Bug 442882 (CVE-2008-1878)
| Summary: | CVE-2008-1878 xine-lib: buffer overflow in nsf demuxer (CVE-2008-1964) | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | unspecified | CC: | gauret, rdieter, ville.skytta | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2008-06-19 12:56:30 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 443054, 443055, 443056, 443969 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
Created attachment 302736 [details]
Reporter's PoC
Exploit is now also on milw0rm: http://milw0rm.com/exploits/5458 Upstream patches: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=d0ced21e0cf2;style=gitweb http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=2d5efbbeb882;style=gitweb Secunia advisory ChangeLog message refers to: http://secunia.com/advisories/29850 xine-lib-1.1.11.1-1.fc7.2 has been submitted as an update for Fedora 7 xine-lib-1.1.12-2.fc8 has been submitted as an update for Fedora 8 Another issue was reported as affecting nsf demuxer, however, it was disputed as invalid shortly. CVE id CVE-2008-1964 was assigned anyway: CVE-2008-1964 ** DISPUTED ** Stack-based buffer overflow in the demux_nsf_send_headers function in src/demuxers/demux_nsf.c in xine-lib allows remote attackers to have an unknown impact via a long copyright field in an NSF header in an NES Sound file, a different issue than CVE-2008-1878. NOTE: a third party claims that the copyright field always has a safe length. References: http://www.securityfocus.com/archive/1/archive/1/491274/100/0/threaded http://www.securityfocus.com/archive/1/archive/1/491248/100/0/threaded http://www.securityfocus.com/bid/28908 xine-lib-1.1.12-CVE-2008-1878.patch applied to Fedora packages adds more explicit limits on copyright field length. xine-lib-1.1.11.1-1.fc7.2 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report. xine-lib-1.1.12-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report. This issue was addressed in: Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2008-3326 https://admin.fedoraproject.org/updates/F8/FEDORA-2008-3353 |
Guido Landi reported following xine-lib issue to Full-Disclosure mailing list: xine-lib <= 1.1.12 is prone to a stack-based buffer overflow in the NES Sound Format demuxer(demux_nsf.c). - Code open_nsf_file(): 109: this->title = strdup(&header[0x0E]); demux_nsf_send_chunk(): 122: char title[100]; 162: sprintf(title, "%s, song %d/%d", this->title, this->current_song, this->total_songs); - Affected applications http://xinehq.de/index.php/releases - PoC perl -e 'print "\x4E\x45\x53\x4D\x1A\x01\x01\x01\x80\x80\x18\x8A\x03\x8A" . "\x41" x 114' > evil.mp3 Reference: http://marc.info/?l=full-disclosure&m=120839374812553&w=4 Does not seem to be fixed upstream yet. Overflow is caught by stack protector.