Bug 438182 (CVE-2008-0073)

Summary: CVE-2008-0073 xine-lib: sdpplin_parse() Array Indexing Vulnerability
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: extras-orphan, gauret, rdieter, ville.skytta
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0073
Whiteboard:
Fixed In Version: 1.1.11.1-1.fc7
Doc Type: Bug Fix
Last Closed: 2008-04-09 05:16:46 UTC
Type: ---
Bug Depends On: 438191, 438192, 438193    
Bug Blocks:    

Description Tomas Hoger 2008-03-19 15:49:07 UTC
Alin Rad Pop of Secunia Research discovered the following flaw affecting xine-lib:

SA28694:

Description:
Secunia Research has discovered a vulnerability in xine-lib, which can be
exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the
"sdpplin_parse()" function in input/libreal/sdpplin.c. This can be exploited to
overwrite arbitrary memory regions via an overly large "streamid" SDP parameter
included in a malicious RTSP stream.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 1.1.10.1. Other versions may also be
affected.

Solution:
Do not open untrusted RTSP streams.
A patch or updated version should be available shortly.

References:
http://secunia.com/advisories/28694/
http://secunia.com/secunia_research/2008-10/advisory/
http://bugs.xine-project.org/show_bug.cgi?id=58
http://bugs.gentoo.org/show_bug.cgi?id=213039


According to the Gentoo bug, this issue also affects VLC.

The issue should be addressed in the next upstream version, 1.1.11 (not yet available).
A patch is available in the xine bugzilla.
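
The advisory quoted above describes a "streamid" value from the stream being used as an array index without a bound. As an added example (not xine-lib's code and not the upstream patch), the C below shows the checks that close this class of flaw; `sdp_desc_t`, `MAX_STREAMS`, both function names and the sample attribute lines are assumptions made for illustration.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STREAMS 8  /* constructed capacity for this example */

/* Hypothetical description object: a table indexed by stream id. */
typedef struct {
    unsigned long stream_count;       /* slots the description declared */
    const char *stream[MAX_STREAMS];  /* per-stream data */
} sdp_desc_t;

/* Read the decimal value after "streamid=" in one SDP attribute line.
 * Returns 0 on success, -1 if the key is absent or the value malformed. */
static int parse_streamid(const char *line, unsigned long *id_out)
{
    const char *p = strstr(line, "streamid=");
    if (p == NULL)
        return -1;
    p += strlen("streamid=");
    if (*p < '0' || *p > '9')   /* no digits, or a sign: strtoul accepts "-1" */
        return -1;
    errno = 0;
    *id_out = strtoul(p, NULL, 10);
    return errno == ERANGE ? -1 : 0;   /* value did not fit in unsigned long */
}

/* Store data in the slot named by the line's streamid.
 * The unchecked form of this function is just "desc->stream[id] = data",
 * which lets the sender of the stream choose where the pointer is written. */
int sdp_store_stream(sdp_desc_t *desc, const char *line, const char *data)
{
    unsigned long id;
    if (desc->stream_count > MAX_STREAMS)   /* declared count exceeds storage */
        return -1;
    if (parse_streamid(line, &id) != 0)
        return -1;
    if (id >= desc->stream_count)           /* index outside the declared table */
        return -1;
    desc->stream[id] = data;
    return 0;
}

int main(void)
{
    sdp_desc_t d = { 2, { NULL } };  /* constructed sample: 2 declared streams */
    return !(sdp_store_stream(&d, "a=control:streamid=1", "audio") == 0 &&
             sdp_store_stream(&d, "a=control:streamid=4096", "video") == -1);
}
```

The index is parsed as unsigned and compared against the declared count before any write, so negative, oversized and overflowing values are all refused rather than wrapped or truncated.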

Comment 1 Tomas Hoger 2008-03-19 15:53:00 UTC
Direct link to patch:

http://bugs.xine-project.org/attachment.cgi?id=25

Comment 3 Ville Skyttä 2008-03-19 18:22:48 UTC
I'm working on updating F-8+ to 1.1.11.

Comment 4 Fedora Update System 2008-03-19 22:45:13 UTC
xine-lib-1.1.11-1.fc8 has been submitted as an update for Fedora 8

Comment 5 Ville Skyttä 2008-03-19 22:46:43 UTC
Rawhide build is waiting for aalib to be fixed (#438250).

Comment 6 Fedora Update System 2008-03-21 22:05:20 UTC
xine-lib-1.1.11-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2008-04-06 08:59:57 UTC
xine-lib-1.1.11.1-1.fc7 has been submitted as an update for Fedora 7

Comment 8 Fedora Update System 2008-04-09 05:16:36 UTC
xine-lib-1.1.11.1-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.