<<< Date Index >>>     <<< Thread Index >>>

XSA-2004-4: multiple string overflows



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

xine security announcement
==========================

Announcement-ID: XSA-2004-4

Summary:
Several string overflows on the stack have been fixed in xine-lib, some of
them can be used for remote buffer overflow exploits leading to the execution
of arbitrary code with the permissions of the user running a xine-lib based
media application.

Description:
Stack-based string overflows have been found
1. in the code which handles VideoCD MRLs
2. in VideoCD code reading the disc label
3. in the code which parses text subtitles and prepares them for display
We will briefly address each item individually:
1. MRLs (media resource locator) are a subset of URIs used by the xine-lib
   library to describe the location of the content to play. A string overflow
   in the parsing code for the VideoCD-specific MRLs (those starting with
   "vcd:/") has been found and reported to the xine-lib developers by
   c0ntex[at]open-security.org. Since xine frontends might accept to recieve
   MRLs from a remote location, this overflow is remotely exploitable by
   crafting a malicious reference or playlist file and tricking the user to
   download it.
2. The ISO disk label of a VideoCD is copied into an unprotected stack buffer
   of fixed size. An attacker can craft a malicious VideoCD containing an
   unterminated disk label, which would overrun the buffer. Since VideoCDs
   are not accepted from remote locations, this is not directly remotely
   exploitable. This error is located in code we copied from the libcdio
   project. Since xine-lib can also use this library dynamically linked,
   the vulnerability can depend on the version of an external libcdio
   library installed on the user's system. See the affected versions below.
3. The parsing and display preparation of text subtitles can be overflown
   with overly long subtitle lines. Text subtitles mostly come as separate
   files to translate DivX movies, but they can also be embedded into OGG or
   Matroska media containers. By crafting a malicious file and tricking the
   user to view it via network streaming, this is remotely exploitable.

Severity:
Several of these stack overflows are remotely exploitable and proof-of-concept
exploit code from c0ntex[at]open-security.org is available for item 1.
Malicious exploits have not been seen in the wild yet, but this would not be
difficult to achieve. Since the involved xine plugins are part of the
standard xine installation, a large number of users is affected. Given the
wide range of possible harm, we consider this problem to be highly critical.

Affected versions:
1-rc releases starting with and including 1-rc2 up to and including 1-rc5.

Unaffected versions:
All 0.9 releases or older.
All 1-alpha releases.
All 1-beta releases.
1-rc0 and 1-rc1 releases.
1-rc6 or newer.
xine-lib installations dynamically linking against libcdio will not be 
vulnerable to item 2, if the libcdio version installed is 0.69 or newer.

Solution:
The enclosed patches which have been applied to xine-lib CVS fix the problem
but should only be used by distributors who do not want to upgrade.
Otherwise, we strongly advise everyone to upgrade to the 1-rc6 release of
xine-lib.
As a temporary workaround, you may delete the files "xineplug_inp_vcd.so",
"xineplug_dmx_sputext.so" and "xineplug_decode_sputext.so" from the xine-lib
plugin directory, losing the ability to play VideoCDs and to view text
subtitles with xine-lib.

Patches:
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/vcd/xineplug_inp_vcd.c?r1=1.18&r2=1.22&diff_format=u
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/vcd/libcdio/cd_types.c?r1=1.2&r2=1.3&diff_format=u
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/libsputext/demux_sputext.c?r1=1.36&r2=1.37&diff_format=u
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/libsputext/xine_decoder.c?r1=1.84&r2=1.85&diff_format=u

For further information and in case of questions, please contact the xine
team. Our website is http://xinehq.de/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFBPYUrjhx3hMVnyYsRAly7AJ0a8wbK7Xvu+ZujKv1P2SyrrcNOfACfcc5Y
4sC5Ynea8qIn+Os/OF54tBk=
=M97B
-----END PGP SIGNATURE-----