Bug 473234 (CVE-2008-5235)

Summary: xine-lib: various flaws (CVE-2008-5234 CVE-2008-5235 CVE-2008-5236 CVE-2008-5237 CVE-2008-5239 CVE-2008-5240 CVE-2008-5241 CVE-2008-5242 CVE-2008-5243 CVE-2008-5244 CVE-2008-5247)
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: gauret, kevin
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-19 09:06:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Lieskovsky 2008-11-27 10:03:59 UTC 
Will Drewry (WD) has reported multiple security flaws present in the Xine multimedia library (NOTE: mentioning only issues that were not addressed in latest upstream 1.1.15 version of the xine-lib library).

References (for more detailed analysis of each issue below proceed to the
following post):
http://www.ocert.org/analysis/2008-008/analysis.txt

================================================================================

CVE-2008-5235:

Heap-based buffer overflow in the demux_real_send_chunk function in
src/demuxers/demux_real.c in xine-lib before 1.1.15 allows remote
attackers to execute arbitrary code via a crafted Real Media file.
NOTE: some of these details are obtained from third party information.

Conclusion: 
demux_real_send_chunk function in src/demuxers/demux_real.c
-- patch: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=1f961a5d8a7f
-- result: partially fixed in 1.1.15, fix is incomplete, see CVE-2008-5236 (2)
-- action: Check why the above patch is incomplete

================================================================================

CVE-2008-5236:

Multiple heap-based buffer overflows in xine-lib 1.1.12, and other
1.1.15 and earlier versions, allow remote attackers to execute
arbitrary code via vectors related to (1) a crafted EBML element
length processed by the parse_block_group function in
demux_matroska.c; (2) a certain combination of sps, w, and h values
processed by the real_parse_audio_specific_data and
demux_real_send_chunk functions in demux_real.c; and (3) an
unspecified combination of three values processed by the open_ra_file
function in demux_realaudio.c. NOTE: vector 2 reportedly exists
because of an incomplete fix in 1.1.15.

Conclusion: 
a, parse_group_block in demux_matroska.c:
-- patch: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=a0830dddbd35
-- WD: "probably not fixed in 1.1.15; len changed to size_t but -1 will
     still match 0xffffffff when leaving read. fix not confirmed."
-- action: fix the patch to address the "-1" case too

b, parse_audio_specific_data, demux_real_send_chunk in demux_real.c:
-- result: incomplete fix for CVE-2008-5235
-- patch: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=1f961a5d8a7f
-- action: check, what's the above patch missing

c, open_ra_file in demux_realaudio.c:
-- patch: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=a0830dddbd35
-- WD: "1.1.15 changes frame_size to a size_t but doesn't appear to fix
     the numeric overflow"
-- action: prepare a post 1.1.15 patch to address the numeric overflow

===============================================================================

CVE-2008-5237:

Multiple integer overflows in xine-lib 1.1.12, and other 1.1.15 and
earlier versions, allow remote attackers to cause a denial of service
(crash) or possibly execute arbitrary code via (1) crafted width and
height values that are not validated by the mymng_process_header
function in demux_mng.c before use in an allocation calculation or (2)
crafted current_atom_size and string_size values processed by the
parse_reference_atom function in demux_qt.c.

Conclusion:
a, mymng_process_header
-- patch: ?
-- result: partially fixed in 1.1.15
-- WD: "missing malloc failure check fixed in 1.1.15" -- in patch:
            http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=35f09930323e46c92e521846b9ccdfd5e277ad16

-- action: see the issue description in above analysis.txt and prepare patch
           post 1.1.15 patch
        
b, parse_reference_atom  in demux_qt.c
-- patch: ?
-- result: need a patch
-- WD: "not addressed in 1.1.15"
-- action: prepare a post 1.1.15 patch

===============================================================================

CVE-2008-5239:

xine-lib 1.1.12, and other 1.1.15 and earlier versions, does not
properly handle (a) negative and (b) zero values during unspecified
read function calls in input_file.c, input_net.c, input_smb.c, and
input_http.c, which allows remote attackers to cause a denial of
service (crash) or possibly execute arbitrary code via vectors such as
(1) a file or (2) an HTTP response, which triggers consequences such
as out-of-bounds reads and heap-based buffer overflows.

