Multiple heap-based buffer overflows in xine-lib 1.1.12, and other versions before 1.1.15, allow remote attackers to execute arbitrary code via vectors related to (1) a crafted metadata atom size processed by the parse_moov_atom function in demux_qt.c and (2) frame reading in the id3v23_interp_frame function in id3.c. NOTE: as of 20081122, it is possible that vector 1 has not been fixed in 1.1.15.

This update of xine fixes multiple buffer overflows while parsing files :

  - CVE-2008-3231

  - CVE-2008-5233

  - CVE-2008-5234

  - CVE-2008-5235

  - CVE-2008-5236

  - CVE-2008-5237

  - CVE-2008-5238

  - CVE-2008-5239

  - CVE-2008-5240

  - CVE-2008-5241

  - CVE-2008-5242

  - CVE-2008-5243

  - CVE-2008-5244

  - CVE-2008-5245

  - CVE-2008-5246

  - CVE-2008-5247

  - These bugs can lead to remote code execution.
    (CVE-2008-5248)

The remote host is affected by the vulnerability described in GLSA-201006-04 (xine-lib: User-assisted execution of arbitrary code)

    Multiple vulnerabilities have been reported in xine-lib. Please review     the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could entice a user to play a specially crafted video     file or stream with a player using xine-lib, potentially resulting in     the execution of arbitrary code with the privileges of the user running     the application.
  Workaround :

    There is no known workaround at this time.

Vulnerabilities have been discovered and corrected in xine-lib :

Failure on Ogg files manipulation can lead remote attackers to cause a denial of service by using crafted files (CVE-2008-3231).

Failure on manipulation of either MNG or Real or MOD files can lead remote attackers to cause a denial of service by using crafted files (CVE: CVE-2008-5233).

Heap-based overflow allows remote attackers to execute arbitrary code by using Quicktime media files holding crafted metadata (CVE-2008-5234).

Heap-based overflow allows remote attackers to execute arbitrary code by using either crafted Matroska or Real media files (CVE-2008-5236).

Failure on manipulation of either MNG or Quicktime files can lead remote attackers to cause a denial of service by using crafted files (CVE-2008-5237).

Multiple heap-based overflow on input plugins (http, net, smb, dvd, dvb, rtsp, rtp, pvr, pnm, file, gnome_vfs, mms) allow attackers to execute arbitrary code by handling that input channels. Further this problem can even lead attackers to cause denial of service (CVE-2008-5239).

Heap-based overflow allows attackers to execute arbitrary code by using crafted Matroska media files (MATROSKA_ID_TR_CODECPRIVATE track entry element). Further a failure on handling of Real media files (CONT_TAG header) can lead to a denial of service attack (CVE-2008-5240).

Integer underflow allows remote attackers to cause denial of service by using Quicktime media files (CVE-2008-5241).

Failure on manipulation of Real media files can lead remote attackers to cause a denial of service by indexing an allocated buffer with a certain input value in a crafted file (CVE-2008-5243).

Vulnerabilities of unknown impact - possibly buffer overflow - caused by a condition of video frame preallocation before ascertaining the required length in V4L video input plugin (CVE-2008-5245).

Heap-based overflow allows remote attackers to execute arbitrary code by using crafted media files. This vulnerability is in the manipulation of ID3 audio file data tagging mainly used in MP3 file formats (CVE-2008-5246).

Integer overflow in the qt_error parse_trak_atom function in demuxers/demux_qt.c in xine-lib 1.1.16.2 and earlier allows remote attackers to execute arbitrary code via a Quicktime movie file with a large count value in an STTS atom, which triggers a heap-based buffer overflow (CVE-2009-1274)

Integer overflow in the 4xm demuxer (demuxers/demux_4xm.c) in xine-lib 1.1.16.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a 4X movie file with a large current_track value, a similar issue to CVE-2009-0385 (CVE-2009-0698)

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers

This update fixes these issues.

This update of xine fixes multiple buffer overflows while parsing files :

  - CVE-2008-3231

  - CVE-2008-5233

  - CVE-2008-5234

  - CVE-2008-5235

  - CVE-2008-5236

  - CVE-2008-5237

  - CVE-2008-5238

  - CVE-2008-5239

  - CVE-2008-5240

  - CVE-2008-5241

  - CVE-2008-5242

  - CVE-2008-5243

  - CVE-2008-5244

  - CVE-2008-5245

  - CVE-2008-5246

  - CVE-2008-5247

  - CVE-2008-5248 These bugs can lead to remote code     execution.

Multiple vulnerabilities were fixed in libxine 1.1.16.2.

Tobias Klein reports :

FFmpeg contains a type conversion vulnerability while parsing malformed 4X movie files. The vulnerability may be exploited by a (remote) attacker to execute arbitrary code in the context of FFmpeg or an application using the FFmpeg library.

