xine security announcement
==========================

Announcement-ID: XSA-2004-4

Summary:
Several stack-based string overflows have been fixed in xine-lib. Some of
them can be exploited remotely as buffer overflows, leading to the execution
of arbitrary code with the permissions of the user running a xine-lib based
media application.

Description:
Stack-based string overflows have been found:
1. in the code which handles VideoCD MRLs,
2. in the VideoCD code reading the disc label,
3. in the code which parses text subtitles and prepares them for display.
We will briefly address each item individually:
1. MRLs (media resource locator) are a subset of URIs used by the xine-lib
   library to describe the location of the content to play. A string overflow
   in the parsing code for the VideoCD-specific MRLs (those starting with
   "vcd:/") has been found and reported to the xine-lib developers by
   c0ntex[at]open-security.org. Since xine frontends may accept MRLs received
   from a remote location, this overflow is remotely exploitable by crafting
   a malicious reference or playlist file and tricking the user into
   downloading it.
2. The ISO disk label of a VideoCD is copied into an unprotected stack buffer
   of fixed size. An attacker can craft a malicious VideoCD containing an
   unterminated disk label, which would overrun the buffer. Since VideoCDs
   are not accepted from remote locations, this is not directly remotely
   exploitable. This error is located in code we copied from the libcdio
   project. Since xine-lib can also use this library dynamically linked,
   the vulnerability can depend on the version of an external libcdio
   library installed on the user's system. See the affected versions below.
3. The parsing and display preparation of text subtitles can be overflowed
   with overly long subtitle lines. Text subtitles mostly come as separate
   files to translate DivX movies, but they can also be embedded into OGG or
   Matroska media containers. By crafting a malicious file and tricking the
   user into viewing it via network streaming, this is remotely exploitable.
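The bug class behind item 2 (and, in shape, items 1 and 3) is a copy that trusts the source to be NUL-terminated and the destination to be large enough. The following added example is not xine-lib or libcdio code; it shows the unsafe copy pattern next to a bounded copy that is limited by both the width of the on-disc label field and the size of the stack buffer. The field width of 32 bytes and the buffer size of 16 bytes are assumptions chosen for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Assumed width of the fixed-size, unterminated label field as it is read
 * from the disc (example value, not taken from the ISO 9660 code). */
#define LABEL_FIELD_LEN 32
/* Assumed size of the caller's stack buffer (example value). */
#define LABEL_BUF_LEN 16

/* The shape of the defect described in item 2: strcpy() reads the source
 * until it finds a NUL and writes everything it finds into dst. A label
 * field with no terminator makes it read past the field, and a label longer
 * than dst makes it write past the buffer. Kept here for comparison only;
 * nothing below calls it. */
void copy_label_unsafe(char *dst, const char *field)
{
    strcpy(dst, field);  /* no bound on the source, none on the destination */
}

/* Hardened copy: never reads more than field_len bytes of the source,
 * never writes more than dst_len bytes to dst, and always terminates the
 * result. Returns the number of label bytes copied (after truncation). */
size_t copy_label_safe(char *dst, size_t dst_len,
                       const char *field, size_t field_len)
{
    size_t n = 0;
    if (dst_len == 0)
        return 0;
    /* Bounded length scan: stop at the first NUL or at the end of the field,
     * whichever comes first (equivalent to strnlen, written out for C99). */
    while (n < field_len && field[n] != '\0')
        n++;
    if (n > dst_len - 1)
        n = dst_len - 1;        /* truncate instead of overflowing */
    memcpy(dst, field, n);
    dst[n] = '\0';
    return n;
}

/* Worst case from the advisory: a constructed label field filled entirely
 * with non-NUL bytes (no terminator) copied into a smaller stack buffer.
 * Returns the length stored in the buffer, which must fit in LABEL_BUF_LEN. */
size_t label_demo(void)
{
    char field[LABEL_FIELD_LEN];
    char buf[LABEL_BUF_LEN];
    memset(field, 'A', sizeof field);   /* constructed input: 32 x 'A', no NUL */
    return copy_label_safe(buf, sizeof buf, field, sizeof field);
}
```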

Severity:
Several of these stack overflows are remotely exploitable and proof-of-concept
exploit code from c0ntex[at]open-security.org is available for item 1.
Malicious exploits have not been seen in the wild yet, but this would not be
difficult to achieve. Since the involved xine plugins are part of the
standard xine installation, a large number of users is affected. Given the
wide range of possible harm, we consider this problem to be highly critical.

Affected versions:
1-rc releases starting with and including 1-rc2 up to and including 1-rc5.

Unaffected versions:
All 0.9 releases or older.
All 1-alpha releases.
All 1-beta releases.
1-rc0 and 1-rc1 releases.
1-rc6 or newer.
xine-lib installations dynamically linking against libcdio are not
vulnerable to item 2 if the installed libcdio version is 0.69 or newer.

Solution:
The enclosed patches, which have been applied to xine-lib CVS, fix the problem
but should only be used by distributors who do not want to upgrade.
Otherwise, we strongly advise everyone to upgrade to the 1-rc6 release of
xine-lib.
As a temporary workaround, you may delete the files "xineplug_inp_vcd.so",
"xineplug_dmx_sputext.so" and "xineplug_decode_sputext.so" from the xine-lib
plugin directory, losing the ability to play VideoCDs and to view text
subtitles with xine-lib.

Patches:
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/vcd/xineplug_inp_vcd.c?r1=1.18&r2=1.22&diff_format=u
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/vcd/libcdio/cd_types.c?r1=1.2&r2=1.3&diff_format=u
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/libsputext/demux_sputext.c?r1=1.36&r2=1.37&diff_format=u
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/libsputext/xine_decoder.c?r1=1.84&r2=1.85&diff_format=u

For further information and in case of questions, please contact the xine
team. Our website is http://xinehq.de/