Bugzilla – Bug 64513
VUL-0: CVE-2004-1188: xine version 0.99.2 PNM Handler PNA_TAG Heap Overflow Vulnerability
Last modified: 2021-10-27 15:24:12 UTC
Date: Tue, 21 Dec 2004 17:02:46 -0500
Thread-Topic: iDEFENSE Security Advisory 12.21.04: Multiple Vendor Xine version 0.99.2 PNM Handler PNA_TAG Heap Overflow Vulnerability
Thread-Index: AcTnqNxeCiHab5QlRFipDl5gPOP5vQ==
To: idlabs-advisories@idefense.com
From: idlabs-advisories@idefense.com
Cc:
Subject: [Full-Disclosure] iDEFENSE Security Advisory 12.21.04: Multiple Vendor Xine version 0.99.2 PNM Handler PNA_TAG Heap Overflow Vulnerability
Reply-To: customerservice@idefense.com
Errors-To: full-disclosure-bounces@lists.netsys.com

Multiple Vendor Xine version 0.99.2 PNM Handler PNA_TAG Heap Overflow Vulnerability

iDEFENSE Security Advisory 12.21.04
www.idefense.com/application/poi/display?id=176&type=vulnerabilities
December 21, 2004

I. BACKGROUND

Xine is a multimedia player which runs on multiple platforms. More information is available at:
http://xinehq.de/

II. DESCRIPTION

Remote exploitation of a buffer overflow in version 0.99.2 of xine could allow execution of arbitrary code. The vulnerability specifically exists in the PNA_TAG handling code of the pnm_get_chunk() function. The function does not check if the length of an input to be stored in a fixed size buffer is larger than the buffer size.

III. ANALYSIS

Exploitation of this vulnerability allows execution of arbitrary code with the privileges of the targeted user. In order to exploit this vulnerability, an attacker would have to convince the targeted user to open a connection to a malicious PNM server with xine, using a pnm://address/ URL. Depending on configuration options, this may be exploitable simply by clicking on a link, or it may require the user to launch the application, specifically requesting the malicious content.

IV. DETECTION

iDEFENSE Labs has confirmed the existence of this vulnerability in xine version 0.99.2. It is suspected that earlier versions of xine also contain this vulnerability. This vulnerability also affects MPlayer prior to MPlayer 1.0pre5try2.

V. WORKAROUND

iDEFENSE is currently unaware of any effective workarounds for this issue.

VI. VENDOR RESPONSE

xine-lib 1-rc8 was released to address this vulnerability and is available for download at:
http://xinehq.de/index.php/releases

An xine patch for this vulnerability is available at:
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/pnm.c?r1=1.20&r2=1.21

An MPlayer patch for this vulnerability is available at:
http://www.mplayerhq.hu/MPlayer/patches/pnm_fix_20041215.diff

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the names CAN-2004-1187 to these issues. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

12/10/2004 Initial vendor notification
12/11/2004 Initial vendor response
12/21/2004 Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.
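The missing length check described in section II, as an added illustration (constructed here; this is not xine's pnm.c, the vendor patch, or MPlayer's fix): a reader for a length-prefixed tag chunk that rejects a chunk whose announced length exceeds either the fixed destination buffer or the bytes actually received. The function names, the 32-byte buffer size and the sample chunks are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PNA_TAG_MAX 32   /* fixed-size destination; constructed size, not xine's */
enum { CHUNK_OK = 0, CHUNK_TRUNCATED = -1, CHUNK_TOO_LONG = -2 };
/* Parse one length-prefixed tag chunk: 2-byte big-endian length, then payload.
 * The advisory's bug is the missing PNA_TAG_MAX comparison: the peer-supplied
 * length went straight into the copy. The first check bounds the read against
 * the bytes actually received, the second bounds the write against `out`. */
int get_tag_chunk(const uint8_t *in, size_t in_len, char *out, size_t *out_len)
{
    if (in_len < 2)
        return CHUNK_TRUNCATED;
    size_t len = ((size_t)in[0] << 8) | in[1];
    if (len > in_len - 2)
        return CHUNK_TRUNCATED;     /* header claims more than arrived */
    if (len >= PNA_TAG_MAX)
        return CHUNK_TOO_LONG;      /* the missing check; leaves room for NUL */
    memcpy(out, in + 2, len);
    out[len] = '\0';
    *out_len = len;
    return CHUNK_OK;
}
/* Constructed sample chunks; each driver returns the parser's verdict. */
int demo_valid(void)        /* 5-byte "hello" -> CHUNK_OK */
{
    static const uint8_t wire[] = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    char tag[PNA_TAG_MAX]; size_t n = 0;
    int rc = get_tag_chunk(wire, sizeof wire, tag, &n);
    return (rc == CHUNK_OK && n == 5 && strcmp(tag, "hello") == 0) ? CHUNK_OK : -99;
}
int demo_oversized(void)    /* 64 bytes present, exceeds 32-byte buffer -> CHUNK_TOO_LONG */
{
    uint8_t wire[2 + 64] = { 0x00, 64 }; memset(wire + 2, 'A', 64);
    char tag[PNA_TAG_MAX]; size_t n = 0;
    return get_tag_chunk(wire, sizeof wire, tag, &n);
}
int demo_truncated(void)    /* header claims 4096 bytes, only 4 arrived -> CHUNK_TRUNCATED */
{
    static const uint8_t wire[] = { 0x10, 0x00, 'a', 'b', 'c', 'd' };
    char tag[PNA_TAG_MAX]; size_t n = 0;
    return get_tag_chunk(wire, sizeof wire, tag, &n);
}
int main(void)
{
    printf("valid=%d oversized=%d truncated=%d\n", demo_valid(), demo_oversized(), demo_truncated());
    return 0;
}
```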
What does this report mean to me? Fixing for STABLE or for everything? Shouldn't there be a SWAMP entry if it should get fixed for released products? xine 1.0 is about to go to STABLE today....
use: SWAMPID: 95 in the patchinfo files.
fix for all old products shipping xine-lib ... if possible
======================================================
Candidate: CAN-2004-1187
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1187
Reference: IDEFENSE:20041221 Multiple Vendor Xine version 0.99.2 PNM Handler PNA_TAG Heap Overflow Vulnerability
Reference: URL:http://www.idefense.com/application/poi/display?id=176&type=vulnerabilities
Reference: CONFIRM:http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/pnm.c?r1=1.20&r2=1.21
Reference: CONFIRM:http://www.mplayerhq.hu/MPlayer/patches/pnm_fix_20041215.diff

Heap-based buffer overflow in the pnm_get_chunk function for xine 0.99.2, and other packages such as MPlayer that use the same code, allows remote attackers to execute arbitrary code via long PNA_TAG values, a different vulnerability than CAN-2004-1188.
*** Bug 64512 has been marked as a duplicate of this bug. ***
Packages and patch infos are submitted. Please note that the package on 8.2 is named "xine" instead of "xine-lib".
Also CAN-2004-1188.
Approved packages.
CVE-2004-1188: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)