Array index vulnerability in libmpdemux/demux_audio.c in MPlayer 1.0rc2 and SVN before r25917, and possibly earlier versions, as used in Xine-lib 1.1.10, might allow remote attackers to execute arbitrary code via a crafted FLAC tag, which triggers a buffer overflow.

Heap-based buffer overflow in the rmff_dump_cont function in input/libreal/rmff.c in xine-lib 1.1.9 and earlier allows remote attackers to execute arbitrary code via the SDP Abstract attribute, related to the rmff_dump_header function and related to disregarding the max field. Although originally a xine-lib issue, also affects MPlayer due to code similarity. (CVE-2008-0225)

Multiple heap-based buffer overflows in the rmff_dump_cont function in input/libreal/rmff.c in xine-lib 1.1.9 allow remote attackers to execute arbitrary code via the SDP (1) Title, (2) Author, or (3) Copyright attribute, related to the rmff_dump_header function, different vectors than CVE-2008-0225. Although originally a xine-lib issue, also affects MPlayer due to code similarity. (CVE-2008-0238)

Array index error in libmpdemux/demux_mov.c in MPlayer 1.0 rc2 and earlier might allow remote attackers to execute arbitrary code via a QuickTime MOV file with a crafted stsc atom tag. (CVE-2008-0485)

Array index vulnerability in libmpdemux/demux_audio.c in MPlayer 1.0rc2 and SVN before r25917, and possibly earlier versions, as used in Xine-lib 1.1.10, might allow remote attackers to execute arbitrary code via a crafted FLAC tag, which triggers a buffer overflow.
(CVE-2008-0486)

Buffer overflow in stream_cddb.c in MPlayer 1.0rc2 and SVN before r25824 allows remote user-assisted attackers to execute arbitrary code via a CDDB database entry containing a long album title.
(CVE-2008-0629)

Buffer overflow in url.c in MPlayer 1.0rc2 and SVN before r25823 allows remote attackers to execute arbitrary code via a crafted URL that prevents the IPv6 parsing code from setting a pointer to NULL, which causes the buffer to be reused by the unescape code.
(CVE-2008-0630)

The updated packages have been patched to prevent these issues.

An array index vulnerability found in the FLAC audio demuxer might allow remote attackers to execute arbitrary code via a crafted FLAC tag, which triggers a buffer overflow. Although originally an MPlayer issue, it also affects xine-lib due to code similarity.

The updated packages have been patched to prevent this issue.

Update :

The previous update used a bad patch which made Amarok interface very unresponsive while playing FLAC files. This new update fixes the security issue with a better patch.

Alin Rad Pop discovered an array index vulnerability in the SDP parser. If a user or automated system were tricked into opening a malicious RTSP stream, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program.
(CVE-2008-0073)

Luigi Auriemma discovered that xine-lib did not properly check buffer sizes in the RTSP header-handling code. If xine-lib opened an RTSP stream with crafted SDP attributes, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-0225, CVE-2008-0238)

Damian Frizza and Alfredo Ortega discovered that xine-lib did not properly validate FLAC tags. If a user or automated system were tricked into opening a crafted FLAC file, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-0486)

It was discovered that the ASF demuxer in xine-lib did not properly check the length if the ASF header. If a user or automated system were tricked into opening a crafted ASF file, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-1110)

It was discovered that the Matroska demuxer in xine-lib did not properly verify frame sizes. If xine-lib opened a crafted ASF file, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program.
(CVE-2008-1161)

Luigi Auriemma discovered multiple integer overflows in xine-lib. If a user or automated system were tricked into opening a crafted FLV, MOV, RM, MVE, MKV or CAK file, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program.
(CVE-2008-1482)

It was discovered that xine-lib did not properly validate its input when processing Speex file headers. If a user or automated system were tricked into opening a specially crafted Speex file, an attacker could create a denial of service or possibly execute arbitrary code as the user invoking the program. (CVE-2008-1686)

Guido Landi discovered a stack-based buffer overflow in xine-lib when processing NSF files. If xine-lib opened a specially crafted NSF file with a long NSF title, an attacker could create a denial of service or possibly execute arbitrary code as the user invoking the program.
(CVE-2008-1878).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several local vulnerabilities have been discovered in Xine, a media player library, allowed for a denial of service or arbitrary code execution, which could be exploited through viewing malicious content.
The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2007-1246 / CVE-2007-1387     The DMO_VideoDecoder_Open function does not set the     biSize before use in a memcpy, which allows     user-assisted remote attackers to cause a buffer     overflow and possibly execute arbitrary code (applies to     sarge only).

  - CVE-2008-0073     Array index error in the sdpplin_parse function allows     remote RTSP servers to execute arbitrary code via a     large streamid SDP parameter.

  - CVE-2008-0486     Array index vulnerability in libmpdemux/demux_audio.c     might allow remote attackers to execute arbitrary code     via a crafted FLAC tag, which triggers a buffer overflow     (applies to etch only).

  - CVE-2008-1161     Buffer overflow in the Matroska demuxer allows remote     attackers to cause a denial of service (crash) and     possibly execute arbitrary code via a Matroska file with     invalid frame sizes.

This update of xine fixes a possible buffer overflow that can be triggered via FLAC tags to execute arbitrary code (CVE-2008-0486) and a possible buffer overflow in the matroska demuxer.

