Gentoo Logo

xine-lib: User-assisted execution of arbitrary code

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200808-01 / xine-lib
Release Date August 06, 2008
Latest Revision August 06, 2008: 01
Impact normal
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
media-libs/xine-lib < 1.1.13 >= 1.1.13 All supported architectures

Related bugreports: #213039, #214270, #218059

Synopsis

xine-lib is vulnerable to multiple buffer overflows when processing media streams.

2.  Impact Information

Background

xine-lib is the core library package for the xine media player, and other players such as Amarok, Codeine/Dragon Player and Kaffeine.

Description

Multiple vulnerabilities have been discovered in xine-lib:

  • Alin Rad Pop of Secunia reported an array indexing vulnerability in the sdpplin_parse() function in the file input/libreal/sdpplin.c when processing streams from RTSP servers that contain a large "streamid" SDP parameter (CVE-2008-0073).
  • Luigi Auriemma reported multiple integer overflows that result in heap-based buffer overflows when processing ".FLV", ".MOV" ".RM", ".MVE", ".MKV", and ".CAK" files (CVE-2008-1482).
  • Guido Landi reported a stack-based buffer overflow in the demux_nsf_send_chunk() function when handling titles within NES Music (.NSF) files (CVE-2008-1878).

Impact

A remote attacker could entice a user to play a specially crafted video file or stream with a player using xine-lib, potentially resulting in the execution of arbitrary code with the privileges of the user running the player.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All xine-lib users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.13"

4.  References



Print

Page updated August 06, 2008

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.