Conclusion:

improper handling (a) negative and (b) zero values during unspecified read function calls in input_file.c, input_net.c, input_smb.c 
-- patch: ?
-- WD: "not directly addressed in 1.1.15"
--action: prepare a post 1.1.15 patch

===============================================================================

CVE-2008:5240:

xine-lib 1.1.12, and other 1.1.15 and earlier versions, relies on an
untrusted input value to determine the memory allocation and does not
check the result for (1) the MATROSKA_ID_TR_CODECPRIVATE track entry
element processed by demux_matroska.c; and (2) PROP_TAG, (3) MDPR_TAG,
and (4) CONT_TAG chunks processed by the real_parse_headers function
in demux_real.c; which allows remote attackers to cause a denial of
service (NULL pointer dereference and crash) or possibly execute
arbitrary code via a crafted value.

Conclusions:
(1) the MATROSKA_ID_TR_CODECPRIVATE track entry element processed by demux_matroska.c
-- patch: ?
-- WD: "not directly addressed in 1.1.15"
-- action: prepare a post 1.1.15 patch

(2) PROP_TAG, (3) MDPR_TAG, and (4) CONT_TAG chunks processed by the real_parse_headers function in demux_real.c
-- patch: ?
-- WD: "not addressed in 1.1.15"
-- action: prepare a post 1.1.15 patch

===============================================================================

CVE-2008-5241:

Integer underflow in demux_qt.c in xine-lib 1.1.12, and other 1.1.15
and earlier versions, allows remote attackers to cause a denial of
service (crash) via a crafted media file that results in a small value
of moov_atom_size in a compressed MOV (aka CMOV_ATOM).

Conclusions:
Integer underflow in demux_qt.c via a crafted media file that results in a small value of moov_atom_size in a compressed MOV (aka CMOV_ATOM)
-- patch: ?
-- WD: "not addressed in 1.1.15"
-- action: prepare a post 1.1.15 patch

===============================================================================

CVE-2008-5242:

demux_qt.c in xine-lib 1.1.12, and other 1.1.15 and earlier versions,
does not validate the count field before calling calloc for STSD_ATOM
atom allocation, which allows remote attackers to cause a denial of
service (crash) or possibly execute arbitrary code via a crafted media
file.

Conclusions:
demux_qt.c does not validate the count field before calling calloc for STSD_ATOM atom allocation
-- patch: ? 
-- WD: "not addressed in 1.1.15"
-- action: prepare a post 1.1.15 patch

===============================================================================

CVE-2008-5243:

The real_parse_headers function in demux_real.c in xine-lib 1.1.12,
and other 1.1.15 and earlier versions, relies on an untrusted input
length value to "reindex into an allocated buffer," which allows
remote attackers to cause a denial of service (crash) via a crafted
value, probably an array index error.

Conclusions:
the real_parse_headers function in demux_real.c relies on an untrusted input length value to "reindex into an allocated buffer,"
-- patch: ?
-- WD: "not addressed in 1.1.15"
-- action: prepare a post 1.1.15 patch

===============================================================================

CVE-2008-5244:

Unspecified vulnerability in xine-lib before 1.1.15 has unknown impact
and attack vectors related to libfaad. NOTE: due to the lack of
details, it is not clear whether this is an issue in xine-lib or in
libfaad.

Conclusions:
We doesn't seem to ship src/libfaad/* and CVE description is too stingy on details. 

