Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[ GLSA 200808-01 ] xine-lib: User-assisted execution of arbitrary code
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Veteran
Veteran


Joined: 12 May 2004
Posts: 1471

PostPosted: Wed Aug 06, 2008 1:26 am    Post subject: [ GLSA 200808-01 ] xine-lib: User-assisted execution of arbi Reply with quote

Gentoo Linux Security Advisory

Title: xine-lib: User-assisted execution of arbitrary code (GLSA 200808-01)
Severity: normal
Exploitable: remote
Date: August 06, 2008
Bug(s): #213039, #214270, #218059
ID: 200808-01

Synopsis

xine-lib is vulnerable to multiple buffer overflows when processing media streams.

Background

xine-lib is the core library package for the xine media player, and other players such as Amarok, Codeine/Dragon Player and Kaffeine.

Affected Packages

Package: media-libs/xine-lib
Vulnerable: < 1.1.13
Unaffected: >= 1.1.13
Architectures: All supported architectures


Description

Multiple vulnerabilities have been discovered in xine-lib:
  • Alin Rad Pop of Secunia reported an array indexing vulnerability in the sdpplin_parse() function in the file input/libreal/sdpplin.c when processing streams from RTSP servers that contain a large "streamid" SDP parameter (CVE-2008-0073).
  • Luigi Auriemma reported multiple integer overflows that result in heap-based buffer overflows when processing ".FLV", ".MOV" ".RM", ".MVE", ".MKV", and ".CAK" files (CVE-2008-1482).
  • Guido Landi reported a stack-based buffer overflow in the demux_nsf_send_chunk() function when handling titles within NES Music (.NSF) files (CVE-2008-1878).


Impact

A remote attacker could entice a user to play a specially crafted video file or stream with a player using xine-lib, potentially resulting in the execution of arbitrary code with the privileges of the user running the player.

Workaround

There is no known workaround at this time.

Resolution

All xine-lib users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.13"


References

CVE-2008-0073
CVE-2008-1482
CVE-2008-1878


Last edited by GLSA on Mon Feb 09, 2009 4:19 am; edited 2 times in total
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum