Bugzilla – Bug 120088
VUL-0: CVE-2005-2967: xine: remotely exploitable format string bug
Last modified: 2021-11-10 14:51:59 UTC
Hello Adrian, we received this via vendor-sec. (not public)

From: Ulf Harnhammar <metaur@telia.com>
To: vendor-sec@lst.de
Cc: miguel@cetuc.puc-rio.br, mroi@users.sourceforge.net, siggi@users.sourceforge.net
Reply-To: metaur@telia.com
User-Agent: Mutt/1.5.9i
Subject: [vendor-sec] xine/gxine CD Player Remote Format String Bug
Errors-To: vendor-sec-admin@lst.de
Date: Sun, 2 Oct 2005 02:06:17 +0200

[-- Anhang #1 --]
[-- Typ: text/plain, Kodierung: 7bit, Größe: 1,9K --]

xine/gxine CD Player Remote Format String Bug

When you use xine or gxine to play a CD, the programs will connect to a CDDB server to retrieve the record's artist/band and title as well as the song titles. The programs write this information to a cache file, and the code in xine-lib that performs this action suffers from a format string security bug, allowing remote execution of arbitrary code.

It is worth noting that CDDB servers allow any user to add or modify information about records. It is also worth noting that the vulnerable code in xine-lib writes all information about a record that the server sends to it to the cache file, including comments. This bug could be used for automated attacks against anyone who listens to particular CDs in xine or gxine.

The vulnerable code is found in the xine-lib library that both xine and gxine use. The vulnerable versions are at least xine-lib-0.9.13, 1.0, 1.0.1, 1.0.2 and 1.1.0.

To avoid this vulnerability, the user can switch off CDDB lookups under Settings / Setup - change Configuration experience level to Advanced, press Apply, go to the Media tab, deselect Query CDDB, press Apply and finally OK.

I have attached a fake CDDB server that exhibits this problem. (You do not need to change server to get hit by this bug, as the CDDB servers allow anyone to add or modify information, but I think it was nicer to test it this way.)

You run this server, then you start xine or gxine, change Configuration experience level to Master of the known universe, press Apply, go to the Media tab, enter the malicious CDDB server's host name under CDDB server name, press Apply and then OK. Finally, you put a CD in the computer's CD drive and press the CD button. The format string bug will crash xine or gxine.

I have also attached a patch that corrects the problem. I hope that we can co-ordinate our respective updates of xine-lib.

// Ulf Harnhammar for the Debian Security Audit Project
http://www.debian.org/security/audit/
CAN-2005-2967
From: Ulf Harnhammar <metaur@operamail.com>
To: Martin Schulze <joey@infodrom.org>
Cc: Free Software Distribution Vendors <vendor-sec@lst.de>, miguel@cetuc.puc-rio.br, mroi@users.sourceforge.net, siggi@users.sourceforge.net
Subject: [vendor-sec] Re: xine/gxine CD Player Remote Format String Bug
Errors-To: vendor-sec-admin@lst.de
Date: Mon, 03 Oct 2005 10:22:17 +0100

> > I have also attached a patch that corrects the problem.
>
> This attachment was missing.

OK. I can't generate a new patch from my parents' place, but it's the file src/input/input_cdda.c in xine-lib. It has a line looking like this:

fprintf(fd, filecontent);

It should be:

fprintf(fd, "%s", filecontent);

// Ulf Harnhammar
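The fix described above, as an added illustration that is not xine-lib's source or the patch from the report: the cache write from input_cdda.c with the vulnerable call kept only as a comment, the fixed call exercised, and a small directive counter a maintainer could use to log suspicious CDDB responses. The CDDB response text and file name are constructed.

```c
/* Added example, not xine-lib code: the input_cdda.c cache write with the
 * vulnerable call shown as a comment and the fixed call exercised. */
#include <stdio.h>
#include <string.h>

/* Constructed CDDB-style response; the "comment" line carries format
 * directives, which is what a malicious CDDB entry could send. */
static const char *CDDB_RESPONSE =
    "# xmcd CD database file\n"
    "# Comment: %s%s%s%n%x\n"
    "DTITLE=Example Artist / Example Album\n"
    "TTITLE0=Track One\n";
/* Count printf conversions in server-supplied text: a cheap check for
 * logging suspicious responses before they reach any *printf call. */
int count_format_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; } /* literal percent, not a conversion */
            n++;
        }
    }
    return n;
}

/* Vulnerable (xine-lib before the patch): fprintf(fd, filecontent);
 * Fixed: the data is an argument, never the format string, so "%n" etc. are written as bytes. */
int write_cdda_cache(const char *path, const char *filecontent) {
    FILE *fd = fopen(path, "w");
    if (!fd) return -1;
    fprintf(fd, "%s", filecontent);
    return fclose(fd) == 0 ? 0 : -1;
}

/* Read the cache back and check it is byte-for-byte what the server sent. */
int cache_round_trips(const char *path, const char *expected) {
    char buf[1024] = {0};
    FILE *fd = fopen(path, "r");
    if (!fd) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, fd);
    fclose(fd);
    return n == strlen(expected) && memcmp(buf, expected, n) == 0;
}

int main(void) {
    write_cdda_cache("cdda_cache_example.txt", CDDB_RESPONSE);
    printf("directives: %d, round trip ok: %d\n", count_format_directives(CDDB_RESPONSE),
           cache_round_trips("cdda_cache_example.txt", CDDB_RESPONSE));
    return remove("cdda_cache_example.txt");
}
```

Compiling with -Wformat-security flags the vulnerable form at build time, since the format argument is a non-literal with no further arguments.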
Created attachment 51396 [details] xine-lib.formatstring.patch
From: "Siggi (SourceForge)" <siggi@users.sourceforge.net>
To: Michael Roitzsch <mroi@users.sourceforge.net>
Cc: Thierry Carrez <koon@gentoo.org>, Ulf Harnhammar <metaur@operamail.com>, Martin Schulze <joey@infodrom.org>, Free Software Distribution Vendors <vendor-sec@lst.de>, Miguel Freitas <miguel@cetuc.puc-rio.br>
Subject: Re: [vendor-sec] Re: xine/gxine CD Player Remote Format String Bug
Errors-To: vendor-sec-admin@lst.de
Date: Tue, 4 Oct 2005 13:42:08 +0200 (CEST)

On Tue, 4 Oct 2005, Michael Roitzsch wrote:

>>> What about releasing this on the 8th of October? Is that enough time for
>>> everyone?
>>
>> We usually prefer weekdays... October 11th, 1400 UTC ?
>
> I think the xine team can prepare a new release of xine-lib until then
> (most likely over the course of the weekend).
>
> To the xine team:
> Should we make another release from the 1.0 tree for this? It might be too
> little time to release from 1.1 (which AFAIR has not been declared stable
> by us anyway).

Well, we'd commit the fix to both trees of course, and we'd have to release from both trees. The 1.1 release has lower priority, though, as it is officially unstable.

Note that this will appear in public CVS as soon as the fix is committed (possibly with a 24h SourceForge delay on the public CVS servers), so this is likely to go public on Saturday, even though Gentoo security prefers weekdays. (Sorry, I definitely won't be able to do any work on Monday/Tuesday...)

-siggi [xine]
Maintenance-Tracker-2516
This bug needs to be fixed quickly.
ping
Cc: Thierry Carrez <koon@gentoo.org>, "Siggi (SourceForge)" <siggi@users.sourceforge.net>, Martin Schulze <joey@infodrom.org>, Free Software Distribution Vendors <vendor-sec@lst.de>, Miguel Freitas <miguel@cetuc.puc-rio.br>
From: Michael Roitzsch <mroi@users.sourceforge.net>
Subject: Re: [vendor-sec] Re: xine/gxine CD Player Remote Format String Bug
To: Ulf Harnhammar <metaur@operamail.com>
Errors-To: vendor-sec-admin@lst.de
Date: Sat, 8 Oct 2005 16:47:44 +0200

[-- PGP Ausgabe folgt (aktuelle Zeit: Mo 10 Okt 2005 10:53:27 CEST) --]
gpg: Unterschrift vom Sa 08 Okt 2005 16:47:44 CEST, DSA Schlüssel ID 7A560AB6
gpg: Unterschrift kann nicht geprüft werden: Öffentlicher Schlüssel nicht gefunden
[-- Ende der PGP-Ausgabe --]

[-- Die folgenden Daten sind signiert --]

[-- Anhang #1 --]
[-- Typ: text/plain, Kodierung: 7bit, Größe: 0,8K --]

Hi all,

> So did we decide on Saturday?

I committed the fix to xine-lib's CVS, so it will be publicly visible in some hours anyway. I think you can just go ahead and release your advisories. We will release xine-lib 1.0.3 soon and most likely xine-lib 1.1.2 later. Both will fix this problem.

To the xine team members: I just collected all the *BUGFIX* marked patches (mostly win32 build system changes) from xine-lib HEAD and prepared a patch to backport them (including the fix for this vulnerability and the necessary version number changes) to the xine-1_0 branch. I don't know if this patch works correctly, since I have to leave now. So if someone wants to go ahead and make the 1.0.3 release, you don't have to start from scratch.

Michael
Created attachment 52066 [details] stable-bugfixes.patch
I'll do it.
Done for 9.* and 10.0; patchinfos submitted.
Thanks a lot.
packages approved
CVE-2005-2967: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)