--action: doublecheck the presence of internal or external libfaad linkage against xine-lib and ignore if unaffected

===============================================================================

CVE-2008-5247:

The real_parse_audio_specific_data function in demux_real.c in
xine-lib 1.1.12, and other 1.1.15 and earlier versions, uses an
untrusted height (aka codec_data_length) value as a divisor, which
allow remote attackers to cause a denial of service (divide-by-zero
error and crash) via a zero value.

Conclusions:
The real_parse_audio_specific_data function in demux_real.c uses an untrusted height (aka codec_data_length)
-- patch: ?
-- WD: " [malloc failure check added in 1.1.15; some changes were made but
          overflows still seem likely due to sign issues with pos/fs]"
-- partial dupe of CVE-2008-5236 (2)
-- action: Check what's wrong with patch:
http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=1f961a5d8a7f

===============================================================================
Comment 1 Jan Lieskovsky 2008-11-27 10:10:40 UTC 
These issues affects all versions of the xine-lib package as shipped
with Fedora releases of 9, 10 and devel. 

These issues may also partly affect other packages (such as gxine, oxine
and xine-plugin), which rely on functionality provided by the xine-lib
package.
Comment 2 Jan Lieskovsky 2008-11-27 11:15:25 UTC 
Adding also list of new CVE ids reported against xine-lib, which has been
already fixed in the 1.1.15 upstream release of xine (just for completeness):

CVE-2008-5233 = FIXED
  xine-lib does not check for failure of malloc in circumstances including
  (1) the mymng_process_header function in demux_mng.c,
    -- patch: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=35f09930323e46c92e521846b9ccdfd5e277ad16;style=gitweb
    -- result: fixed in 1.1.15
  (2) the open_mod_file function in demux_mod.c, and
    -- patch: the same as above
    -- result: fixed in 1.1.15
  (3) frame_buffer allocation in the real_parse_audio_specific_data function in demux_real.c  
    -- patch: the same as above
    -- result: fixed in 1.1.15

-------------------------------------------------------------------------------

CVE-2008-5234 = FIXED
  Multiple heap-based buffer overflows via vectors related to
  (1) a crafted metadata atom size processed by the parse_moov_atom function in demux_qt.c and
   -- patch: ?
   -- WD: "fixed in 1.1.15"
  (2) frame reading in the id3v23_interp_frame function in id3.c. (partial dupe of CVE-2008-5246)
   -- patch: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=268c1c1639d7
   -- fixed in 1.1.15

-------------------------------------------------------------------------------

CVE-2008-5238 = FIXED
  real_parse_mdpr function in demux_real.c:
     -- patch: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=a0830dddbd35;style=gitweb
     -- result: fixed in 1.1.15
     -- WD: "fixed in 1.1.15.  stream_name_size is now size_t"

-------------------------------------------------------------------------------

CVE-2008-5245 = FIXED
  to a buffer overflow in the open_video_capture_device function in src/input/input_v4l.c.
  -- patch: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=d48b28d89d229458b2068e047f00cc56de4f4c2f;style=gitweb
  -- fixed in 1.1.15

-------------------------------------------------------------------------------

CVE-2008-5246 = FIXED
  Multiple heap-based buffer overflows via vectors that send ID3 data to the (1) id3v22_interp_frame and (2) id3v24_interp_frame
  -- patch: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=268c1c1639d7
  -- fixed in 1.1.15

-------------------------------------------------------------------------------

CVE-2008-5248 = FIXED
  xine-lib Dos (crash) via "MP3 files with metadata consisting only of separators.
  -- patch: Changelog change - http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=803b99d8a4b8f0ff7cf5f617a8f7e648780fefe8;style=gitweb
            Real fix: - http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=60ab5d2bdd82f00b10205f816a545337c9363134;style=gitweb
  -- fixed in 1.1.15

-------------------------------------------------------------------------------
Comment 3 Kevin Kofler 2008-11-27 11:34:44 UTC 
Is upstream aware of this analysis yet? They don't seem to have patches available yet for any of these issues.
Comment 4 Jan Lieskovsky 2008-11-29 14:51:30 UTC 
*** Bug 473230 has been marked as a duplicate of this bug. ***
Comment 5 Tomas Hoger 2008-12-01 08:50:12 UTC 
(In reply to comment #3)
> Is upstream aware of this analysis yet? They don't seem to have patches
> available yet for any of these issues.

