Xine is "a multimedia player which runs on multiple platforms". Remote exploitation of two buffer overflows in xine could allow execution of arbitrary code.
Credit:
The information has been provided by iDEFENSE.
The original article can be found at: http://www.idefense.com/application/poi/display?id=177&type=vulnerabilities and: http://www.idefense.com/application/poi/display?id=176&type=vulnerabilities
PNM Handler PNA_TAG:
The vulnerability specifically exists in the PNA_TAG handling code of the pnm_get_chunk() function. The function does not check whether the length of an input to be stored in a fixed-size buffer is larger than the buffer size.
Analysis:
Exploitation of this vulnerability allows execution of arbitrary code with the privileges of the targeted user.
In order to exploit this vulnerability, an attacker would have to convince the targeted user to open a connection to a malicious PNM server with xine, using a pnm://address/ URL. Depending on configuration options, this may be exploitable simply by clicking on a link, or it may require the user to launch the application, specifically requesting the malicious content.
Detection:
iDEFENSE Labs has confirmed the existence of this vulnerability in xine version 0.99.2. It is suspected that earlier versions of xine also contain this vulnerability.
This vulnerability also affects MPlayer prior to MPlayer 1.0pre5try2.
Vendor response:
xine-lib 1-rc8 was released to address this vulnerability and is available for download at: http://xinehq.de/index.php/releases
An xine patch for this vulnerability is available at: http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/pnm.c?r1=1.20&r2=1.21
An MPlayer patch for this vulnerability is available at: http://www.mplayerhq.hu/MPlayer/patches/pnm_fix_20041215.diff
CVE Information:
CAN-2004-1187
PNM Handler Negative Read Length:
The vulnerability specifically exists in the RMF_TAG, DATA_TAG, PROP_TAG, MDPR_TAG and CONT_TAG handling code of the pnm_get_chunk() function. These tags are all handled by the same code. The code does not perform correct checking on the chunk size before reading data in. If the size given is less than the PREAMBLE_SIZE, a negative length read is made into a fixed length buffer. Because the read length parameter is an unsigned value, the negative length is interpreted as a very large length, allowing a buffer overflow to occur.
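The following is an added, constructed model of the two length-handling defects described above (the unchecked PNA_TAG copy and the negative read length); it is not xine's or MPlayer's code, and PREAMBLE_SIZE, CHUNK_BUF_SIZE and the function names are assumptions. It shows how a chunk size below the preamble wraps to a huge unsigned read count, and the bounds check that rejects both that case and a payload larger than the fixed buffer.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the pnm_get_chunk() length handling described above.
 * PREAMBLE_SIZE and CHUNK_BUF_SIZE are assumed values, not xine's real constants. */
#define PREAMBLE_SIZE   8
#define CHUNK_BUF_SIZE 64

/* Read length the unchecked code derives: chunk_size - PREAMBLE_SIZE goes negative
 * for a short chunk and then wraps to a huge value when passed as an unsigned count. */
size_t unchecked_read_len(int chunk_size) {
    int len = chunk_size - PREAMBLE_SIZE;   /* negative when chunk_size < PREAMBLE_SIZE */
    return (size_t)len;                     /* e.g. -4 becomes SIZE_MAX - 3 */
}

/* Hardened derivation: reject sizes below the preamble (the negative-length case) and
 * payloads that would not fit the fixed buffer (the PNA_TAG overflow case).
 * Returns 0 and sets *out_len on success, -1 on rejection. */
int checked_read_len(int chunk_size, size_t buf_size, size_t *out_len) {
    if (chunk_size < PREAMBLE_SIZE)
        return -1;
    size_t len = (size_t)(chunk_size - PREAMBLE_SIZE);
    if (len > buf_size)
        return -1;
    *out_len = len;
    return 0;
}

/* Copy a chunk payload from an in-memory "stream" into a fixed buffer using the
 * checked length. Returns bytes copied, or -1 if the chunk header was rejected
 * or the stream is shorter than the declared length. */
long read_chunk_payload(const uint8_t *stream, size_t stream_len, int chunk_size,
                        uint8_t *buf, size_t buf_size) {
    size_t len;
    if (checked_read_len(chunk_size, buf_size, &len) != 0)
        return -1;
    if (len > stream_len)
        return -1;                          /* truncated stream: do not over-read */
    memcpy(buf, stream, len);
    return (long)len;
}

int main(void) {
    uint8_t stream[17] = "0123456789abcdef";   /* constructed payload bytes */
    uint8_t buf[CHUNK_BUF_SIZE];
    printf("chunk size 4: unchecked len %zu, checked result %ld\n",
           unchecked_read_len(4), read_chunk_payload(stream, 16, 4, buf, sizeof buf));
    return 0;
}
```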
Analysis:
Exploitation of this vulnerability allows execution of arbitrary code with the privileges of the targeted user.
In order to exploit this vulnerability, an attacker would have to convince the targeted user to open a connection to a malicious PNM server with xine, using a pnm://address/ URL. Depending on configuration options, this may be exploitable simply by clicking on a link, or it may require the user to launch the application, specifically requesting the malicious content.
Detection:
iDEFENSE Labs has confirmed the existence of this vulnerability in xine version 0.99.2. It is suspected that earlier versions of xine also contain this vulnerability.
This vulnerability also affects MPlayer prior to MPlayer 1.0pre5try2.
Vendor response:
xine-lib 1-rc8 was released to address this vulnerability and is available for download at: http://xinehq.de/index.php/releases
An xine patch for this vulnerability is available at: http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/pnm.c?r1=1.20&r2=1.21
An MPlayer patch for this vulnerability is available at: http://www.mplayerhq.hu/MPlayer/patches/pnm_fix_20041215.diff
CVE Information:
CAN-2004-1188