine-lib < 1.1.9.1 >= 1.1.9.1 All supported architectures

Related bugreports: #205197

Synopsis

xine-lib is vulnerable to multiple heap-based buffer overflows when processing RTSP streams.

2.  Impact Information

Background

xine-lib is the core library package for the xine media player.

Description

Luigi Auriemma reported that xine-lib does not properly check boundaries when processing SDP attributes of RTSP streams, leading to heap-based buffer overflows.

Impact

An attacker could entice a user to play specially crafted RTSP video streams with a player using xine-lib, potentially resulting in the execution of arbitrary code with the privileges of the user running the player.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All xine-lib users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.9.1"

4.  References

Print

Page updated January 27, 2008

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.