xine security announcement
==========================

Announcement-ID: XSA-2005-1

Summary:
By setting up a malicious CDDB server, an attacker can overwrite arbitrary memory locations with arbitrary data. This can be used to execute attacker-chosen malicious code with the permissions of the user running a xine-lib based media application.

This problem was reported by Ulf Harnhammar from the Debian Security Audit Project.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-2967 to this issue.

Description:
When playing an Audio CD, a xine-lib based media application contacts a CDDB server to retrieve metadata such as the title and the artist's name. During processing of this data, a response from the server, which is held in memory on the stack, is passed to the fprintf() function as a format string.

An attacker can set up a malicious CDDB server and trick the client into using it instead of the pre-configured one. Alternatively, any user, and therefore the attacker, can modify entries on the official CDDB server.

Using this format string vulnerability, attacker-chosen data can be written to an attacker-chosen memory location. This allows the attacker to alter the control flow and to execute malicious code with the permissions of the user running the application.

Although it requires the user to play an Audio CD, this vulnerability can still be exploited remotely, because a xine Audio CD MRL (media resource locator) could be embedded into a website.

Severity:
How difficult this is to exploit depends on the operating environment. In an environment where it is easy for the attacker to divert network traffic intended for the original CDDB server to a malicious server, this is easy to exploit. Because no assumptions about the operating environment can be made, and because the involved xine plugin is part of the standard xine installation, we consider this problem to be severe.
Affected versions:
- All 1-beta releases starting with and including 1-beta3.
- All 1-rc releases.
- All 1.0 releases up to and including 1.0.2.
- The 1.1.0 release.

Unaffected versions:
- All 0.9 and older releases.
- All 1-alpha releases.
- All 1-beta releases older than 1-beta3.
- All 1.0 releases starting with and including 1.0.3.
- 1.1.1 or newer.

Solution:
The enclosed patch, which has been applied to xine-lib CVS, fixes the problem but should only be used by distributors who do not want to upgrade. Otherwise, we strongly advise everyone to upgrade to the 1.0.3 release of xine-lib.

As a temporary workaround, you may delete the file "xineplug_inp_cdda.so" from the xine-lib plugin directory, losing the ability to play Audio CDs.

Patch:
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/input_cdda.c?r1=1.77&r2=1.78&diff_format=u

For further information and in case of questions, please contact the xine team. Our website is http://xinehq.de/
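To illustrate the class of bug the patch addresses, the following is an added example and not code from xine-lib or the linked patch: it handles a CDDB "DTITLE=" reply line with a bounded copy and a constant format string, so that any '%' sequences a server sends are printed literally instead of being interpreted. The function names and the sample reply lines are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample lines in the style of a CDDB "read" reply; the second
   one carries format directives of the kind a malicious server could send. */
static const char *SAMPLE_LINES[] = {
    "DTITLE=Some Artist / Some Album",
    "DTITLE=%x%x%n",
};

#define TITLE_MAX 64

/* Copy the value of a "DTITLE=" line into a fixed-size buffer, truncating
   rather than overflowing. Returns 1 on success, 0 if the line is not a
   DTITLE line or the destination has no room. */
int parse_dtitle(const char *line, char *title, size_t title_len) {
    const char *prefix = "DTITLE=";
    size_t plen = strlen(prefix);
    if (title_len == 0 || strncmp(line, prefix, plen) != 0)
        return 0;
    /* Constant format, untrusted text as the argument: bounded copy, and
       no directive parsing of the server data. */
    snprintf(title, title_len, "%s", line + plen);
    return 1;
}

/* Render the title for a log message. The advisory's bug was the equivalent
   of passing the server data itself as the format argument; here the format
   is a compile-time constant and the untrusted text is a "%s" argument.
   Returns the number of characters that would have been written. */
int log_title(char *out, size_t out_len, const char *title) {
    return snprintf(out, out_len, "cdda: title: %s", title);
}

int main(void) {
    char title[TITLE_MAX], msg[128];
    size_t n = sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0];
    for (size_t i = 0; i < n; i++) {
        if (parse_dtitle(SAMPLE_LINES[i], title, sizeof title)) {
            log_title(msg, sizeof msg, title);
            puts(msg);  /* directives in the sample appear literally */
        }
    }
    return 0;
}
```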