Bug 473230

Summary: xine-lib,gxine,oxine,xine-plugin: CVE-2008-5235 CVE-2008-5236 CVE-2008-5237 CVE-2008-5239 CVE-2008-5240 CVE-2008-5241 CVE-2008-5242 CVE-2008-5243 CVE-2008-5244 CVE-2008-5247 xine-lib various flaws
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: gauret
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-11-29 14:51:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Lieskovsky 2008-11-27 09:00:56 UTC 
Will Drewry has reported multiple security flaws present in the Xine multimedia
library (NOTE: mentioning only issues that were not addressed in latest upstream
1.1.15 version of the xine-lib library).

References (for more detailed analysis of each issue below proceed to the
following post):
http://www.ocert.org/analysis/2008-008/analysis.txt

================================================================================

CVE-2008-5235:

Heap-based buffer overflow in the demux_real_send_chunk function in
src/demuxers/demux_real.c in xine-lib before 1.1.15 allows remote
attackers to execute arbitrary code via a crafted Real Media file.
NOTE: some of these details are obtained from third party information.

Conclusion: 
demux_real_send_chunk function in src/demuxers/demux_real.c
-- patch: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=1f961a5d8a7f
-- result: partially fixed in 1.1.15, fix is incomplete, see CVE-2008-5236 (2)
-- action: Check why the above patch is incomplete

================================================================================

CVE-2008-5236:

Multiple heap-based buffer overflows in xine-lib 1.1.12, and other
1.1.15 and earlier versions, allow remote attackers to execute
arbitrary code via vectors related to (1) a crafted EBML element
length processed by the parse_block_group function in
demux_matroska.c; (2) a certain combination of sps, w, and h values
processed by the real_parse_audio_specific_data and
demux_real_send_chunk functions in demux_real.c; and (3) an
unspecified combination of three values processed by the open_ra_file
function in demux_realaudio.c. NOTE: vector 2 reportedly exists
because of an incomplete fix in 1.1.15.

Conclusion: 
a, parse_group_block in demux_matroska.c:
-- patch: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=a0830dddbd35
-- WD: "probably not fixed in 1.1.15; len changed to size_t but -1 will
     still match 0xffffffff when leaving read. fix not confirmed."
-- action: fix the patch to address the "-1" case too

b, parse_audio_specific_data, demux_real_send_chunk in demux_real.c:
-- result: incomplete fix for CVE-2008-5235
-- patch: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=1f961a5d8a7f
-- action: check, what's the above patch missing

c, open_ra_file in demux_realaudio.c:
-- patch: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=a0830dddbd35
-- WD: "1.1.15 changes frame_size to a size_t but doesn't appear to fix
     the numeric overflow"
-- action: prepare a post 1.1.15 patch to address the numeric overflow

===============================================================================

CVE-2008-5237:

Multiple integer overflows in xine-lib 1.1.12, and other 1.1.15 and
earlier versions, allow remote attackers to cause a denial of service
(crash) or possibly execute arbitrary code via (1) crafted width and
height values that are not validated by the mymng_process_header
function in demux_mng.c before use in an allocation calculation or (2)
crafted current_atom_size and string_size values processed by the
parse_reference_atom function in demux_qt.c.

Conclusion:
a, mymng_process_header
-- patch: ?
-- result: partially fixed in 1.1.15
-- WD: "missing malloc failure check fixed in 1.1.15" -- in patch:
            http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=35f09930323e46c92e521846b9ccdfd5e277ad16

-- action: see the issue description in above analysis.txt and prepare patch
           post 1.1.15 patch
        
b, parse_reference_atom  in demux_qt.c
-- patch: ?
-- result: need a patch
-- WD: "not addressed in 1.1.15"
-- action: prepare a post 1.1.15 patch

===============================================================================

CVE-2008-5239:

xine-lib 1.1.12, and other 1.1.15 and earlier versions, does not
properly handle (a) negative and (b) zero values during unspecified
read function calls in input_file.c, input_net.c, input_smb.c, and
input_http.c, which allows remote attackers to cause a denial of
service (crash) or possibly execute arbitrary code via vectors such as
(1) a file or (2) an HTTP response, which triggers consequences such
as out-of-bounds reads and heap-based buffer overflows.

