Bug 64513 - (CVE-2004-1188) VUL-0: CVE-2004-1188: xine version 0.99.2 PNM Handler PNA_TAG Heap Overflow Vulnerability
Status: RESOLVED FIXED
Duplicates: 64512
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: All
OS: Linux
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Marcus Meissner
Security Team bot
CVE-2004-1188: CVSS v2 Base Score: 10...
Depends on:
Blocks:
Reported: 2004-12-27 18:47 UTC by Marcus Meissner
Modified: 2021-10-27 15:24 UTC (History)
See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Marcus Meissner 2004-12-27 18:47:57 UTC
Date: Tue, 21 Dec 2004 17:02:46 -0500 
Thread-Topic: iDEFENSE Security Advisory 12.21.04: Multiple Vendor Xine 
        version 0.99.2 PNM Handler PNA_TAG Heap Overflow Vulnerability 
Thread-Index: AcTnqNxeCiHab5QlRFipDl5gPOP5vQ== 
To: idlabs-advisories@idefense.com 
From: idlabs-advisories@idefense.com 
Cc: 
Subject: [Full-Disclosure] iDEFENSE Security Advisory 12.21.04: Multiple 
        Vendor Xine version 
        0.99.2 PNM Handler PNA_TAG Heap Overflow Vulnerability 
Reply-To: customerservice@idefense.com 
Errors-To: full-disclosure-bounces@lists.netsys.com 
 
Multiple Vendor Xine version 0.99.2 PNM Handler PNA_TAG Heap Overflow 
Vulnerability 
 
iDEFENSE Security Advisory 12.21.04 
www.idefense.com/application/poi/display?id=176&type=vulnerabilities 
December 21, 2004 
 
I. BACKGROUND 
 
Xine is a multimedia player which runs on multiple platforms. 
More information is available at: 
 
   http://xinehq.de/ 
 
II. DESCRIPTION 
 
Remote exploitation of a buffer overflow in version 0.99.2 of xine could 
allow execution of arbitrary code. 
 
The vulnerability specifically exists in the PNA_TAG handling code of 
the pnm_get_chunk() function. The function does not check whether the 
length of an input to be stored in a fixed size buffer is larger than 
the buffer size. 
 
III. ANALYSIS 
 
Exploitation of this vulnerability allows execution of arbitrary code 
with the privileges of the targeted user. 
 
In order to exploit this vulnerability, an attacker would have to 
convince the targeted user to open a connection to a malicious PNM 
server with xine, using a pnm://address/ URL. Depending on configuration 
options, this may be exploitable simply by clicking on a link, or it may 
require the user to launch the application, specifically requesting the 
malicious content. 
 
IV. DETECTION 
 
iDEFENSE Labs has confirmed the existence of this vulnerability in xine 
version 0.99.2. It is suspected that earlier versions of xine also 
contain this vulnerability. 
 
This vulnerability also affects MPlayer prior to MPlayer 1.0pre5try2. 
 
V. WORKAROUND 
 
iDEFENSE is currently unaware of any effective workarounds for this 
issue. 
 
VI. VENDOR RESPONSE 
 
xine-lib 1-rc8 was released to address this vulnerability and is 
available for download at: 
 
   http://xinehq.de/index.php/releases 
 
An xine patch for this vulnerability is available at: 
 
   http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/pnm.c?r1=1.20&r2=1.21 
 
An MPlayer patch for this vulnerability is available at: 
 
   http://www.mplayerhq.hu/MPlayer/patches/pnm_fix_20041215.diff 
 
VII. CVE INFORMATION 
 
The Common Vulnerabilities and Exposures (CVE) project has assigned the 
names CAN-2004-1187 to these issues. This is a candidate for inclusion  
in the CVE list (http://cve.mitre.org), which standardizes names for 
security problems. 
 
VIII. DISCLOSURE TIMELINE 
 
12/10/2004  Initial vendor notification 
12/11/2004  Initial vendor response 
12/21/2004  Public disclosure 
 
IX. CREDIT 
 
The discoverer of this vulnerability wishes to remain anonymous.
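The missing length check the advisory describes in pnm_get_chunk(), shown as a constructed C illustration added here, not code from xine's pnm.c: the chunk layout, TAG_BUF_SIZE and the function names are assumptions, and only the hardened parser should ever see untrusted input.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical fixed-size destination standing in for the fixed buffer the
 * advisory describes; the real size in xine's pnm.c is not given on the page. */
#define TAG_BUF_SIZE 16

/* Chunk layout assumed for this illustration only: one length byte followed
 * by that many bytes of tag value (constructed, not the PNM wire format). */

/* Before: the declared length is trusted, so a length larger than the
 * buffer writes past 'out'. Kept only for contrast; never feed it
 * untrusted input. */
int parse_tag_unchecked(const uint8_t *chunk, size_t chunk_len, char *out) {
    if (chunk_len < 1) return -1;
    size_t len = chunk[0];
    memcpy(out, chunk + 1, len);     /* no comparison against TAG_BUF_SIZE */
    out[len] = '\0';
    return (int)len;
}

/* After: validate the declared length against both the destination buffer
 * and the bytes actually present before copying; reject rather than
 * silently truncate. Returns the value length, or -1 if rejected. */
int parse_tag_hardened(const uint8_t *chunk, size_t chunk_len, char *out) {
    if (chunk_len < 1) return -1;
    size_t len = chunk[0];
    if (len >= TAG_BUF_SIZE) return -1;   /* leave room for the terminator */
    if (len > chunk_len - 1) return -1;   /* length exceeds what was read  */
    memcpy(out, chunk + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Run the hardened parser against a chunk with a properly sized buffer. */
int check_chunk(const uint8_t *chunk, size_t chunk_len) {
    char buf[TAG_BUF_SIZE];
    return parse_tag_hardened(chunk, chunk_len, buf);
}

/* Constructed sample chunks. */
static const uint8_t good_chunk[] = { 5, 'h', 'e', 'l', 'l', 'o' };
/* Exactly fills the buffer (15 bytes + NUL): the largest accepted value. */
static const uint8_t edge_chunk[] = { 15, 'a','a','a','a','a','a','a','a',
                                          'a','a','a','a','a','a','a' };
/* Declares 200 bytes: larger than the buffer and than the bytes present. */
static const uint8_t bad_chunk[]  = { 200, 'x', 'x', 'x' };
```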
Comment 1 Marcus Meissner 2004-12-27 18:47:57 UTC
n/a
Comment 2 Adrian Schröter 2005-01-03 18:27:56 UTC
what does this report mean to me? fixing for STABLE or for everything?
Shouldn't there be a SWAMP entry, if it should get fixed for released
products?

xine 1.0 is about to go to STABLE today ....
Comment 3 Marcus Meissner 2005-01-03 18:51:31 UTC
use: 
SWAMPID: 95 
 
in the patchinfo files. 
Comment 4 Marcus Meissner 2005-01-03 18:58:12 UTC
fix for all old products shipping xine-lib ... if possible 
Comment 5 Marcus Meissner 2005-01-03 19:14:05 UTC
======================================================
Candidate: CAN-2004-1187
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1187
Reference: IDEFENSE:20041221 Multiple Vendor Xine version 0.99.2 PNM Handler PNA_TAG Heap Overflow Vulnerability
Reference: URL:http://www.idefense.com/application/poi/display?id=176&type=vulnerabilities
Reference: CONFIRM:http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/pnm.c?r1=1.20&r2=1.21
Reference: CONFIRM:http://www.mplayerhq.hu/MPlayer/patches/pnm_fix_20041215.diff

Heap-based buffer overflow in the pnm_get_chunk function for xine
0.99.2, and other packages such as MPlayer that use the same code,
allows remote attackers to execute arbitrary code via long PNA_TAG
values, a different vulnerability than CAN-2004-1188.
Comment 6 Adrian Schröter 2005-01-05 18:25:55 UTC
*** Bug 64512 has been marked as a duplicate of this bug. ***
Comment 7 Adrian Schröter 2005-01-05 20:51:33 UTC
packages and patch infos are submitted. 
 
Please note that the package on 8.2 is named "xine" instead of "xine-lib" 
Comment 8 Ludwig Nussel 2005-01-18 20:44:40 UTC
also CAN-2004-1188 
Comment 9 Marcus Meissner 2005-01-21 20:43:33 UTC
approved packages. 
Comment 10 Thomas Biege 2009-10-13 20:09:14 UTC
CVE-2004-1188: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)