Summary: CAN-2004-0372,1379: multiple xine vulns
Product: [Retired] Fedora Legacy
Component: xine
Status: CLOSED ERRATA
Reporter: David Lawrence <dkl>
Assignee: Fedora Legacy Bugs <bugs>
Doc Type: Bug Fix
Last Closed: 2006-04-05 00:25:21 UTC
Description David Lawrence 2005-03-30 23:30:32 UTC
Shaun Colley's xine-check/xine-bugreport symlink vulnerability (CAN-2004-0372) from http://www.securityfocus.com/archive/1/358199

===
Due to the ongoing, and sometimes experimental addition of features added to xine, a script (*there are two copies of the script: /usr/bin/xine-bugreport and /usr/bin/xine-check - they are *exactly* the same*) is included in xine distributions to allow a user to possibly remedy a problem, or report a bug if their problem could not be solved. However, in the bug-reporting code, the bug report email is dumped to a file in the /tmp directory for a user to use later or send manually - this file is written in an insecure manner, presenting a symlink vulnerability.
===

Ariel Berkman's xine-lib open_aiff_file buffer overflows (no CVE CAN, yet) from http://tigger.uic.edu/~jlongs2/holes/xine-lib.txt

===
Ariel Berkman, a student in my Fall 2004 UNIX Security Holes course, has discovered a remotely exploitable security hole in xine-lib. I'm publishing this notice, but all the discovery credits should be assigned to Berkman.

You are at risk if you take a file from the web (or email or any other source that could be controlled by an attacker) and feed that file through xine or any other xine-lib frontend. Whoever provides that file then has complete control over your account: he can read and modify your files, watch the programs you're running, etc.

...

Here's the bug: In demux_aiff.c, open_aiff_file() reads an input-specified amount of data into a 100-byte buffer array.
===

------- Additional Comments From firstname.lastname@example.org 2004-12-19 23:46:51 ----

Only RHL73 ships with xine. RHL73 has 0.9.8, which is very old. The first problem can be straightforwardly fixed. The latter problem does not appear to exist in releases this old, but it is difficult to say. I suggest we wait for a couple of weeks to see which course Debian stable (for example) takes for problem #2.

------- Additional Comments From email@example.com 2004-12-21 23:33:37 ----

Two more problems reported by iDefense:
http://www.idefense.com/application/poi/display?id=177&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=176&type=vulnerabilities
CAN-2004-1187, CAN-2004-1188

------- Additional Comments From firstname.lastname@example.org 2004-12-28 12:26:28 ----

berkman's bug has been assigned CVE id CAN-2004-1300

------- Additional Comments From email@example.com 2004-12-28 12:44:18 ----

according to http://xinehq.de/index.php/security/XSA-2004-7 , xine 0.9.8 which shipped with rh73 shouldn't be vulnerable to CAN-2004-1300:
== Unaffected versions: All releases older than 1-alpha0. ==

http://xinehq.de/index.php/security/XSA-2004-5 describes a difficult to exploit vuln that should be fixed. patch at http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/libspudec/spu.c?r1=1.77&r2=1.78&diff_format=u

according to http://xinehq.de/index.php/security/XSA-2004-6 , rh73's version also shouldn't be vulnerable to CAN-2004-1187 and CAN-2004-1188:
== Unaffected versions: All releases older than 1-alpha2. ==

------- Additional Comments From firstname.lastname@example.org 2005-01-11 20:57:03 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

RHL73 xine update:
- fixes CAN-2004-0372, adopted from Debian: http://www.debian.org/security/2004/dsa-477
- fixes XSA-2004-5 (testing this wouldn't hurt) as noted in #4

This version is unaffected by CAN-2004-1187, CAN-2004-1188, CAN-2004-1300. (Is there a CAN for XSA-2004-5?)

http://www.netcore.fi/pekkas/linux/xine-0.9.8-4.1.legacy.i386.rpm
http://www.netcore.fi/pekkas/linux/xine-0.9.8-4.1.legacy.src.rpm
http://www.netcore.fi/pekkas/linux/xine-devel-0.9.8-4.1.legacy.i386.rpm

a3d9c789313ccb761256accddf89ae9fa6746663  xine-0.9.8-4.1.legacy.i386.rpm
87dfc7b246b52abbfdc91d712e8389309cfe09f9  xine-0.9.8-4.1.legacy.src.rpm
e24eeb025b30d4154835f8229220f399fc762ab2  xine-devel-0.9.8-4.1.legacy.i386.rpm

* Wed Jan 12 2005 Pekka Savola <email@example.com> 1:0.9.8-4.1.legacy
- - fix CAN-2004-0372 and XSA-2004-5 (#2348)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFB5MnrGHbTkzxSL7QRAv1AAJ4nvz7JjXYnHoHU/er01rDOlOdCewCghA5t
8wI7dW/8zi5JGz4420zMQvA=
=Ixvw
-----END PGP SIGNATURE-----

------- Additional Comments From firstname.lastname@example.org 2005-01-31 11:28:04 ----

CVE entry for XSA-2004-5 is CAN-2004-1379

------- Bug moved to this database by email@example.com 2005-03-30 18:30 -------

This bug previously known as bug 2348 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2348
Originally filed under the Fedora Legacy product and Package request component.
Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown operating system Windows XP. Setting to default OS "Linux".
The original reporter of this bug does not have an account here. Reassigning to the person who moved it here, firstname.lastname@example.org. Previous reporter was email@example.com.
Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.
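The xine-check/xine-bugreport issue quoted in the description (CAN-2004-0372) is a shell script dumping its report to a predictable path under /tmp, which any local user can pre-populate with a symlink. The program below is an added example written for this page; it is not xine code and not the Debian DSA-477 patch. It stages the scenario in a throwaway directory (attacker plants `<dir>/xine-bugreport -> <dir>/victim` before the report is written), writes the report once with `fopen(path, "w")` and once with `open(O_CREAT|O_EXCL|O_NOFOLLOW)`, and reports whether the victim's file was clobbered. The directory, file names and contents are constructed for the demo; the real fix for a script is the same property obtained from mktemp(1), which creates a fresh unpredictable name instead of reusing a fixed one.

```c
/* Added example (not xine or Debian code): the /tmp symlink-following bug
 * class behind CAN-2004-0372, staged in a scratch directory so it runs
 * unprivileged. Paths, file names and contents below are constructed. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* VULNERABLE: the C equivalent of `echo "$report" > /tmp/xine-bugreport`.
 * fopen(..., "w") follows whatever already sits at that path and truncates
 * the target, so a planted symlink redirects the write to the victim's file. */
static int write_report_unsafe(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

/* HARDENED: create the file atomically and refuse to continue if anything,
 * symlink or regular file, is already there (EEXIST/ELOOP). */
static int write_report_safe(const char *path, const char *text) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    size_t len = strlen(text);
    ssize_t n = write(fd, text, len);
    if (close(fd) != 0 || n < 0 || (size_t)n != len) return -1;
    return 0;
}

/* Stage the race: the attacker has already planted
 *   <dir>/xine-bugreport -> <dir>/victim
 * before the report is written. Returns 1 if the victim file was
 * overwritten, 0 if it kept its contents, -1 if scratch setup failed. */
static int run_scenario(int (*writer)(const char *, const char *)) {
    char dir[] = "/tmp/xinecheck-demo-XXXXXX";
    if (!mkdtemp(dir)) {                      /* fall back to the cwd */
        strcpy(dir, "./xinecheck-demo-XXXXXX");
        if (!mkdtemp(dir)) return -1;
    }
    char victim[128], report[128];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(report, sizeof report, "%s/xine-bugreport", dir);

    FILE *v = fopen(victim, "w");             /* the victim's own file */
    if (!v) { rmdir(dir); return -1; }
    fputs("keep me\n", v);
    fclose(v);
    if (symlink(victim, report) != 0) {       /* the attacker's move */
        unlink(victim); rmdir(dir); return -1;
    }

    writer(report, "bug report body\n");      /* return value deliberately
                                                 ignored: the victim file is
                                                 what we inspect */
    char buf[64] = {0};
    int clobbered = -1;
    v = fopen(victim, "r");
    if (v) {
        size_t n = fread(buf, 1, sizeof buf - 1, v);
        buf[n] = '\0';
        fclose(v);
        clobbered = strcmp(buf, "keep me\n") != 0;
    }
    unlink(report); unlink(victim); rmdir(dir);
    return clobbered;
}

int demo_unsafe(void) { return run_scenario(write_report_unsafe); }
int demo_safe(void)   { return run_scenario(write_report_safe); }

int main(void) {
    printf("fopen(\"w\") on planted symlink, victim clobbered: %d\n", demo_unsafe());
    printf("O_EXCL|O_NOFOLLOW on planted symlink, victim clobbered: %d\n", demo_safe());
    return 0;
}
```

The scratch directory is mode 0700 and not sticky, so the kernel's protected_symlinks mitigation does not apply and the unsafe writer really does follow the link; on a shared /tmp the same write would hit whatever file the attacker chose, with the victim's privileges.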
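Berkman's demux_aiff.c finding is described only as "an input-specified amount of data" copied into a 100-byte buffer. The program below is an added example, not xine's demux_aiff.c: it shows that unchecked pattern beside a bounds-checked chunk walker for the IFF/AIFF container (`FORM <be32 size> AIFF`, then chunks of `<4-byte id> <be32 size> <data>` padded to even length). Which chunk xine 0.9.x read is not stated in the report, so COMM is used here only as a stand-in, and the sample files are constructed by `build_aiff()`.

```c
/* Added example (not xine's demux_aiff.c): a file-supplied chunk size used
 * as a memcpy length into a fixed 100-byte buffer, next to a version that
 * checks every length against the buffer and against the bytes actually
 * present. Sample files are constructed below. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_BUF 100                 /* the fixed buffer size in the report */

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static void put_be32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* VULNERABLE pattern: the size comes straight from the file and becomes the
 * memcpy length into a 100-byte buffer. Any size over 100 writes past the
 * end of out. Shown for contrast; never called by the self-checks. */
void copy_chunk_unchecked(const unsigned char *chunk, char out[CHUNK_BUF]) {
    uint32_t size = be32(chunk + 4);
    memcpy(out, chunk + 8, size);
}

/* HARDENED: walk the chunk list and copy the first chunk with the given id
 * into out. Returns bytes copied, 0 if no such chunk, -1 if the header is
 * wrong, a chunk claims more data than the file holds, or the wanted chunk
 * would not fit in out. */
int aiff_find_chunk(const unsigned char *file, size_t len, const char *id,
                    char out[CHUNK_BUF]) {
    if (len < 12 || memcmp(file, "FORM", 4) != 0 || memcmp(file + 8, "AIFF", 4) != 0)
        return -1;
    size_t off = 12;
    while (off + 8 <= len) {
        uint32_t size = be32(file + off + 4);
        if (size > len - (off + 8))           /* chunk lies about its length */
            return -1;
        if (memcmp(file + off, id, 4) == 0) {
            if (size > CHUNK_BUF)             /* would overflow the buffer */
                return -1;
            memcpy(out, file + off + 8, size);
            return (int)size;
        }
        off += 8 + size + (size & 1);         /* IFF pads odd-sized chunks */
    }
    return 0;
}

/* Constructed sample: FORM/AIFF header plus one COMM chunk that claims
 * comm_size bytes and really carries them (filled with 'A').
 * Returns total length, or 0 if it would not fit in dst. */
size_t build_aiff(unsigned char *dst, size_t cap, uint32_t comm_size) {
    size_t total = 12 + 8 + (size_t)comm_size;
    if (total > cap) return 0;
    memcpy(dst, "FORM", 4);
    put_be32(dst + 4, (uint32_t)(total - 8));
    memcpy(dst + 8, "AIFF", 4);
    memcpy(dst + 12, "COMM", 4);
    put_be32(dst + 16, comm_size);
    memset(dst + 20, 'A', comm_size);
    return total;
}

/* Self-checks: each returns what aiff_find_chunk reported for one case. */
int check_benign(void) {                      /* 18-byte COMM: fits, copied */
    unsigned char f[512]; char out[CHUNK_BUF];
    return aiff_find_chunk(f, build_aiff(f, sizeof f, 18), "COMM", out);
}
int check_oversized(void) {                   /* 200-byte COMM: rejected */
    unsigned char f[512]; char out[CHUNK_BUF];
    return aiff_find_chunk(f, build_aiff(f, sizeof f, 200), "COMM", out);
}
int check_truncated(void) {                   /* claims 200, file ends at 70 */
    unsigned char f[512]; char out[CHUNK_BUF];
    build_aiff(f, sizeof f, 200);
    return aiff_find_chunk(f, 70, "COMM", out);
}
int check_missing(void) {                     /* no SSND chunk present */
    unsigned char f[512]; char out[CHUNK_BUF];
    return aiff_find_chunk(f, build_aiff(f, sizeof f, 18), "SSND", out);
}

int main(void) {
    printf("benign=%d oversized=%d truncated=%d missing=%d\n",
           check_benign(), check_oversized(), check_truncated(), check_missing());
    return 0;
}
```

The two checks in `aiff_find_chunk` are independent: the file-length check stops a demuxer from reading past the end of its input, and the buffer check stops the stack write that the report describes. A fix that only adds one of them leaves the other failure mode open.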
Comment 1 Pekka Savola 2006-01-12 05:43:25 UTC
Need to check whether http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4048 affects us, from Gentoo advisory:

Description
===========
Simon Kilvington has reported a vulnerability in FFmpeg libavcodec. The flaw is due to a buffer overflow error in the "avcodec_default_get_buffer()" function. This function doesn't properly handle specially crafted PNG files as a result of a heap overflow.

Impact
======
A remote attacker could entice a user to run an FFmpeg based application on a maliciously crafted PNG file, resulting in the execution of arbitrary code with the permissions of the user running the application.
Comment 2 Pekka Savola 2006-01-31 11:15:26 UTC
xine-0.98 is so ancient that the code is completely different, and I'm not sure if PNGs are even supported. I don't think we're affected.
Comment 3 Donald Maner 2006-02-17 21:57:38 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I performed QA on the following package:

87dfc7b246b52abbfdc91d712e8389309cfe09f9  xine-0.9.8-4.1.legacy.src.rpm

Used rpm-build-compare.sh
source looks ok
spec file changes appropriate
patches look good

+PUBLISH rh73
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFD9kfbpxMPKJzn2lIRAsaWAJ0cfKlGNSmjBP82bhUAolnYzTq/IQCgrSMg
of4CoaoJUlPHfQZorDqMdqA=
=K+4k
-----END PGP SIGNATURE-----
Comment 4 Pekka Savola 2006-02-17 21:59:43 UTC
Comment 5 Marc Deslauriers 2006-03-16 01:26:01 UTC
Packages were pushed to updates-testing.
Comment 6 Pekka Savola 2006-03-31 05:26:29 UTC
Comment 7 David Eisenstein 2006-04-02 20:37:12 UTC
Created attachment 127213: FLSA-2006-152873 proposed security advisory. Proposed security advisory text for this issue.
Comment 8 David Eisenstein 2006-04-02 21:34:34 UTC
Just for completeness, I looked up "xine" in cve.mitre.org, and found some other potential issues for xine.

Summary: We may yet be vulnerable to CVE-2004-1455, and I couldn't conclude from Bugtraq whether or not we are vulnerable to CVE-2004-1951 without digging into the xine package...

Details:

CVE-2004-0433 - "Multiple buffer overflows in the Real-Time Streaming Protocol (RTSP) client for (1) MPlayer before 1.0pre4 and (2) xine lib (xine-lib) before 1-rc4, when playing Real RTSP (realrtsp) streams, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (a) long URLs, (b) long Real server responses, or (c) long Real Data Transport (RDT) packets." (Also XSA-2004-3, http://www.xinehq.de/index.php/security/XSA-2004-3). According to XSA-2004-3, this issue does not affect xine-lib 1-beta0 and below.

CVE-2004-1187,1188 - (Already determined to not affect this old version of xine.)

CVE-2004-1455 - "Stack-based buffer overflow in Xine-lib-rc5 in xine-lib 1_rc5-r2 and earlier allows remote attackers to execute arbitrary code via crafted playlists that result in a long vcd:// URL." (Also Bugtraq BID 10890, http://www.securityfocus.com/bid/10890). According to BID 10890, xine-0.9.9 and earlier is vulnerable to this.

CVE-2004-1475 - "Multiple stack-based buffer overflows in xine-lib 1-rc2 through 1-rc5 allow attackers to execute arbitrary code via (1) long VideoCD vcd:// MRLs or (2) long subtitle lines." (Also XSA-2004-4, http://xinehq.de/index.php/security/XSA-2004-4). According to XSA-2004-4, all 0.9 releases or older are NOT affected by this.

CVE-2004-1476 - "Stack-based buffer overflow in the VideoCD (VCD) code in xine-lib 1-rc2 through 1-rc5, as derived from libcdio, allows attackers to execute arbitrary code via a VideoCD with an unterminated disk label." (Also XSA-2004-4, http://xinehq.de/index.php/security/XSA-2004-4). According to XSA-2004-4, all 0.9 releases or older are NOT affected by this.

CVE-2004-1951 - "xine 1.x alpha, 1.x beta, and 1.0rc through 1.0rc3a, and xine-ui 0.9.21 to 0.9.23 allows remote attackers to overwrite arbitrary files via the (1) audio.sun_audio_device or (2) dxr3.devicename options in an MRL link." (Also Bugtraq BID 10193, http://www.securityfocus.com/bid/10193). According to BID 10193, xine xine-0.9.8 is both vulnerable and NOT vulnerable to this. (?)

CVE-2005-1195 - "Multiple heap-based buffer overflows in the code used to handle (1) MMS over TCP (MMST) streams or (2) RealMedia RTSP streams in xine-lib before 1.0, and other products that use xine-lib such as MPlayer 1.0pre6 and earlier, allow remote malicious servers to execute arbitrary code." (Also XSA-2004-8, http://xinehq.de/index.php/security/XSA-2004-8). According to XSA-2004-8, xine-0.9.8 is NOT vulnerable to this (.. I think).

If any of these are valid issues for RHL 7.3's xine, should we open a new bug report for them?
Comment 9 Pekka Savola 2006-04-03 05:37:50 UTC
In the text, the Keywords field should probably be 'security'.

...

CVE-2004-1455 - "Stack-based buffer overflow in Xine-lib-rc5 in xine-lib 1_rc5-r2 and earlier allows remote attackers to execute arbitrary code via crafted playlists that result in a long vcd:// URL." (Also Bugtraq BID 10890, http://www.securityfocus.com/bid/10890). According to BID 10890, xine-0.9.9 and earlier is vulnerable to this.

==> According to http://xinehq.de/index.php/security/XSA-2004-2, we are not vulnerable to this one.

CVE-2004-1951 - "xine 1.x alpha, 1.x beta, and 1.0rc through 1.0rc3a, and xine-ui 0.9.21 to 0.9.23 allows remote attackers to overwrite arbitrary files via the (1) audio.sun_audio_device or (2) dxr3.devicename options in an MRL link." (Also Bugtraq BID 10193, http://www.securityfocus.com/bid/10193). According to BID 10193, xine xine-0.9.8 is both vulnerable and NOT vulnerable to this. (?)

==> according to http://xinehq.de/index.php/security/XSA-2004-1, we are not vulnerable to this either.
Comment 10 David Eisenstein 2006-04-03 23:42:02 UTC
Excellent, Pekka! Thanks! :-) Marc, if the Keywords: line ought to say "security," can you take care of that when you publish it? Thanks!
Comment 11 Marc Deslauriers 2006-04-05 00:25:21 UTC
Packages were released to updates.