The remote host is affected by the vulnerability described in GLSA-200803-16 (MPlayer: Multiple buffer overflows)

    The following errors have been discovered in MPlayer:
    Felipe Manzano and Anibal Sacco (Core Security Technologies)     reported an array indexing error in the file libmpdemux/demux_mov.c     when parsing MOV file headers (CVE-2008-0485).
    Damian Frizza     and Alfredo Ortega (Core Security Technologies) reported a boundary     error in the file libmpdemux/demux_audio.c when parsing FLAC comments     (CVE-2008-0486).
    Adam Bozanich (Mu Security) reported boundary     errors in the cddb_parse_matches_list() and cddb_query_parse()     functions in the file stream_cddb.c when parsing CDDB album titles     (CVE-2008-0629) and in the url_scape_string() function in the file     stream/url.c when parsing URLS (CVE-2008-0630).
  Impact :

    A remote attacker could entice a user to open a specially crafted file,     possibly resulting in the execution of arbitrary code with the     privileges of the user running MPlayer.
  Workaround :

    There is no known workaround at this time.

The Mplayer team reports :

A buffer overflow was found in the code used to extract album titles from CDDB server answers. When parsing answers from the CDDB server, the album title is copied into a fixed-size buffer with insufficient size checks, which may cause a buffer overflow. A malicious database entry could trigger a buffer overflow in the program. That can lead to arbitrary code execution with the UID of the user running MPlayer.

A buffer overflow was found in the code used to escape URL strings.
The code used to skip over IPv6 addresses can be tricked into leaving a pointer to a temporary buffer with a non-NULL value; this causes the unescape code to reuse the buffer, and may lead to a buffer overflow if the old buffer is smaller than required. A malicious URL string may be used to trigger a buffer overflow in the program, that can lead to arbitrary code execution with the UID of the user running MPlayer.

A buffer overflow was found in the code used to parse MOV file headers. The code read some values from the file and used them as indexes into as array allocated on the heap without performing any boundary check. A malicious file may be used to trigger a buffer overflow in the program. That can lead to arbitrary code execution with the UID of the user running MPlayer.

xine Team reports :

A new xine-lib version is now available. This release contains a security fix (array index vulnerability which may lead to a stack buffer overflow.

The remote host is affected by the vulnerability described in GLSA-200802-12 (xine-lib: User-assisted execution of arbitrary code)

    Damian Frizza and Alfredo Ortega (Core Security Technologies)     discovered a stack-based buffer overflow within the open_flac_file()     function in the file demux_flac.c when parsing tags within a FLAC file     (CVE-2008-0486). A buffer overflow when parsing ASF headers, which is     similar to CVE-2006-1664, has also been discovered (CVE-2008-1110).
  Impact :

    A remote attacker could entice a user to play specially crafted FLAC or     ASF video streams with a player using xine-lib, potentially resulting     in the execution of arbitrary code with the privileges of the user     running the player.
  Workaround :

    There is no known workaround at this time.

- Fri Feb 8 2008 Ville Skytta <ville.skytta at iki.fi> -     1.1.10.1-1 - 1.1.10.1 (security update, #431541). * Sun     Jan 27 2008 Ville Skytta <ville.skytta at iki.fi> -     1.1.10-2 - Include spu, spucc, and spucmml decoders     (#213597). Upstream release notes:
    http://sourceforge.net/project/shownotes.php?group_id=96     55&release_id=574735

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several buffer overflows have been discovered in the MPlayer movie player, which might lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2008-0485     Felipe Manzano and Anibal Sacco discovered a buffer     overflow in the demuxer for MOV files.

  - CVE-2008-0486     Reimar Doeffinger discovered a buffer overflow in the     FLAC header parsing.

  - CVE-2008-0629     Adam Bozanich discovered a buffer overflow in the CDDB     access code.

  - CVE-2008-0630     Adam Bozanich discovered a buffer overflow in URL     parsing.

ID	Name	Product	Family	Severity
37405	Mandriva Linux Security Advisory : mplayer (MDVSA-2008:045)	Nessus	Mandriva Local Security Checks	high
36358	Mandriva Linux Security Advisory : xine-lib (MDVSA-2008:046-1)	Nessus	Mandriva Local Security Checks	high
33940	Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : xine-lib vulnerabilities (USN-635-1)	Nessus	Ubuntu Local Security Checks	high
31721	Debian DSA-1536-1 : libxine - several vulnerabilities	Nessus	Debian Local Security Checks	high
31460	SuSE 10 Security Update : xine (ZYPP Patch Number 5080)	Nessus	SuSE Local Security Checks	high
31459	openSUSE 10 Security Update : xine-devel (xine-devel-5078)	Nessus	SuSE Local Security Checks	high
31442	GLSA-200803-16 : MPlayer: Multiple buffer overflows	Nessus	Gentoo Local Security Checks	high
31378	FreeBSD : mplayer -- multiple vulnerabilities (de4d4110-ebce-11dc-ae14-0016179b2dd5)	Nessus	FreeBSD Local Security Checks	high
31304	FreeBSD : libxine -- buffer overflow vulnerability (e8a6a16d-e498-11dc-bb89-000bcdc1757a)	Nessus	FreeBSD Local Security Checks	high
31295	GLSA-200802-12 : xine-lib: User-assisted execution of arbitrary code	Nessus	Gentoo Local Security Checks	high
31072	Fedora 7 : xine-lib-1.1.10.1-1.fc7 (2008-1581)	Nessus	Fedora Local Security Checks	high
31068	Fedora 8 : xine-lib-1.1.10.1-1.fc8 (2008-1543)	Nessus	Fedora Local Security Checks	high
31056	Debian DSA-1496-1 : mplayer - buffer overflows	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2008-0486

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high