Note: A similar issue also affects xine-lib < version 1.1.16.2.

xine developers report :

- Fix broken size checks in various input plugins (ref.
CVE-2008-5239).

- More malloc checking (ref. CVE-2008-5240).

It was discovered that xine-lib did not correctly handle certain malformed Ogg and Windows Media files. If a user or automated system were tricked into opening a specially crafted Ogg or Windows Media file, an attacker could cause xine-lib to crash, creating a denial of service. This issue only applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2008-3231)

It was discovered that the MNG, MOD, and Real demuxers in xine-lib did not correctly handle memory allocation failures. If a user or automated system were tricked into opening a specially crafted MNG, MOD, or Real file, an attacker could crash xine-lib or possibly execute arbitrary code with the privileges of the user invoking the program. This issue only applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2008-5233)

It was discovered that the QT demuxer in xine-lib did not correctly handle an invalid metadata atom size, resulting in a heap-based buffer overflow. If a user or automated system were tricked into opening a specially crafted MOV file, an attacker could execute arbitrary code as the user invoking the program. (CVE-2008-5234, CVE-2008-5242)

It was discovered that the Real, RealAudio, and Matroska demuxers in xine-lib did not correctly handle malformed files, resulting in heap-based buffer overflows. If a user or automated system were tricked into opening a specially crafted Real, RealAudio, or Matroska file, an attacker could execute arbitrary code as the user invoking the program. (CVE-2008-5236)

It was discovered that the MNG and QT demuxers in xine-lib did not correctly handle malformed files, resulting in integer overflows. If a user or automated system were tricked into opening a specially crafted MNG or MOV file, an attacker could execute arbitrary code as the user invoking the program. (CVE-2008-5237)

It was discovered that the Matroska, MOD, Real, and Real Audio demuxers in xine-lib did not correctly handle malformed files, resulting in integer overflows. If a user or automated system were tricked into opening a specially crafted Matroska, MOD, Real, or Real Audio file, an attacker could execute arbitrary code as the user invoking the program. This issue only applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2008-5238)

It was discovered that the input handlers in xine-lib did not correctly handle certain error codes, resulting in out-of-bounds reads and heap-based buffer overflows. If a user or automated system were tricked into opening a specially crafted file, stream, or URL, an attacker could execute arbitrary code as the user invoking the program. (CVE-2008-5239)

It was discovered that the Matroska and Real demuxers in xine-lib did not correctly handle memory allocation failures. If a user or automated system were tricked into opening a specially crafted Matroska or Real file, an attacker could crash xine-lib or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-5240)

It was discovered that the QT demuxer in xine-lib did not correctly handle an invalid metadata atom size in a compressed MOV file, resulting in an integer underflow. If a user or automated system were tricked into opening a specially crafted MOV file, an attacker could an attacker could cause xine-lib to crash, creating a denial of service. (CVE-2008-5241)

It was discovered that the Real demuxer in xine-lib did not correctly handle certain malformed files. If a user or automated system were tricked into opening a specially crafted Real file, an attacker could could cause xine-lib to crash, creating a denial of service.
(CVE-2008-5243)

It was discovered that xine-lib did not correctly handle certain malformed AAC files. If a user or automated system were tricked into opening a specially crafted AAC file, an attacker could could cause xine-lib to crash, creating a denial of service. This issue only applied to Ubuntu 7.10, and 8.04 LTS. (CVE-2008-5244)

It was discovered that the id3 tag handler in xine-lib did not correctly handle malformed tags, resulting in heap-based buffer overflows. If a user or automated system were tricked into opening a media file containing a specially crafted id3 tag, an attacker could execute arbitrary code as the user invoking the program. This issue only applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2008-5246)

It was discovered that xine-lib did not correctly handle MP3 files with metadata consisting only of separators. If a user or automated system were tricked into opening a specially crafted MP3 file, an attacker could could cause xine-lib to crash, creating a denial of service. This issue only applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2008-5248)

It was discovered that the Matroska demuxer in xine-lib did not correctly handle an invalid track type. If a user or automated system were tricked into opening a specially crafted Matroska file, an attacker could could cause xine-lib to crash, creating a denial of service.

It was discovered that the ffmpeg video decoder in xine-lib did not correctly handle media with certain image heights, resulting in a heap-based buffer overflow. If a user or automated system were tricked into opening a specially crafted video file, an attacker could crash xine-lib or possibly execute arbitrary code with the privileges of the user invoking the program. This issue only applied to Ubuntu 7.10, 8.04 LTS, and 8.10.

It was discovered that the ffmpeg audio decoder in xine-lib did not correctly handle malformed media, resulting in a integer overflow. If a user or automated system were tricked into opening a specially crafted media file, an attacker could crash xine-lib or possibly execute arbitrary code with the privileges of the user invoking the program. This issue only applied to Ubuntu 8.10.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Failure on Ogg files manipulation can lead remote attackers to cause a denial of service by using crafted files (CVE-2008-3231).

