Guido Landi reported following xine-lib issue to Full-Disclosure mailing list: xine-lib <= 1.1.12 is prone to a stack-based buffer overflow in the NES Sound Format demuxer(demux_nsf.c). - Code open_nsf_file(): 109: this->title = strdup(&header[0x0E]); demux_nsf_send_chunk(): 122: char title[100]; 162: sprintf(title, "%s, song %d/%d", this->title, this->current_song, this->total_songs); - Affected applications http://xinehq.de/index.php/releases - PoC perl -e 'print "\x4E\x45\x53\x4D\x1A\x01\x01\x01\x80\x80\x18\x8A\x03\x8A" . "\x41" x 114' > evil.mp3 Reference: http://marc.info/?l=full-disclosure&m=120839374812553&w=4 Does not seem to be fixed upstream yet. Overflow is caught by stack protector.
Created attachment 302736 [details] Reporter's PoC
Exploit is now also on milw0rm: http://milw0rm.com/exploits/5458
Upstream patches: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=d0ced21e0cf2;style=gitweb http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=2d5efbbeb882;style=gitweb Secunia advisory ChangeLog message refers to: http://secunia.com/advisories/29850
xine-lib-1.1.11.1-1.fc7.2 has been submitted as an update for Fedora 7
xine-lib-1.1.12-2.fc8 has been submitted as an update for Fedora 8
Another issue was reported as affecting nsf demuxer, however, it was disputed as invalid shortly. CVE id CVE-2008-1964 was assigned anyway: CVE-2008-1964 ** DISPUTED ** Stack-based buffer overflow in the demux_nsf_send_headers function in src/demuxers/demux_nsf.c in xine-lib allows remote attackers to have an unknown impact via a long copyright field in an NSF header in an NES Sound file, a different issue than CVE-2008-1878. NOTE: a third party claims that the copyright field always has a safe length. References: http://www.securityfocus.com/archive/1/archive/1/491274/100/0/threaded http://www.securityfocus.com/archive/1/archive/1/491248/100/0/threaded http://www.securityfocus.com/bid/28908 xine-lib-1.1.12-CVE-2008-1878.patch applied to Fedora packages adds more explicit limits on copyright field length.
xine-lib-1.1.11.1-1.fc7.2 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
xine-lib-1.1.12-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: Fedora: https://admin.fedoraproject.org/updates/F7/FEDORA-2008-3326 https://admin.fedoraproject.org/updates/F8/FEDORA-2008-3353