Upstream is aware and they are planning to release new version, probably soon:
  http://www.openwall.com/lists/oss-security/2008/11/27/1
Comment 6 Jan Lieskovsky 2008-12-10 12:18:32 UTC 
CVE-2008-5234 = demux_qt.c not fixed
  Multiple heap-based buffer overflows via vectors related to
  (1) a crafted metadata atom size processed by the parse_moov_atom function in
      demux_qt.c and 
   -- patch: ?
   -- WD: "fixed in 1.1.15"

demux-qt.issue still not fixed in 1.1.15 (<=F10):
Patch: 
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=fix-for-ocert-2008-008-1a.diff;att=1;bug=507165
Comment 7 Tomas Hoger 2009-01-09 08:31:20 UTC 
Bunch of these issues fixed in 1.1.16:
http://sourceforge.net/project/shownotes.php?release_id=652075&group_id=9655
Comment 8 Kevin Kofler 2009-01-09 08:36:41 UTC 
Yeah, we have updates submitted already:
https://admin.fedoraproject.org/updates/xine-lib-1.1.16-1.fc10
https://admin.fedoraproject.org/updates/xine-lib-1.1.16-1.fc9.1
but not queued for anywhere yet. Can you or some other security team member please have a look, add Bugzilla references where appropriate and then make sure the stuff gets pushed out?
Comment 9 Kevin Kofler 2009-01-09 08:39:29 UTC 
My main question is: should this bug be used as the tracker? Should there be another one?
Comment 10 Tomas Hoger 2009-01-09 16:34:42 UTC 
Yes, I've seen those update requests.  I didn't want to add this bug to those requests, as all the CVEs in the summary would then make it to announcement mails sent by bodhi, that may cause confusion elsewhere.  I did not have time to go through all the CVEs to see if all issues are addressed now in 1.1.16.  This bug makes it bit hard to follow by listing all the "fixed in 1.1.15" issues too.
Comment 11 Kevin Kofler 2009-01-09 16:48:54 UTC 
Well, I'll just push them as is then.
Comment 12 Vincent Danen 2010-12-24 02:37:52 UTC 
CVE-2008-5239 and CVE-2008-5240 were fixed in 1.1.16.1:

http://sourceforge.net/project/shownotes.php?release_id=653149

and further fixed in 1.1.16.2:

http://sourceforge.net/project/shownotes.php?release_id=660071

So CVE-2008-5235, CVE-2008-5241, CVE-2008-5242, CVE-2008-5244, and CVE-2008-5247 are not noted as fixed anywhere.

This entry might be CVE-2008-5241 and CVE-2008-5242:

- Avoid underflow (compressed atoms) in the Qt demuxer.

Sounds like CVE-2008-5244 doesn't affect us (no libfaab support)

CVE-2008-5235 and CVE-2008-5247 may have been fixed together with the fix for CVE-2008-5236 (they all seem related and upstream may not have singled them out).

Additional fixes noted as security fixes in 1.1.16 that do not have CVE names noted:

- Integer overflows in the ffmpeg audio decoder and the CDDA server.
- Heap buffer overflow in the ffmpeg video decoder.
- Avoid segfault on invalid track type in Matroska files.

The question now is... these are two years old.  We have 1.19 in Fedora 14 now (1.1.16 is in EPEL5 and 1.1.18 in Fedora 13).  Do we want to pursue these to ensure they are fixed or assume/hope upstream has addressed them?

I have not gone digging through any code to verify the existence of patches, etc. as I don't have the time to do so.  Does anyone plan or care to look into these further?  If not, we should close this bug.

I've looked in the 1.1.19 Changelog file and those four CVEs are not noted anywhere.