xine security announcement
==========================

Announcement-ID: XSA-2005-1

Summary:
By setting up a malicious CDDB server, an attacker can overwrite arbitrary 
memory locations with arbitrary data. This can be used to execute 
attacker-chosen malicious code with the permissions of the user running a 
xine-lib based media application. This problem was reported by Ulf Harnhammar 
from the Debian Security Audit Project.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name 
CAN-2005-2967 to this issue.

Description:
When playing an Audio CD, a xine-lib based media application contacts a CDDB 
server to retrieve metadata such as the title and the artist's name. While 
processing this data, the server's response, which is held in a buffer on the 
stack, is passed to fprintf() as the format string rather than as an argument.
An attacker can set up a malicious CDDB server and trick the client into using 
it instead of the pre-configured one. Alternatively, since any user can modify 
entries on the official CDDB server, an attacker can plant the hostile data 
there. Through this format string vulnerability, attacker-chosen data can be 
written to an attacker-chosen memory location, which allows the attacker to 
alter the control flow and execute malicious code with the permissions of the 
user running the application.
Although it requires the user to play an Audio CD, this vulnerability can still 
be exploited remotely, because a xine Audio CD MRL (media resource locator) 
could be embedded into a website.
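The following is an added example (not xine-lib's input_cdda.c code) that shows the mistake the advisory describes, beside the hardened form, plus a small heuristic that flags a captured CDDB response carrying conversion directives. The function names, the DTITLE sample lines and the buffer sizes are constructed for this illustration; only the "%%" case is run through the vulnerable path, because that is the one case whose behaviour is well defined without arguments.

```c
/* Added example, not xine-lib code.  Demonstrates why a network response
 * must never be the format argument of the printf family.  Sample CDDB
 * lines below are constructed, not captured from a real server. */
#include <stdio.h>
#include <string.h>

/* Count the printf conversion directives an untrusted string would trigger
 * if it were used as a format string.  "%%" is a literal percent sign and
 * consumes no argument, so it is not counted. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent, skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Vulnerable pattern: the server's text IS the format string.  Any "%x"
 * in it reads stack memory and any "%n" writes to it.  Compilers flag
 * this call under -Wformat-security. */
int format_title_vulnerable(char *out, size_t outlen, const char *server_line)
{
    return snprintf(out, outlen, server_line);
}

/* Hardened pattern: the server's text is always an argument, never the
 * format, so no character in it is ever interpreted as a directive. */
int format_title_safe(char *out, size_t outlen, const char *server_line)
{
    return snprintf(out, outlen, "%s", server_line);
}

/* Helper for checking: returns 1 if fn(line) produces exactly `expect`. */
int formats_to(int (*fn)(char *, size_t, const char *),
               const char *line, const char *expect)
{
    char out[128];
    fn(out, sizeof out, line);
    return strcmp(out, expect) == 0;
}

int main(void)
{
    /* Constructed responses: one normal DTITLE line and two hostile ones. */
    const char *lines[] = {
        "DTITLE=Some Artist / Some Album",
        "DTITLE=100%% legit",         /* only "%%": defined, but still altered */
        "DTITLE=%08x.%08x.%08x.%n",   /* reads the stack, then writes via %n */
    };
    char buf[128];

    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int n = count_format_directives(lines[i]);
        printf("%-32s directives=%d\n", lines[i], n);
        format_title_safe(buf, sizeof buf, lines[i]);
        printf("  safe      : %s\n", buf);
        if (n == 0) {   /* run the vulnerable path only where it is well defined */
            format_title_vulnerable(buf, sizeof buf, lines[i]);
            printf("  vulnerable: %s\n", buf);
        }
    }
    return 0;
}
```

The safe variant reproduces every byte of the response, including "%%" and "%n", whereas the vulnerable variant already rewrites the harmless "100%% legit" line; with a "%n" in the response it would write to memory. The directive counter is a detection aid for captured traffic or logs, not a substitute for the "%s" fix: the response data must never reach the format argument.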

Severity:
How difficult this is to exploit depends on the operating environment. Where an 
attacker can easily divert network traffic intended for the original CDDB server 
to a malicious one, exploitation is easy. Because no assumptions about the 
operating environment can be made, and because the affected xine plugin is part 
of the standard xine installation, we consider this problem severe.

Affected versions:
All 1-beta releases starting with and including 1-beta3.
All 1-rc releases.
All 1.0 releases up to and including 1.0.2.
The 1.1.0 release.

Unaffected versions:
All 0.9 and older releases.
All 1-alpha releases.
All 1-beta releases older than 1-beta3.
All 1.0 releases starting with and including 1.0.3.
1.1.1 or newer.

Solution:
The enclosed patch, which has been applied to xine-lib CVS, fixes the problem but 
should only be used by distributors who do not want to upgrade.
Otherwise, we strongly advise everyone to upgrade to the 1.0.3 release of 
xine-lib (or to 1.1.1 or newer on the 1.1 branch).
As a temporary workaround, you may delete the file "xineplug_inp_cdda.so" from 
the xine-lib plugin directory, losing the ability to play Audio CDs.

Patch:
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/input_cdda.c?r1=1.77&r2=1.78&diff_format=u

For further information and in case of questions, please contact the xine team. 
Our website is http://xinehq.de/