Conclusion:

improper handling (a) negative and (b) zero values during unspecified read function calls in input_file.c, input_net.c, input_smb.c 
-- patch: ?
-- WD: "not directly addressed in 1.1.15"
--action: prepare a post 1.1.15 patch

===============================================================================

CVE-2008:5240:

xine-lib 1.1.12, and other 1.1.15 and earlier versions, relies on an
untrusted input value to determine the memory allocation and does not
check the result for (1) the MATROSKA_ID_TR_CODECPRIVATE track entry
element processed by demux_matroska.c; and (2) PROP_TAG, (3) MDPR_TAG,
and (4) CONT_TAG chunks processed by the real_parse_headers function
in demux_real.c; which allows remote attackers to cause a denial of
service (NULL pointer dereference and crash) or possibly execute
arbitrary code via a crafted value.

Conclusions:
(1) the MATROSKA_ID_TR_CODECPRIVATE track entry element processed by demux_matroska.c
-- patch: ?
-- WD: "not directly addressed in 1.1.15"
-- action: prepare a post 1.1.15 patch

(2) PROP_TAG, (3) MDPR_TAG, and (4) CONT_TAG chunks processed by the real_parse_headers function in demux_real.c
-- patch: ?
-- WD: "not addressed in 1.1.15"
-- action: prepare a post 1.1.15 patch

===============================================================================

CVE-2008-5241:

Integer underflow in demux_qt.c in xine-lib 1.1.12, and other 1.1.15
and earlier versions, allows remote attackers to cause a denial of
service (crash) via a crafted media file that results in a small value
of moov_atom_size in a compressed MOV (aka CMOV_ATOM).

Conclusions:
Integer underflow in demux_qt.c via a crafted media file that results in a small value of moov_atom_size in a compressed MOV (aka CMOV_ATOM)
-- patch: ?
-- WD: "not addressed in 1.1.15"
-- action: prepare a post 1.1.15 patch

===============================================================================

CVE-2008-5242:

demux_qt.c in xine-lib 1.1.12, and other 1.1.15 and earlier versions,
does not validate the count field before calling calloc for STSD_ATOM
atom allocation, which allows remote attackers to cause a denial of
service (crash) or possibly execute arbitrary code via a crafted media
file.

Conclusions:
demux_qt.c does not validate the count field before calling calloc for STSD_ATOM atom allocation
-- patch: ? 
-- WD: "not addressed in 1.1.15"
-- action: prepare a post 1.1.15 patch

===============================================================================

CVE-2008-5243:

The real_parse_headers function in demux_real.c in xine-lib 1.1.12,
and other 1.1.15 and earlier versions, relies on an untrusted input
length value to "reindex into an allocated buffer," which allows
remote attackers to cause a denial of service (crash) via a crafted
value, probably an array index error.

Conclusions:
the real_parse_headers function in demux_real.c relies on an untrusted input length value to "reindex into an allocated buffer,"
-- patch: ?
-- WD: "not addressed in 1.1.15"
-- action: prepare a post 1.1.15 patch

===============================================================================

CVE-2008-5244:

Unspecified vulnerability in xine-lib before 1.1.15 has unknown impact
and attack vectors related to libfaad. NOTE: due to the lack of
details, it is not clear whether this is an issue in xine-lib or in
libfaad.

Conclusions:
We doesn't seem to ship src/libfaad/* and CVE description is too stingy on details. 

--action: doublecheck the presence of internal or external libfaad linkage against xine-lib and ignore if unaffected

===============================================================================

CVE-2008-5247:

The real_parse_audio_specific_data function in demux_real.c in
xine-lib 1.1.12, and other 1.1.15 and earlier versions, uses an
untrusted height (aka codec_data_length) value as a divisor, which
allow remote attackers to cause a denial of service (divide-by-zero
error and crash) via a zero value.

Conclusions:
The real_parse_audio_specific_data function in demux_real.c uses an untrusted height (aka codec_data_length)
-- patch: ?
-- WD: " [malloc failure check added in 1.1.15; some changes were made but
          overflows still seem likely due to sign issues with pos/fs]"
-- partial dupe of CVE-2008-5236 (2)
-- action: Check what's wrong with patch:
http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=1f961a5d8a7f

===============================================================================
Comment 1 Jan Lieskovsky 2008-11-29 14:51:30 UTC 
This one is duplicate of BZ#473234 - was filled in two times by mistake
due the Bugzilla service outage on 2008-11-27 (seems that filling bugs worked
well even when accessing them didn't).

*** This bug has been marked as a duplicate of bug 473234 ***