A stack buffer overflow vulnerability in the AIFF demultiplexer has been found by Ariel Berkman and was reported to the xine team by D. J. Bernstein. This can be used for an exploit, leading to attacker-chosen code being executed with the permissions of the user running a xine-lib based media application.
Vulnerable Systems:
* All xine version 1-alpha releases
* All xine version 1-beta releases
* All xine version 1-rc releases
Immune Systems:
* All xine version releases older than 1-alpha0
* xine version 1.0 or newer
AIFF is a file format supported by the xine-lib media library. During opening and header parsing of an AIFF file, data of arbitrary length is read into an unprotected stack buffer. This can lead to a stack overflow, which can be used to the execution of attacker-chosen code. An attacker can craft a malicious AIFF file and trick the user into playing it. Since AIFF files can also be provided through network streaming, this can be as easy as publishing a link on a website. It should also be noted that due to xine-lib's way of detecting file formats by querying each available demultiplexer in turn, this problem is not limited to AIFF files. The vulnerable code in the AIFF demultiplexer will also be executed on non-AIFF files.
Severity:
Since the involved xine plugin is part of the standard xine installation and the vulnerability can be used directly to write attacker-chosen code on the stack, we consider this problem to be critical.
Solution:
The enclosed patch which has been applied to xine-lib CVS fixes the problem but should only be used by distributors who do not want to upgrade. Otherwise, we strongly advise everyone to upgrade to the 1.0 release of xine-lib. As a temporary workaround, you may delete the file "xineplug_dmx_audio.so" for xine-lib versions starting with and including 1-beta3 or "xineplug_dmx_aiff.so" for xine-lib versions older than 1-beta3 from the xine-lib plugin directory, losing the ability to play AIFF files.
