what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

xineFormat.txt

xineFormat.txt
Posted Oct 8, 2005
Authored by Ulf Harnhammar | Site debian.org

The xine/gxine CD player is susceptible to a remote format string bug. The vulnerable code is found in the xine-lib library that both xine and gxine use. The vulnerable versions are at least xine-lib-0.9.13, 1.0, 1.0.1, 1.0.2 and 1.1.0. Patch available here.

tags | advisory, remote
advisories | CVE-2005-2967
SHA-256 | 1aea14a58fd32bca633044be383cec8a50c14ce68e2981888d358c4b5a246842

xineFormat.txt

Change Mirror Download
xine/gxine CD Player Remote Format String Bug


BACKGROUND


"xine is a free multimedia player. It plays back CDs, DVDs, and
VCDs. It also decodes multimedia files like AVI, MOV, WMV, and MP3
from local disk drives, and displays multimedia streamed over the
Internet. It interprets many of the most common multimedia formats
available - and some of the most uncommon formats, too."

gxine is a "gtk-based media player style gui + mozilla plugin".

( from http://www.xinehq.de/ )

Both programs are available in many Linux distributions and *BSD
ports collections.


BUG


When you use xine or gxine to play a CD, the programs will connect to
a CDDB server to retrieve the record's artist/band and title as well
as the song titles. The programs write this information to a cache
file, and the code in xine-lib that performs this action suffers from
a format string bug, allowing remote execution of arbitrary code.

It is worth noting that CDDB servers allow any user to add or
modify information about records. It is also worth noting that the
vulnerable code in xine-lib writes all information about a record
that the server sends to it to the cache file, including comments.

Thus, this bug could be used for automated mass attacks against
anyone in the world who listens to a particular CD in xine or
gxine. There is also a potential for social engineering attacks.

The vulnerable code is found in the xine-lib library that both xine
and gxine use. The vulnerable versions are at least xine-lib-0.9.13,
1.0, 1.0.1, 1.0.2 and 1.1.0.

The bug has the identifier CAN-2005-2967.


WORKAROUND


To avoid this vulnerability, the user can switch off CDDB lookups
under Settings / Setup - change Configuration experience level to
Advanced, press Apply, go to the Media tab, deselect Query CDDB,
press Apply and finally OK.


TESTING AND PATCHING


I have attached a fake CDDB server that exhibits this problem. (You
do not need to change server to get hit by this bug, as the CDDB
servers allow anyone to add or modify information, but I think it
was nicer to test it this way.)

You run this server, then you start xine or gxine, change
Configuration experience level to Master of the known universe,
press Apply, go to the Media tab, enter the malicious CDDB server's
host name under CDDB server name, press Apply and then OK. Finally,
you put a CD in the computer's CD drive and press the CD button in
the programs. The format string bug will then crash xine or gxine.

Apart from the server, I have also attached a patch that corrects
the problem.

The upstream developers as well as the vendor-sec mailing list
were contacted, and the 8th of October was agreed upon as the
release date.


// Ulf Harnhammar for the Debian Security Audit Project
http://www.debian.org/security/audit/

Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close