xine/gxine CD Player Remote Format String Bug


BACKGROUND


"xine is a free multimedia player. It plays back CDs, DVDs, and
VCDs. It also decodes multimedia files like AVI, MOV, WMV, and MP3
from local disk drives, and displays multimedia streamed over the
Internet. It interprets many of the most common multimedia formats
available - and some of the most uncommon formats, too."

gxine is a "gtk-based media player style gui + mozilla plugin".

( from http://www.xinehq.de/ )

Both programs are available in many Linux distributions and *BSD
ports collections.


BUG


When you use xine or gxine to play a CD, the programs will connect to
a CDDB server to retrieve the record's artist/band and title as well
as the song titles. The programs write this information to a cache
file, and the code in xine-lib that performs this action suffers from
a format string bug, allowing remote execution of arbitrary code.

It is worth noting that CDDB servers allow any user to add or
modify information about records. It is also worth noting that the
vulnerable code in xine-lib writes all information about a record
that the server sends to it to the cache file, including comments.

Thus, this bug could be used for automated mass attacks against
anyone in the world who listens to a particular CD in xine or
gxine. There is also a potential for social engineering attacks.

The vulnerable code is found in the xine-lib library that both xine
and gxine use. The vulnerable versions are at least xine-lib-0.9.13,
1.0, 1.0.1, 1.0.2 and 1.1.0.

The bug has the identifier CAN-2005-2967.


WORKAROUND


To avoid this vulnerability, the user can switch off CDDB lookups
under Settings / Setup - change Configuration experience level to
Advanced, press Apply, go to the Media tab, deselect Query CDDB,
press Apply and finally OK.


TESTING AND PATCHING


I have attached a fake CDDB server that exhibits this problem. (You
do not need to change server to get hit by this bug, as the CDDB
servers allow anyone to add or modify information, but I think it
was nicer to test it this way.)

You run this server, then you start xine or gxine, change
Configuration experience level to Master of the known universe,
press Apply, go to the Media tab, enter the malicious CDDB server's
host name under CDDB server name, press Apply and then OK. Finally,
you put a CD in the computer's CD drive and press the CD button in
the programs. The format string bug will then crash xine or gxine.

Apart from the server, I have also attached a patch that corrects
the problem.

The upstream developers as well as the vendor-sec mailing list
were contacted, and the 8th of October was agreed upon as the
release date.


// Ulf Harnhammar for the Debian Security Audit Project
   http://www.debian.org/security/audit/