xine security announcement
==========================

Announcement-ID: XSA-2004-6

Summary:
Multiple heap overflow vulnerabilities have been found by iDEFENSE in the code for handling the PNM and Real RTSP streaming protocols. This can be used for a heap overflow exploit, which can, on some systems, lead to or help in executing attacker-chosen malicious code with the permissions of the user running a xine-lib based media application. The individual issues have been assigned the names CAN-2004-1187 and CAN-2004-1188 by the Common Vulnerabilities and Exposures (CVE) project.

Description:
Both the PNM and Real RTSP streaming client code made overly strong assumptions about the streamed content. Several critical bounds checks were missing, resulting in the possibility of heap overflows or underflows (negative overflows) should the streamed content not adhere to these assumptions. An attacker can set up a server delivering malicious content to users. This can be used to overflow a heap buffer, which can, with certain implementations of heap management, lead to attacker-chosen data being written to the stack. This can cause attacker-chosen code to be executed with the permissions of the user running the application. By tricking users into retrieving the stream, which can be as easy as providing a link on a website, this vulnerability can be exploited remotely.

Severity:
This is difficult to exploit remotely, because the indirection involved requires precision and knowledge of the target machine: the heap overflow needs to alter heap management information in such a way that a return address on the stack is modified. This address must lead to some malicious code to be executed, which needs to be injected somehow. The involved xine plugin is part of the standard xine installation, so we consider this problem to be moderately severe.

Affected versions:
All 1-alpha releases starting with and including 1-alpha2.
All 1-beta releases.
All 1-rc releases up to and including 1-rc7.

Unaffected versions:
All releases older than 1-alpha2.
1-rc8.
1.0 or newer.

Solution:
The enclosed patches, which have been applied to xine-lib CVS, fix the problem but should only be used by distributors who do not want to upgrade. Otherwise, we strongly advise everyone to upgrade to the 1.0 release of xine-lib.
As a temporary workaround, you may delete the files "xineplug_inp_pnm.so" and "xineplug_inp_rtsp.so" from the xine-lib plugin directory, losing the ability to use PNM or Real RTSP streaming content.

Patches:
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/pnm.c?r1=1.20&r2=1.21&diff_format=u
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/libreal/real.c?r1=1.19&r2=1.20&diff_format=u

For further information and in case of questions, please contact the xine team. Our website is http://xinehq.de/
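The Description section above names the defect class: length fields taken from a network stream were used without bounds checks, and a declared size smaller than the header it includes goes negative, which a size_t conversion turns into a huge copy length (the "negative overflow"). The following C example, added here and not code from xine-lib or from the linked patches, shows that flawed length computation next to a hardened chunk parser that validates every derived length against both the remaining input and the destination capacity before copying. The chunk format (a 4-byte big-endian total size followed by payload) and the function names are constructed for illustration and are not the PNM or Real RTSP wire formats.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stream chunk: 4-byte big-endian total size (header included),
 * followed by the payload. Constructed for illustration only. */
#define HDR_LEN 4
#define PAYLOAD_MAX 64

typedef struct {
    unsigned char payload[PAYLOAD_MAX];
    size_t payload_len;
} chunk_t;

/* Scratch destination used by the stand-alone demo and the assertions. */
chunk_t scratch;

/* Constructed sample inputs: a well-formed chunk, one whose declared size is
 * smaller than its own header, and one whose declared size exceeds the input. */
const unsigned char SAMPLE_GOOD[]    = {0, 0, 0, 9, 'h', 'e', 'l', 'l', 'o'};
const unsigned char SAMPLE_BAD[]     = {0, 0, 0, 2, 'x', 'y'};
const unsigned char SAMPLE_TOOLONG[] = {0, 0, 0, 20, 'a', 'b'};

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The flawed pattern: trust the declared size and subtract the header.
 * A declared size below HDR_LEN yields a negative length; handed to memcpy
 * it converts to a huge size_t. Returned here only so the sign can be
 * inspected; it must never be used as a copy length. */
int naive_payload_len(const unsigned char *hdr) {
    return (int)be32(hdr) - HDR_LEN;
}

/* Hardened parser: the header must be fully present, the declared size must
 * cover its own header, and the payload must fit both the destination and
 * the input still available. Returns bytes consumed, or 0 on rejection. */
size_t read_chunk_checked(const unsigned char *buf, size_t buflen, chunk_t *out) {
    if (buf == NULL || out == NULL || buflen < HDR_LEN)
        return 0;                                 /* header incomplete */
    uint32_t total = be32(buf);
    if (total < HDR_LEN)
        return 0;                                 /* would go negative */
    size_t payload = total - HDR_LEN;
    if (payload > PAYLOAD_MAX)
        return 0;                                 /* destination overflow */
    if (payload > buflen - HDR_LEN)
        return 0;                                 /* read past end of input */
    memcpy(out->payload, buf + HDR_LEN, payload);
    out->payload_len = payload;
    return HDR_LEN + payload;
}

int main(void) {
    printf("good:    consumed %zu\n",
           read_chunk_checked(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &scratch));
    printf("bad:     consumed %zu, naive length %d\n",
           read_chunk_checked(SAMPLE_BAD, sizeof SAMPLE_BAD, &scratch),
           naive_payload_len(SAMPLE_BAD));
    printf("toolong: consumed %zu\n",
           read_chunk_checked(SAMPLE_TOOLONG, sizeof SAMPLE_TOOLONG, &scratch));
    return 0;
}
```

The two checks that matter are the comparison of the declared size against the header length before the subtraction (so the length can never go negative) and the comparison of the payload length against the bytes actually received, not just against the destination buffer; a parser that does only the second check still reads past the end of the input when the stream is truncated.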