[UNIX] Stack Overflow in AIFF Demultiplexer

From: SecuriTeam (support_at_securiteam.com)
Date: 12/29/04

  • Next message: SecuriTeam: "[UNIX] Multiple Vulnerabilities in Moodle (view.php, file.php)" 
    To: list@securiteam.com
Date: 29 Dec 2004 14:57:22 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Stack Overflow in AIFF Demultiplexer
    ------------------------------------------------------------------------

    SUMMARY

    A stack buffer overflow vulnerability in the AIFF demultiplexer has been
    found by Ariel Berkman and was reported to the xine team by D. J.
    Bernstein. This can be used for an exploit, leading to attacker-chosen
    code being executed with the permissions of the user running a xine-lib
    based media application.

    DETAILS

    Vulnerable Systems:
     * All xine version 1-alpha releases
     * All xine version 1-beta releases
     * All xine version 1-rc releases

    Immune Systems:
     * All xine version releases older than 1-alpha0
     * xine version 1.0 or newer

    AIFF is a file format supported by the xine-lib media library. During
    opening and header parsing of an AIFF file, data of arbitrary length is
    read into an unprotected stack buffer. This can lead to a stack overflow,
    which can be used to the execution of attacker-chosen code. An attacker
    can craft a malicious AIFF file and trick the user into playing it. Since
    AIFF files can also be provided through network streaming, this can be as
    easy as publishing a link on a website. It should also be noted that due
    to xine-lib's way of detecting file formats by querying each available
    demultiplexer in turn, this problem is not limited to AIFF files. The
    vulnerable code in the AIFF demultiplexer will also be executed on
    non-AIFF files.

    Severity:
    Since the involved xine plugin is part of the standard xine installation
    and the vulnerability can be used directly to write attacker-chosen code
    on the stack, we consider this problem to be critical.

    Solution:
    The enclosed patch which has been applied to xine-lib CVS fixes the
    problem but should only be used by distributors who do not want to
    upgrade. Otherwise, we strongly advise everyone to upgrade to the 1.0
    release of xine-lib. As a temporary workaround, you may delete the file
    "xineplug_dmx_audio.so" for xine-lib versions starting with and including
    1-beta3 or "xineplug_dmx_aiff.so" for xine-lib versions older than 1-beta3
    from the xine-lib plugin directory, losing the ability to play AIFF files.

    Patch:
     
    <http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/demuxers/demux_aiff.c?r1=1.39&r2=1.40&diff_format=u> http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/demuxers/demux_aiff.c? r1=1.39&r2=1.40&diff_format=u

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1300>
    CAN-2004-1300

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:mroi@users.sourceforge.net>
    Michael Roitzsch.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[UNIX] Multiple Vulnerabilities in Moodle (view.php, file.php)"

    Relevant Pages