Bug 152873

Summary: CAN-2004-0372,1379: multiple xine vulns
Product: [Retired] Fedora Legacy Reporter: David Lawrence <dkl>
Component: xineAssignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rhl7.3CC: donjr, pekkas
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: LEGACY, rh73
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-04-05 00:25:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
FLSA-2006-152873 proposed security advisory. none

Description David Lawrence 2005-03-30 23:30:32 UTC
Shaun Colley's xine-check/xine-bugreport symlink vulnerability (CAN-2004-0372)
from http://www.securityfocus.com/archive/1/358199
===
Due to the ongoing, and sometimes experimental
addition of features added to xine, a script (*there
are two copies of the script: /usr/bin/xine-bugreport
and /usr/bin/xine-check - they are *exactly* the
same*) is included in xine distributions to allow a
user to possibly remedy a problem, or report a bug if
their problem could not be solved.  However, in the
bug-reporting code, the bug report email is dumped to
a file in the /tmp directory for a user to use later
or send manually - this file is written in an insecure
manner, presenting a symlink vulnerability.
===

Ariel Berkman's xine-lib open_aiff_file buffer overflows (no CVE CAN, yet)
from http://tigger.uic.edu/~jlongs2/holes/xine-lib.txt
===
Ariel Berkman, a student in my Fall 2004 UNIX Security Holes course, has
discovered a remotely exploitable security hole in xine-lib. I'm
publishing this notice, but all the discovery credits should be assigned
to Berkman.

You are at risk if you take a file from the web (or email or any other
source that could be controlled by an attacker) and feed that file
through xine or any other xine-lib frontend. Whoever provides that file
then has complete control over your account: he can read and modify your
files, watch the programs you're running, etc.
...
Here's the bug: In demux_aiff.c, open_aiff_file() reads an
input-specified amount of data into a 100-byte buffer[] array.
===
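As an added example (not code from xine or from anyone in this bug), the two defects quoted above sketched in C from a defender's side: a bounds-checked chunk reader for the case where the reported open_aiff_file() copied a file-supplied length into a 100-byte buffer, and an mkstemp()-based replacement for the insecure /tmp write in xine-bugreport. The chunk layout, function names and sample chunks are assumptions for illustration, not xine's actual code.

```c
#define _POSIX_C_SOURCE 200809L   /* for mkstemp(), fstat(), unlink() */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define CHUNK_BUF 100   /* size of the fixed buffer[] named in the report */
static uint32_t be32(const unsigned char *p) {   /* IFF lengths are big-endian */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hardened chunk reader (illustrative, not xine's demux_aiff.c): 4-byte ID,
 * 4-byte length, payload. Returns bytes copied, or -1 if the header is short,
 * the declared length exceeds buf_len (the comparison the reported code
 * lacked), or it exceeds what actually remains in the input. */
int read_chunk_checked(const unsigned char *in, size_t in_len,
                       unsigned char *buf, size_t buf_len) {
    if (in_len < 8) return -1;
    uint32_t declared = be32(in + 4);
    if (declared > buf_len || declared > in_len - 8) return -1;
    memcpy(buf, in + 8, declared);
    return (int)declared;
}

/* Same reader over a fixed 100-byte buffer, mirroring the report's setup. */
int parse_chunk(const unsigned char *in, size_t in_len) {
    unsigned char buffer[CHUNK_BUF];
    return read_chunk_checked(in, in_len, buffer, sizeof buffer);
}

/* Constructed chunks: one whose declared length (4) fits, and one whose
 * header claims 0x10000 bytes although only 4 bytes follow it. */
const unsigned char good_chunk[] = "COMM\0\0\0\x04" "abcd";
const unsigned char evil_chunk[] = "COMM\0\1\0\0" "abcd";

/* Temp-file counterpart for the xine-bugreport symlink issue: mkstemp() opens
 * a fresh file with O_CREAT|O_EXCL and mode 0600, so a symlink planted at a
 * predictable /tmp name is never followed. Returns 1 if a private regular
 * file was created (and removed again), 0 otherwise. */
int private_tmpfile_ok(void) {
    char path[] = "/tmp/xine-bugreport.XXXXXX";   /* constructed template */
    struct stat st;
    int fd = mkstemp(path), ok;
    if (fd < 0) return 0;
    ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1
         && (st.st_mode & 077) == 0;   /* no group/other access */
    close(fd); unlink(path);
    return ok;
}
```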



------- Additional Comments From pekkas 2004-12-19 23:46:51 ----

Only RHL73 ships with xine.

RHL73 has 0.9.8, which is very old.  The first problem can be straightforwardly
fixed.  The latter problem does not appear to exist in releases this old, but it
is difficult to say.

I suggest we wait for a couple of weeks to see which course Debian stable (for
example) takes for problem #2.



------- Additional Comments From bugzilla.fedora.us 2004-12-21 23:33:37 ----

two more problems reported by iDefense:
http://www.idefense.com/application/poi/display?id=177&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=176&type=vulnerabilities

CAN-2004-1187, CAN-2004-1188



------- Additional Comments From bugzilla.fedora.us 2004-12-28 12:26:28 ----

Berkman's bug has been assigned CVE id CAN-2004-1300



------- Additional Comments From bugzilla.fedora.us 2004-12-28 12:44:18 ----

according to http://xinehq.de/index.php/security/XSA-2004-7 , xine 0.9.8 which
shipped with rh73 shouldn't be vulnerable to CAN-2004-1300:
==
Unaffected versions:
All releases older than 1-alpha0.
==

http://xinehq.de/index.php/security/XSA-2004-5 describes a difficult to exploit
vuln that should be fixed.

patch at
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/libspudec/spu.c?r1=1.77&r2=1.78&diff_format=u


according to http://xinehq.de/index.php/security/XSA-2004-6 , rh73's version
also shouldn't be vulnerable to CAN-2004-1187 and CAN-2004-1188:
==
Unaffected versions:
All releases older than 1-alpha2.
==



------- Additional Comments From pekkas 2005-01-11 20:57:03 ----

RHL73 xine update:
 - fixes CAN-2004-0372, adopted from Debian:
   http://www.debian.org/security/2004/dsa-477
 - fixes XSA-2004-5 (testing this wouldn't hurt) as noted in #4
 
This version is unaffected by CAN-2004-1187, CAN-2004-1188, CAN-2004-1300.
(Is there a CAN for XSA-2004-5?)
 
http://www.netcore.fi/pekkas/linux/xine-0.9.8-4.1.legacy.i386.rpm
http://www.netcore.fi/pekkas/linux/xine-0.9.8-4.1.legacy.src.rpm
http://www.netcore.fi/pekkas/linux/xine-devel-0.9.8-4.1.legacy.i386.rpm
 
a3d9c789313ccb761256accddf89ae9fa6746663  xine-0.9.8-4.1.legacy.i386.rpm
87dfc7b246b52abbfdc91d712e8389309cfe09f9  xine-0.9.8-4.1.legacy.src.rpm
e24eeb025b30d4154835f8229220f399fc762ab2  xine-devel-0.9.8-4.1.legacy.i386.rpm
 
* Wed Jan 12 2005 Pekka Savola <pekkas> 1:0.9.8-4.1.legacy
- fix CAN-2004-0372 and XSA-2004-5 (#2348)




------- Additional Comments From bugzilla.fedora.us 2005-01-31 11:28:04 ----

CVE entry for XSA-2004-5 is CAN-2004-1379



------- Bug moved to this database by dkl 2005-03-30 18:30 -------

This bug previously known as bug 2348 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2348
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown operating system Windows XP. Setting to default OS "Linux".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl.
   Previous reporter was bugzilla.fedora.us.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



Comment 1 Pekka Savola 2006-01-12 05:43:25 UTC
Need to check whether
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4048 affects us, from
Gentoo advisory:

Description
===========

Simon Kilvington has reported a vulnerability in FFmpeg libavcodec. The
flaw is due to a buffer overflow error in the
"avcodec_default_get_buffer()" function. This function doesn't properly
handle specially crafted PNG files as a result of a heap overflow.

Impact
======

A remote attacker could entice a user to run an FFmpeg based
application on a maliciously crafted PNG file, resulting in the
execution of arbitrary code with the permissions of the user running
the application.


Comment 2 Pekka Savola 2006-01-31 11:15:26 UTC
xine-0.98 is so ancient that the code is completely different, and I'm not sure
if PNGs are even supported.  I don't think we're affected.

Comment 3 Donald Maner 2006-02-17 21:57:38 UTC

I performed QA on the following package:

87dfc7b246b52abbfdc91d712e8389309cfe09f9  xine-0.9.8-4.1.legacy.src.rpm

Used rpm-build-compare.sh

 source looks ok
 spec file changes appropriate
 patches look good

+PUBLISH rh73


Comment 4 Pekka Savola 2006-02-17 21:59:43 UTC
Thanks!

Comment 5 Marc Deslauriers 2006-03-16 01:26:01 UTC
Packages were pushed to updates-testing.

Comment 6 Pekka Savola 2006-03-31 05:26:29 UTC
Timeout over.

Comment 7 David Eisenstein 2006-04-02 20:37:12 UTC
Created attachment 127213 [details]
FLSA-2006-152873 proposed security advisory.

Proposed security advisory text for this issue.

Comment 8 David Eisenstein 2006-04-02 21:34:34 UTC
Just for completeness, I looked up "xine" in cve.mitre.org, and found some
other potential issues for xine.

Summary:  We may yet be vulnerable to CVE-2004-1455, and I couldn't conclude
from Bugtraq whether or not we are vulnerable to CVE-2004-1951 without
digging into the xine package...

Details:

  CVE-2004-0433 - "Multiple buffer overflows in the Real-Time Streaming Protocol
(RTSP) client for (1) MPlayer before 1.0pre4 and (2) xine lib (xine-lib) before
1-rc4, when playing Real RTSP (realrtsp) streams, allow remote attackers to
cause a denial of service (crash) and possibly execute arbitrary code via (a)
long URLs, (b) long Real server responses, or (c) long Real Data Transport (RDT)
packets."
(Also XSA-2004-3, http://www.xinehq.de/index.php/security/XSA-2004-3). 
According to XSA-2004-3, this issue does not affect xine-lib 1-beta0 and below.

  CVE-2004-1187,1188 - (Already determined to not affect this old version of xine.)

  CVE-2004-1455 - "Stack-based buffer overflow in Xine-lib-rc5 in xine-lib
1_rc5-r2 and earlier allows remote attackers to execute arbitrary code via
crafted playlists that result in a long vcd:// URL."
(Also Bugtraq BID 10890, http://www.securityfocus.com/bid/10890).
According to BID 10890, xine-0.9.9 and earlier is vulnerable to this.

  CVE-2004-1475 - "Multiple stack-based buffer overflows in xine-lib 1-rc2
through 1-rc5 allow attackers to execute arbitrary code via (1) long VideoCD
vcd:// MRLs or (2) long subtitle lines."
(Also XSA-2004-4, http://xinehq.de/index.php/security/XSA-2004-4).
According to XSA-2004-4, all 0.9 releases or older are NOT affected by this.

  CVE-2004-1476 - "Stack-based buffer overflow in the VideoCD (VCD) code in
xine-lib 1-rc2 through 1-rc5, as derived from libcdio, allows attackers to
execute arbitrary code via a VideoCD with an unterminated disk label."
(Also XSA-2004-4, http://xinehq.de/index.php/security/XSA-2004-4).
According to XSA-2004-4, all 0.9 releases or older are NOT affected by this.

  CVE-2004-1951 - "xine 1.x alpha, 1.x beta, and 1.0rc through 1.0rc3a, and
xine-ui 0.9.21 to 0.9.23 allows remote attackers to overwrite arbitrary files
via the (1) audio.sun_audio_device or (2) dxr3.devicename options in an MRL link."
(Also Bugtraq BID 10193, http://www.securityfocus.com/bid/10193).
According to BID 10193, xine-0.9.8 is both vulnerable and NOT vulnerable to
this. (?)

  CVE-2005-1195 - "Multiple heap-based buffer overflows in the code used to
handle (1) MMS over TCP (MMST) streams or (2) RealMedia RTSP streams in xine-lib
before 1.0, and other products that use xine-lib such as MPlayer 1.0pre6 and
earlier, allow remote malicious servers to execute arbitrary code."
(Also XSA-2004-8, http://xinehq.de/index.php/security/XSA-2004-8).
According to XSA-2004-8, xine-0.9.8 is NOT vulnerable to this (.. I think).

If any of these are valid issues for RHL 7.3's xine, should we open a new bug
report for them?

Comment 9 Pekka Savola 2006-04-03 05:37:50 UTC
In the text, the Keywords field should probably be 'security'.

...


CVE-2004-1455 - "Stack-based buffer overflow in Xine-lib-rc5 in xine-lib
1_rc5-r2 and earlier allows remote attackers to execute arbitrary code via
crafted playlists that result in a long vcd:// URL."
(Also Bugtraq BID 10890, http://www.securityfocus.com/bid/10890).
According to BID 10890, xine-0.9.9 and earlier is vulnerable to this.

==> According to http://xinehq.de/index.php/security/XSA-2004-2, we are not
vulnerable to this one.

 CVE-2004-1951 - "xine 1.x alpha, 1.x beta, and 1.0rc through 1.0rc3a, and
xine-ui 0.9.21 to 0.9.23 allows remote attackers to overwrite arbitrary files
via the (1) audio.sun_audio_device or (2) dxr3.devicename options in an MRL link."
(Also Bugtraq BID 10193, http://www.securityfocus.com/bid/10193).
According to BID 10193, xine-0.9.8 is both vulnerable and NOT vulnerable to
this. (?)

==> according to http://xinehq.de/index.php/security/XSA-2004-1, we are not
vulnerable to this either.

Comment 10 David Eisenstein 2006-04-03 23:42:02 UTC
Excellent, Pekka!  Thanks!  :-)  

Marc, if the Keywords:  line ought to say "security," can you take care of
that when you publish it?  Thanks!

Comment 11 Marc Deslauriers 2006-04-05 00:25:21 UTC
Packages were released to updates.