xine security announcement
==========================

Announcement-ID: XSA-2004-6

Summary:
Multiple heap overflow vulnerabilities have been found by iDEFENSE in the code
for handling the PNM and Real RTSP streaming protocols. This can be used for a
heap overflow exploit, which can, on some systems, lead to or help in executing
attacker-chosen malicious code with the permissions of the user running a
xine-lib based media application.
The individual issues have been assigned the names CAN-2004-1187 and
CAN-2004-1188 by the Common Vulnerabilities and Exposures (CVE) project.

Description:
Both the PNM and Real RTSP streaming client code made overly strong
assumptions about the streamed content. Several critical bounds checks were
missing, resulting in the possibility of heap overflows or underflows (negative
overflows) should the streamed content not adhere to these assumptions.
An attacker can set up a server delivering malicious content to users. This
can be used to overflow a heap buffer, which can, with certain implementations
of heap management, lead to attacker-chosen data being written to the stack. This
can cause attacker-chosen code to be executed with the permissions of the
user running the application. By tricking users into retrieving the stream, which
can be as easy as providing a link on a website, this vulnerability can be
exploited remotely.
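As an added illustration (not xine's code, and not the actual PNM or Real RTSP wire format), the kind of check the description refers to: a hypothetical length-prefixed chunk parser that rejects oversized, truncated and negative (underflow) lengths before copying stream data into a fixed-size buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical chunk format: 4-byte big-endian length, then that many payload
 * bytes. Illustrative only; not the xine PNM or Real RTSP protocol. */
#define CHUNK_CAP 256

typedef struct {
    uint8_t data[CHUNK_CAP];   /* fixed-size buffer the stream is copied into */
    size_t  len;
} chunk_t;

/* Decode the length as unsigned. Reading it into a signed int and testing
 * "len < CHUNK_CAP" is how a negative length slips past the check and then
 * becomes a huge size_t in memcpy (the "negative overflow" case). */
static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns 0 on success, -1 if the packet is malformed. Never writes outside
 * dst->data, whatever the length field or the packet size claims. */
int parse_chunk(const uint8_t *pkt, size_t pkt_len, chunk_t *dst) {
    if (pkt_len < 4) return -1;           /* too short to hold a length field */
    uint32_t len = read_be32(pkt);
    if (len > CHUNK_CAP) return -1;       /* would overflow dst->data */
    if (len > pkt_len - 4) return -1;     /* claims more bytes than received */
    memcpy(dst->data, pkt + 4, len);
    dst->len = len;
    return 0;
}

/* Parse into a scratch chunk; returns the payload length, or -1 if rejected. */
long try_packet(const uint8_t *pkt, size_t pkt_len) {
    chunk_t scratch;
    return parse_chunk(pkt, pkt_len, &scratch) == 0 ? (long)scratch.len : -1;
}

int main(void) {
    /* Constructed sample packets: well-formed, truncated, oversized, and a
     * length of 0xFFFFFFFF (-1 if it were read as a signed int). */
    const uint8_t ok[]    = {0, 0, 0, 3, 'a', 'b', 'c'};
    const uint8_t trunc[] = {0, 0, 0, 10, 'a', 'b'};
    const uint8_t big[]   = {0, 0, 1, 1};
    const uint8_t neg[]   = {0xff, 0xff, 0xff, 0xff};
    printf("ok=%ld trunc=%ld big=%ld neg=%ld\n",
           try_packet(ok, sizeof ok), try_packet(trunc, sizeof trunc),
           try_packet(big, sizeof big), try_packet(neg, sizeof neg));
    return 0;
}
```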

Severity:
This is difficult to exploit remotely, because the indirection involved requires
precision and knowledge of the target machine: the heap overflow needs to alter
heap management information so that a return address on the stack is
modified. This address must lead to some malicious code to be executed, which
needs to be injected somehow.
The involved xine plugins are part of the standard xine installation, so we
consider this problem to be moderately severe.

Affected versions:
All 1-alpha releases starting with and including 1-alpha2.
All 1-beta releases.
All 1-rc releases up to and including 1-rc7.

Unaffected versions:
All releases older than 1-alpha2.
1-rc8.
1.0 or newer.

Solution:
The enclosed patches, which have been applied to xine-lib CVS, fix the problem
but should only be used by distributors who do not want to upgrade.
Otherwise, we strongly advise everyone to upgrade to the 1.0 release of
xine-lib.
As a temporary workaround, you may delete the files "xineplug_inp_pnm.so" and
"xineplug_inp_rtsp.so" from the xine-lib plugin directory, losing the ability to
use PNM or Real RTSP streaming content.

Patches:
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/pnm.c?r1=1.20&r2=1.21&diff_format=u
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/libreal/real.c?r1=1.19&r2=1.20&diff_format=u

For further information and in case of questions, please contact the xine
team. Our website is http://xinehq.de/