Failure on manipulation of either MNG or Real or MOD files can lead remote attackers to cause a denial of service by using crafted files (CVE: CVE-2008-5233).

Heap-based overflow allows remote attackers to execute arbitrary code by using Quicktime media files holding crafted metadata (CVE-2008-5234).

Heap-based overflow allows remote attackers to execute arbitrary code by using either crafted Matroska or Real media files (CVE-2008-5236).

Failure on manipulation of either MNG or Quicktime files can lead remote attackers to cause a denial of service by using crafted files (CVE-2008-5237).

Multiple heap-based overflow on input plugins (http, net, smb, dvd, dvb, rtsp, rtp, pvr, pnm, file, gnome_vfs, mms) allow attackers to execute arbitrary code by handling that input channels. Further this problem can even lead attackers to cause denial of service (CVE-2008-5239).

Heap-based overflow allows attackers to execute arbitrary code by using crafted Matroska media files (MATROSKA_ID_TR_CODECPRIVATE track entry element). Further a failure on handling of Real media files (CONT_TAG header) can lead to a denial of service attack (CVE-2008-5240).

Integer underflow allows remote attackers to cause denial of service by using Quicktime media files (CVE-2008-5241).

Failure on manipulation of Real media files can lead remote attackers to cause a denial of service by indexing an allocated buffer with a certain input value in a crafted file (CVE-2008-5243).

Vulnerabilities of unknown impact - possibly buffer overflow - caused by a condition of video frame preallocation before ascertaining the required length in V4L video input plugin (CVE-2008-5245).

Heap-based overflow allows remote attackers to execute arbitrary code by using crafted media files. This vulnerability is in the manipulation of ID3 audio file data tagging mainly used in MP3 file formats (CVE-2008-5246).

This update provides the fix for all these security issues found in xine-lib 1.1.11 of Mandriva 2008.1. The vulnerabilities:
CVE-2008-5234, CVE-2008-5236, CVE-2008-5237, CVE-2008-5239, CVE-2008-5240, CVE-2008-5243 are found in xine-lib 1.1.15 of Mandriva 2009.0 and are also fixed by this update.

This updates xine-lib to the upstream 1.1.16 release. This fixes several bugs, including the security issues CVE-2008-5234 vector 1, CVE-2008-5236, CVE-2008-5237, CVE-2008-5239, CVE-2008-5240 vectors 3 & 4 and CVE-2008-5243. See http://sourceforge.net/project/shownotes.php?release_id=652075&group_i d=9655 for the full list of changes. In addition, the Fedora xine-lib package now includes the demuxers for the MPEG container format, which are not patent- encumbered. (The decoders for actual MPEG video and audio data are still excluded due to software patents.)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This release fixes multiple bugs and security issues: - DoS via corrupted Ogg files (CVE-2008-3231) - multiple possible buffer overflows detailed in oCERT-2008-008 For more details, see:
http://sourceforge.net/project/shownotes.php?release_id=619869&group_i d=9655 http://www.ocert.org/advisories/ocert-2008-008.html NOTE: A coordinated release with 3rd-party repos was not possible, so this update may result in dependency issues with currently-installed xine-lib-extras-* rpms. This temporary problem will be rectified asap.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
51768	SuSE 10 Security Update : xine (ZYPP Patch Number 5965)	Nessus	SuSE Local Security Checks	critical
46771	GLSA-201006-04 : xine-lib: User-assisted execution of arbitrary code	Nessus	Gentoo Local Security Checks	critical
43022	Mandriva Linux Security Advisory : xine-lib (MDVSA-2009:319)	Nessus	Mandriva Local Security Checks	critical
40156	openSUSE Security Update : xine-devel (xine-devel-483)	Nessus	SuSE Local Security Checks	critical
38803	FreeBSD : libxine -- multiple vulnerabilities (51d1d428-42f0-11de-ad22-000e35248ad7)	Nessus	FreeBSD Local Security Checks	high
37469	Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : xine-lib vulnerabilities (USN-710-1)	Nessus	Ubuntu Local Security Checks	critical
36846	Mandriva Linux Security Advisory : xine-lib (MDVSA-2009:020)	Nessus	Mandriva Local Security Checks	critical
35599	openSUSE 10 Security Update : xine-devel (xine-devel-5966)	Nessus	SuSE Local Security Checks	critical
35399	Fedora 9 : xine-lib-1.1.16-1.fc9.1 (2009-0542)	Nessus	Fedora Local Security Checks	critical
34136	Fedora 8 : xine-lib-1.1.15-1.fc8 (2008-7572)	Nessus	Fedora Local Security Checks	critical
34133	Fedora 9 : xine-lib-1.1.15-1.fc9 (2008-7512)	Nessus	Fedora Local Security Checks	critical

Detections

Analytics

CVE-2008-5234

high

Tenable Plugins

critical

critical

critical

critical

high

critical

critical

critical

critical

critical

critical