Will Drewry (WD) has reported multiple security flaws present in the Xine multimedia library (NOTE: mentioning only issues that were not addressed in the latest upstream 1.1.15 version of the xine-lib library).

References (for a more detailed analysis of each issue below proceed to the following post):
http://www.ocert.org/analysis/2008-008/analysis.txt

================================================================================
CVE-2008-5235: Heap-based buffer overflow in the demux_real_send_chunk function in src/demuxers/demux_real.c in xine-lib before 1.1.15 allows remote attackers to execute arbitrary code via a crafted Real Media file. NOTE: some of these details are obtained from third party information.

Conclusion: demux_real_send_chunk function in src/demuxers/demux_real.c
-- patch: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=1f961a5d8a7f
-- result: partially fixed in 1.1.15, fix is incomplete, see CVE-2008-5236 (2)
-- action: check why the above patch is incomplete

================================================================================
CVE-2008-5236: Multiple heap-based buffer overflows in xine-lib 1.1.12, and other 1.1.15 and earlier versions, allow remote attackers to execute arbitrary code via vectors related to (1) a crafted EBML element length processed by the parse_block_group function in demux_matroska.c; (2) a certain combination of sps, w, and h values processed by the real_parse_audio_specific_data and demux_real_send_chunk functions in demux_real.c; and (3) an unspecified combination of three values processed by the open_ra_file function in demux_realaudio.c. NOTE: vector 2 reportedly exists because of an incomplete fix in 1.1.15.

Conclusion:
a, parse_group_block in demux_matroska.c:
-- patch: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=a0830dddbd35
-- WD: "probably not fixed in 1.1.15; len changed to size_t but -1 will still match 0xffffffff when leaving read. fix not confirmed."
-- action: fix the patch to address the "-1" case too
b, parse_audio_specific_data, demux_real_send_chunk in demux_real.c:
-- result: incomplete fix for CVE-2008-5235
-- patch: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=1f961a5d8a7f
-- action: check what the above patch is missing
c, open_ra_file in demux_realaudio.c:
-- patch: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=a0830dddbd35
-- WD: "1.1.15 changes frame_size to a size_t but doesn't appear to fix the numeric overflow"
-- action: prepare a post 1.1.15 patch to address the numeric overflow

===============================================================================
CVE-2008-5237: Multiple integer overflows in xine-lib 1.1.12, and other 1.1.15 and earlier versions, allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via (1) crafted width and height values that are not validated by the mymng_process_header function in demux_mng.c before use in an allocation calculation or (2) crafted current_atom_size and string_size values processed by the parse_reference_atom function in demux_qt.c.

Conclusion:
a, mymng_process_header
-- patch: ?
-- result: partially fixed in 1.1.15
-- WD: "missing malloc failure check fixed in 1.1.15"
-- in patch: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=35f09930323e46c92e521846b9ccdfd5e277ad16
-- action: see the issue description in the above analysis.txt and prepare a post 1.1.15 patch
b, parse_reference_atom in demux_qt.c
-- patch: ?
-- result: need a patch
-- WD: "not addressed in 1.1.15"
-- action: prepare a post 1.1.15 patch

===============================================================================
CVE-2008-5239: xine-lib 1.1.12, and other 1.1.15 and earlier versions, does not properly handle (a) negative and (b) zero values during unspecified read function calls in input_file.c, input_net.c, input_smb.c, and input_http.c, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via vectors such as (1) a file or (2) an HTTP response, which triggers consequences such as out-of-bounds reads and heap-based buffer overflows.

Conclusion: improper handling of (a) negative and (b) zero values during unspecified read function calls in input_file.c, input_net.c, input_smb.c
-- patch: ?
-- WD: "not directly addressed in 1.1.15"
-- action: prepare a post 1.1.15 patch

===============================================================================
CVE-2008-5240: xine-lib 1.1.12, and other 1.1.15 and earlier versions, relies on an untrusted input value to determine the memory allocation and does not check the result for (1) the MATROSKA_ID_TR_CODECPRIVATE track entry element processed by demux_matroska.c; and (2) PROP_TAG, (3) MDPR_TAG, and (4) CONT_TAG chunks processed by the real_parse_headers function in demux_real.c; which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) or possibly execute arbitrary code via a crafted value.

Conclusions:
(1) the MATROSKA_ID_TR_CODECPRIVATE track entry element processed by demux_matroska.c
-- patch: ?
-- WD: "not directly addressed in 1.1.15"
-- action: prepare a post 1.1.15 patch
(2) PROP_TAG, (3) MDPR_TAG, and (4) CONT_TAG chunks processed by the real_parse_headers function in demux_real.c
-- patch: ?
-- WD: "not addressed in 1.1.15"
-- action: prepare a post 1.1.15 patch

===============================================================================
CVE-2008-5241: Integer underflow in demux_qt.c in xine-lib 1.1.12, and other 1.1.15 and earlier versions, allows remote attackers to cause a denial of service (crash) via a crafted media file that results in a small value of moov_atom_size in a compressed MOV (aka CMOV_ATOM).

Conclusions: Integer underflow in demux_qt.c via a crafted media file that results in a small value of moov_atom_size in a compressed MOV (aka CMOV_ATOM)
-- patch: ?
-- WD: "not addressed in 1.1.15"
-- action: prepare a post 1.1.15 patch

===============================================================================
CVE-2008-5242: demux_qt.c in xine-lib 1.1.12, and other 1.1.15 and earlier versions, does not validate the count field before calling calloc for STSD_ATOM atom allocation, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted media file.

Conclusions: demux_qt.c does not validate the count field before calling calloc for STSD_ATOM atom allocation
-- patch: ?
-- WD: "not addressed in 1.1.15"
-- action: prepare a post 1.1.15 patch

===============================================================================
CVE-2008-5243: The real_parse_headers function in demux_real.c in xine-lib 1.1.12, and other 1.1.15 and earlier versions, relies on an untrusted input length value to "reindex into an allocated buffer," which allows remote attackers to cause a denial of service (crash) via a crafted value, probably an array index error.

Conclusions: the real_parse_headers function in demux_real.c relies on an untrusted input length value to "reindex into an allocated buffer"
-- patch: ?
-- WD: "not addressed in 1.1.15"
-- action: prepare a post 1.1.15 patch

===============================================================================
CVE-2008-5244: Unspecified vulnerability in xine-lib before 1.1.15 has unknown impact and attack vectors related to libfaad. NOTE: due to the lack of details, it is not clear whether this is an issue in xine-lib or in libfaad.

Conclusions: We don't seem to ship src/libfaad/* and the CVE description is too stingy on details.
-- action: double-check the presence of internal or external libfaad linkage against xine-lib and ignore if unaffected

===============================================================================
CVE-2008-5247: The real_parse_audio_specific_data function in demux_real.c in xine-lib 1.1.12, and other 1.1.15 and earlier versions, uses an untrusted height (aka codec_data_length) value as a divisor, which allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a zero value.

Conclusions: The real_parse_audio_specific_data function in demux_real.c uses an untrusted height (aka codec_data_length)
-- patch: ?
-- WD: "[malloc failure check added in 1.1.15; some changes were made but overflows still seem likely due to sign issues with pos/fs]"
-- partial dupe of CVE-2008-5236 (2)
-- action: check what's wrong with patch: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=1f961a5d8a7f
===============================================================================
These issues affect all versions of the xine-lib package as shipped with Fedora releases 9, 10 and devel. These issues may also partly affect other packages (such as gxine, oxine and xine-plugin) which rely on functionality provided by the xine-lib package.
Adding also a list of new CVE ids reported against xine-lib which have already been fixed in the 1.1.15 upstream release of xine (just for completeness):

CVE-2008-5233 = FIXED
xine-lib does not check for failure of malloc in circumstances including
(1) the mymng_process_header function in demux_mng.c,
-- patch: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=35f09930323e46c92e521846b9ccdfd5e277ad16;style=gitweb
-- result: fixed in 1.1.15
(2) the open_mod_file function in demux_mod.c, and
-- patch: the same as above
-- result: fixed in 1.1.15
(3) frame_buffer allocation in the real_parse_audio_specific_data function in demux_real.c
-- patch: the same as above
-- result: fixed in 1.1.15
-------------------------------------------------------------------------------
CVE-2008-5234 = FIXED
Multiple heap-based buffer overflows via vectors related to
(1) a crafted metadata atom size processed by the parse_moov_atom function in demux_qt.c and
-- patch: ?
-- WD: "fixed in 1.1.15"
(2) frame reading in the id3v23_interp_frame function in id3.c (partial dupe of CVE-2008-5246)
-- patch: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=268c1c1639d7
-- result: fixed in 1.1.15
-------------------------------------------------------------------------------
CVE-2008-5238 = FIXED
real_parse_mdpr function in demux_real.c:
-- patch: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=a0830dddbd35;style=gitweb
-- result: fixed in 1.1.15
-- WD: "fixed in 1.1.15. stream_name_size is now size_t"
-------------------------------------------------------------------------------
CVE-2008-5245 = FIXED
Buffer overflow in the open_video_capture_device function in src/input/input_v4l.c.
-- patch: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=d48b28d89d229458b2068e047f00cc56de4f4c2f;style=gitweb
-- result: fixed in 1.1.15
-------------------------------------------------------------------------------
CVE-2008-5246 = FIXED
Multiple heap-based buffer overflows via vectors that send ID3 data to the (1) id3v22_interp_frame and (2) id3v24_interp_frame functions
-- patch: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=268c1c1639d7
-- result: fixed in 1.1.15
-------------------------------------------------------------------------------
CVE-2008-5248 = FIXED
xine-lib DoS (crash) via "MP3 files with metadata consisting only of separators."
-- patch:
   Changelog change - http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=803b99d8a4b8f0ff7cf5f617a8f7e648780fefe8;style=gitweb
   Real fix - http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=60ab5d2bdd82f00b10205f816a545337c9363134;style=gitweb
-- result: fixed in 1.1.15
-------------------------------------------------------------------------------
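Two patterns recur across the CVEs tracked above: an untrusted count or size taken straight from the container and handed to calloc/malloc without a bound or overflow check (CVE-2008-5237, CVE-2008-5240, CVE-2008-5242), and a read result stored as an unsigned length so that -1 and 0 are treated as valid sizes (CVE-2008-5239 and WD's "-1 will still match 0xffffffff" remark on CVE-2008-5236). The following C is an added illustration of the hardened form of both, not xine-lib code and not any of the referenced patches; all names (alloc_atom_table, fake_input_t, read_exact, MAX_ENTRIES) are hypothetical and the input source is a constructed in-memory stand-in for an input plug-in.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical upper bound for a sample-description table; a real demuxer
 * would derive it from the atom's own declared size. */
#define MAX_ENTRIES 4096

typedef struct { uint32_t size; uint32_t type; } atom_entry_t;

/* Bounded allocation from an untrusted 32-bit count (cf. the STSD_ATOM
 * calloc). Returns NULL for zero, for counts above the bound, and for
 * counts whose byte size would wrap; the caller must still test for NULL
 * because calloc itself can fail. */
atom_entry_t *alloc_atom_table(uint32_t count) {
  if (count == 0 || count > MAX_ENTRIES) return NULL;
  if (count > SIZE_MAX / sizeof(atom_entry_t)) return NULL;  /* overflow guard */
  return calloc(count, sizeof(atom_entry_t));
}

/* Constructed stand-in for an input plug-in: like the real read functions
 * it returns -1 on error and 0 at end of stream, a byte count otherwise. */
typedef struct { const uint8_t *data; size_t len, pos; int fail; } fake_input_t;

static long fake_read(fake_input_t *in, uint8_t *buf, size_t want) {
  if (in->fail) return -1;
  size_t avail = in->len - in->pos;
  if (avail == 0) return 0;
  size_t n = want < avail ? want : avail;
  memcpy(buf, in->data + in->pos, n);
  in->pos += n;
  return (long)n;
}

/* Hardened read. The weak pattern assigns the read result to a size_t, so
 * -1 turns into a huge length that later indexes or copies past the
 * buffer; widening the variable to size_t alone does not change that.
 * Here the result stays signed and anything that is not exactly the
 * requested length is rejected before it is ever used as a size.
 * Returns 1 on success, 0 on any error, EOF or short read. */
int read_exact(fake_input_t *in, uint8_t *buf, size_t want) {
  if (want == 0 || want > 0x7fffffff) return 0;  /* never ask for a "length" that cannot be validated */
  long got = fake_read(in, buf, want);
  if (got <= 0) return 0;                        /* -1 (error) and 0 (EOF) are not lengths */
  return (size_t)got == want;                    /* short read is a failure, not a smaller length */
}
```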
Is upstream aware of this analysis yet? They don't seem to have patches available yet for any of these issues.
*** Bug 473230 has been marked as a duplicate of this bug. ***
(In reply to comment #3)
> Is upstream aware of this analysis yet? They don't seem to have patches
> available yet for any of these issues.

Upstream is aware and they are planning to release a new version, probably soon:
http://www.openwall.com/lists/oss-security/2008/11/27/1
CVE-2008-5234 = demux_qt.c not fixed
Multiple heap-based buffer overflows via vectors related to (1) a crafted metadata atom size processed by the parse_moov_atom function in demux_qt.c and
-- patch: ?
-- WD: "fixed in 1.1.15"

demux_qt.c issue still not fixed in 1.1.15 (<=F10):
Patch: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=fix-for-ocert-2008-008-1a.diff;att=1;bug=507165
A bunch of these issues are fixed in 1.1.16:
http://sourceforge.net/project/shownotes.php?release_id=652075&group_id=9655
Yeah, we have updates submitted already:
https://admin.fedoraproject.org/updates/xine-lib-1.1.16-1.fc10
https://admin.fedoraproject.org/updates/xine-lib-1.1.16-1.fc9.1
but not queued for anywhere yet. Can you or some other security team member please have a look, add Bugzilla references where appropriate and then make sure the stuff gets pushed out?
My main question is: should this bug be used as the tracker? Should there be another one?
Yes, I've seen those update requests. I didn't want to add this bug to those requests, as all the CVEs in the summary would then make it to announcement mails sent by bodhi, which may cause confusion elsewhere. I did not have time to go through all the CVEs to see if all issues are addressed now in 1.1.16. This bug makes it a bit hard to follow by listing all the "fixed in 1.1.15" issues too.
Well, I'll just push them as is then.
CVE-2008-5239 and CVE-2008-5240 were fixed in 1.1.16.1:
http://sourceforge.net/project/shownotes.php?release_id=653149
and further fixed in 1.1.16.2:
http://sourceforge.net/project/shownotes.php?release_id=660071

So CVE-2008-5235, CVE-2008-5241, CVE-2008-5242, CVE-2008-5244, and CVE-2008-5247 are not noted as fixed anywhere.

This entry might be CVE-2008-5241 and CVE-2008-5242:
- Avoid underflow (compressed atoms) in the Qt demuxer.

Sounds like CVE-2008-5244 doesn't affect us (no libfaad support).

CVE-2008-5235 and CVE-2008-5247 may have been fixed together with the fix for CVE-2008-5236 (they all seem related and upstream may not have singled them out).

Additional fixes noted as security fixes in 1.1.16 that do not have CVE names noted:
- Integer overflows in the ffmpeg audio decoder and the CDDA server.
- Heap buffer overflow in the ffmpeg video decoder.
- Avoid segfault on invalid track type in Matroska files.

The question now is... these are two years old. We have 1.19 in Fedora 14 now (1.1.16 is in EPEL5 and 1.1.18 in Fedora 13). Do we want to pursue these to ensure they are fixed or assume/hope upstream has addressed them? I have not gone digging through any code to verify the existence of patches, etc. as I don't have the time to do so. Does anyone plan or care to look into these further? If not, we should close this bug.

I've looked in the 1.1.19 Changelog file and those four CVEs are not noted anywhere.