Bug 64324 (CVE-2004-1300)

Summary: VUL-0: CVE-2004-1300: xine-lib buffer overflow in aiff file handling
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: adrian.schroeter, security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-1300: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Ludwig Nussel 2004-12-16 22:51:41 UTC
We received the following report via vendor-sec.
The issue is public.

From djb@cr.yp.to Wed Dec 15 14:21:26 2004
Date: 15 Dec 2004 08:19:21 -0000
From: D. J. Bernstein <djb@cr.yp.to>
To: securesoftware@list.cr.yp.to, xine-user@lists.sourceforge.net
Subject: [remote] [control] xine-lib open_aiff_file overflows buffer

Ariel Berkman, a student in my Fall 2004 UNIX Security Holes course, has
discovered a remotely exploitable security hole in xine-lib. I'm
publishing this notice, but all the discovery credits should be assigned
to Berkman.

You are at risk if you take a file from the web (or email or any other
source that could be controlled by an attacker) and feed that file
through xine or any other xine-lib frontend. Whoever provides that file
then has complete control over your account: he can read and modify your
files, watch the programs you're running, etc.

Proof of concept: On an x86 computer running FreeBSD 4.10, as root, type

   cd /usr/ports/multimedia/xine
   make install

to download and compile the xine-lib library, version 1-rc5, and the
xine program. (Version 1-rc5 has other problems but is the latest ports
version. Version 1-rc7 fixes several bugs but does not fix the bug used
here.) Then save the file 20.avi attached to this message, and type

   xine 20.avi

with the unauthorized result that a file named EXPLOITED is created in
the current directory. (I tested this with a 577-byte environment, as
reported by printenv | wc -c; beware that 20.avi is sensitive to the
environment size.)

Here's the bug: In demux_aiff.c, open_aiff_file() reads an
input-specified amount of data into a 100-byte buffer[] array.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago

    [ Part 2, Video/X-MSVIDEO  1.3KB. ]
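Added example, not xine-lib's code and not part of the report above: the report describes open_aiff_file() reading an input-specified amount of data into a 100-byte buffer[] array. The reader below shows the bounds checks that prevent that class of defect. The chunk layout used here (a 4-byte big-endian length followed by payload), the function name read_chunk_checked and the sample chunks are all constructed for illustration and do not reflect the actual AIFF parsing code in demux_aiff.c.

```c
/* Added example: a length-prefixed chunk reader that cannot overflow its
 * fixed-size destination. Layout is a simplified stand-in (assumption):
 * 4-byte big-endian length, then payload. Not xine-lib code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same destination size the report names for buffer[] in open_aiff_file(). */
#define BUFFER_SIZE 100

/* Decodes the big-endian 32-bit length at the start of a chunk. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Hardened reader: the declared length is validated against both the
 * destination buffer and the bytes actually present before any copy.
 * Returns the number of payload bytes copied, or -1 if the chunk is rejected.
 * The unchecked variant (copying `declared` bytes without these tests) is
 * the pattern the report describes and is deliberately not implemented. */
int read_chunk_checked(const uint8_t *chunk, size_t chunk_len,
                       uint8_t buffer[BUFFER_SIZE]) {
    if (chunk == NULL || chunk_len < 4)
        return -1;                       /* no room for a length field */
    uint32_t declared = be32(chunk);
    if (declared > BUFFER_SIZE)
        return -1;                       /* would overflow buffer[] */
    if (declared > chunk_len - 4)
        return -1;                       /* declared more than was supplied */
    memcpy(buffer, chunk + 4, declared);
    return (int)declared;
}

/* Constructed sample chunks (not from any real file). */
static const uint8_t SAMPLE_OK[]        = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t SAMPLE_OVERSIZED[] = {0, 0, 0, 200, 'x', 'x', 'x', 'x'};
static const uint8_t SAMPLE_TRUNCATED[] = {0, 0, 0, 10, 'a', 'b', 'c'};

int main(void) {
    uint8_t buffer[BUFFER_SIZE];
    printf("well-formed chunk: %d bytes\n",
           read_chunk_checked(SAMPLE_OK, sizeof SAMPLE_OK, buffer));
    printf("length > buffer:   %d (rejected)\n",
           read_chunk_checked(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, buffer));
    printf("length > input:    %d (rejected)\n",
           read_chunk_checked(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, buffer));
    return 0;
}
```

The two rejections are independent: a declared length that fits the buffer can still exceed the bytes supplied, and a declared length within the file can still exceed the buffer. A demuxer needs both checks before the copy, and a fuzz harness for a container parser should feed it chunks of each shape.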
Comment 1 Marcus Meissner 2004-12-21 22:56:46 UTC
======================================================
Candidate: CAN-2004-1300
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1300
Reference: MISC:http://tigger.uic.edu/~jlongs2/holes/xine-lib.txt

Buffer overflow in the open_aiff_file function in demux_aiff.c for
xine-lib (libxine) 1-rc7 allows remote attackers to execute arbitrary
code via a crafted AIFF file.

Comment 2 Marcus Meissner 2005-01-03 19:13:13 UTC
======================================================
Candidate: CAN-2004-1300
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1300
Reference: MISC:http://tigger.uic.edu/~jlongs2/holes/xine-lib.txt

Buffer overflow in the open_aiff_file function in demux_aiff.c for
xine-lib (libxine) 1-rc7 allows remote attackers to execute arbitrary
code via a crafted AIFF file.
Comment 3 Adrian Schröter 2005-01-05 20:52:29 UTC
packages and patchinfos are submitted 
Comment 4 Marcus Meissner 2005-01-21 20:43:47 UTC
approved packages. 
Comment 5 Thomas Biege 2009-10-13 20:05:47 UTC
CVE-2004-1300: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)