Bug 120088 (CVE-2005-2967)

Summary: VUL-0: CVE-2005-2967: xine: remotely exploitable format string bug
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Biege <thomas>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Critical
Priority: P1 - Urgent
CC: hvogel, patch-request, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard: CVE-2005-2967: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: xine-lib.formatstring.patch, stable-bugfixes.patch

Description Thomas Biege 2005-10-04 12:59:23 UTC
Hello Adrian,
we received this via vendor-sec.  (not public)

From: Ulf Harnhammar <metaur@telia.com>
To: vendor-sec@lst.de
Cc: miguel@cetuc.puc-rio.br, mroi@users.sourceforge.net,
        siggi@users.sourceforge.net
Reply-To: metaur@telia.com
User-Agent: Mutt/1.5.9i
Subject: [vendor-sec] xine/gxine CD Player Remote Format String Bug
Errors-To: vendor-sec-admin@lst.de
Date: Sun, 2 Oct 2005 02:06:17 +0200

xine/gxine CD Player Remote Format String Bug

When you use xine or gxine to play a CD, the programs will connect
to a CDDB server to retrieve the record's artist/band and title as
well as the song titles. The programs write this information to
a cache file, and the code in xine-lib that performs this action
suffers from a format string security bug, allowing remote execution
of arbitrary code.

It is worth noting that CDDB servers allow any user to add or modify
information about records.

It is also worth noting that the vulnerable code in xine-lib writes
all information about a record that the server sends to it to the
cache file, including comments.

This bug could be used for automated attacks against anyone who
listens to particular CDs in xine or gxine.

The vulnerable code is found in the xine-lib library that both xine
and gxine use. The vulnerable versions are at least xine-lib-0.9.13,
1.0, 1.0.1, 1.0.2 and 1.1.0.

To avoid this vulnerability, the user can switch off CDDB lookups
under Settings / Setup - change Configuration experience level to
Advanced, press Apply, go to the Media tab, deselect Query CDDB,
press Apply and finally OK.

I have attached a fake CDDB server that exhibits this problem. (You
do not need to change server to get hit by this bug, as the CDDB
servers allow anyone to add or modify information, but I think it
was nicer to test it this way.)

You run this server, then you start xine or gxine, change
Configuration experience level to Master of the known universe,
press Apply, go to the Media tab, enter the malicious CDDB server's
host name under CDDB server name, press Apply and then OK. Finally,
you put a CD in the computer's CD drive and press the CD button.
The format string bug will crash xine or gxine.

I have also attached a patch that corrects the problem.

I hope that we can co-ordinate our respective updates of xine-lib.

// Ulf Harnhammar for the Debian Security Audit Project
   http://www.debian.org/security/audit/
Comment 1 Thomas Biege 2005-10-04 13:04:36 UTC
CAN-2005-2967
Comment 2 Thomas Biege 2005-10-04 13:45:47 UTC
From: Ulf Harnhammar <metaur@operamail.com>
To: Martin Schulze <joey@infodrom.org>
Cc: Free Software Distribution Vendors <vendor-sec@lst.de>,
        miguel@cetuc.puc-rio.br, mroi@users.sourceforge.net,
        siggi@users.sourceforge.net
Subject: [vendor-sec] Re: xine/gxine CD Player Remote Format String Bug
Errors-To: vendor-sec-admin@lst.de
Date: Mon, 03 Oct 2005 10:22:17 +0100

> > I have also attached a patch that corrects the problem.
> This attachment was missing.

OK. I can't generate a new patch from my parents' place, but it's the file
src/input/input_cdda.c in xine-lib. It has a line looking like this:

fprintf(fd, filecontent);

It should be:

fprintf(fd, "%s", filecontent);

// Ulf Harnhammar
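As an added illustration (not code from the report, the attached patch, or xine-lib itself), here is the fixed write path from the message above beside a defensive check a maintainer might add: count printf-style directives in an untrusted CDDB reply so a suspicious record can be logged, and confirm that the `"%s"` form stores the server's bytes in the cache verbatim. The sample reply and the helper names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
/* Constructed CDDB reply in the xmcd cache format (not a real server
 * response); its comment line carries printf directives, which any
 * CDDB record can, since anyone may edit records on the server. */
static const char kSampleReply[] =
    "# xmcd CD database file\n"
    "# comment: 100% sure %s %x\n"
    "DTITLE=Example Artist / Example Title\n"
    "TTITLE0=Track one\n";

/* Count printf-style directives ('%' not followed by '%') in untrusted
 * text, for logging a suspicious record; writing stays unconditional. */
int count_format_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Fixed write path from the patch: constant format string, server data
 * passed as an argument, so its bytes reach the cache file verbatim. */
int write_cddb_cache(FILE *fd, const char *filecontent) {
    return fprintf(fd, "%s", filecontent) < 0 ? -1 : 0;
}

/* Round-trip a reply through a temporary file; 1 if the cached bytes
 * equal the input exactly, 0 on mismatch or I/O error. */
int cache_roundtrip_is_verbatim(const char *reply) {
    char buf[1024];
    size_t len = strlen(reply), got;
    FILE *fd;
    if (len >= sizeof buf || !(fd = tmpfile())) return 0;
    if (write_cddb_cache(fd, reply) != 0) { fclose(fd); return 0; }
    rewind(fd);
    got = fread(buf, 1, sizeof buf, fd);
    fclose(fd);
    return got == len && memcmp(buf, reply, len) == 0;
}

int main(void) {
    int n = count_format_directives(kSampleReply);
    if (n > 0) fprintf(stderr, "warning: CDDB reply has %d directive(s)\n", n);
    printf("cache verbatim: %d\n", cache_roundtrip_is_verbatim(kSampleReply));
    return 0;
}
```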
Comment 3 Thomas Biege 2005-10-04 13:47:23 UTC
Created attachment 51396 [details]
xine-lib.formatstring.patch
Comment 4 Thomas Biege 2005-10-04 13:48:17 UTC
From: "Siggi (SourceForge)" <siggi@users.sourceforge.net>
To: Michael Roitzsch <mroi@users.sourceforge.net>
Cc: Thierry Carrez <koon@gentoo.org>, Ulf Harnhammar <metaur@operamail.com>,
        Martin Schulze <joey@infodrom.org>,
        Free Software Distribution Vendors <vendor-sec@lst.de>,
        Miguel Freitas <miguel@cetuc.puc-rio.br>
Subject: Re: [vendor-sec] Re: xine/gxine CD Player Remote Format String Bug
Errors-To: vendor-sec-admin@lst.de
Date: Tue, 4 Oct 2005 13:42:08 +0200 (CEST)

On Tue, 4 Oct 2005, Michael Roitzsch wrote:

>>>What about releasing this on the 8th of October? Is that enough time for
>>>everyone?
>>
>>We usually prefer weekdays... October 11th, 1400 UTC ?
>
>I think the xine team can prepare a new release of xine-lib until then
>(most likely over the course of the weekend).
>
>To the xine team:
>Should we make another release from the 1.0 tree for this? It might be too
>little time to release from 1.1 (which AFAIR has not been declared stable
>by us anyway).

Well, we'd commit the fix to both trees of course, and we'd have to
release from both trees. The 1.1 release has lower priority, though, as it
is officially unstable.
Note that this will appear in public CVS as soon as the fix is committed
(possibly with a 24h SourceForge delay on the public CVS servers), so this
is likely to go public on Saturday, even though Gentoo security prefers
weekdays. (Sorry, I definitely won't be able to do any work on
Monday/Tuesday...)

        -siggi [xine]
Comment 5 Thomas Biege 2005-10-05 13:49:33 UTC
Maintenance-Tracker-2516
Comment 6 Thomas Biege 2005-10-05 13:50:15 UTC
This bug needs to be fixed quickly.
Comment 7 Thomas Biege 2005-10-07 09:41:01 UTC
ping
Comment 8 Thomas Biege 2005-10-10 08:55:12 UTC
Cc: Thierry Carrez <koon@gentoo.org>,
        "Siggi (SourceForge)" <siggi@users.sourceforge.net>,
        Martin Schulze <joey@infodrom.org>,
        Free Software Distribution Vendors <vendor-sec@lst.de>,
        Miguel Freitas <miguel@cetuc.puc-rio.br>
From: Michael Roitzsch <mroi@users.sourceforge.net>
Subject: Re: [vendor-sec] Re: xine/gxine CD Player Remote Format String Bug
To: Ulf Harnhammar <metaur@operamail.com>
Errors-To: vendor-sec-admin@lst.de
Date: Sat, 8 Oct 2005 16:47:44 +0200

Hi all,

>So did we decide on Saturday?

I committed the fix to xine-lib's CVS, so it will be publicly visible
in some hours anyway. I think you can just go ahead and release your
advisories. We will release xine-lib 1.0.3 soon and most likely
xine-lib 1.1.2 later. Both will fix this problem.

To the xine team members:
I just collected all the *BUGFIX* marked patches (mostly win32 build
system changes) from xine-lib HEAD and prepared a patch to backport
them (including the fix for this vulnerability and the necessary
version number changes) to the xine-1_0 branch. I don't know if this
patch works correctly, since I have to leave now. So if someone wants
to go ahead and make the 1.0.3 release, you don't have to start from
scratch.

Michael
Comment 9 Thomas Biege 2005-10-10 08:56:52 UTC
Created attachment 52066 [details]
stable-bugfixes.patch
Comment 10 Hendrik Vogelsang 2005-10-10 09:16:43 UTC
I'll do it.
Comment 11 Hendrik Vogelsang 2005-10-10 10:44:48 UTC
done for 9.* and 10.0

patchinfos submitted
Comment 12 Thomas Biege 2005-10-10 10:46:07 UTC
Thanks a lot.
Comment 13 Thomas Biege 2005-10-17 06:36:22 UTC
packages approved
Comment 14 Thomas Biege 2009-10-13 21:38:55 UTC
CVE-2005-2967: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)