[oCERT-2008-008] multiple heap overflows in xine-lib




#2008-008 multiple heap overflows in xine-lib

Description:

The xine free multimedia player suffers from a number of vulnerabilities
ranging in severity. The worst of these vulnerabilities results in
arbitrary code execution and the least, in unexpected process
termination.

Five heap buffer overflows exist in parsing of real audio files, id3
tags, qt mov files, and matroska headers which all can result in
arbitrary code execution.

Three additional heap buffer overflows occur in mng, mod, and real
handling which are potentially exploitable.

Seven additional issues were identified in the input plugins as well as
the real, qt, and matroska demuxers which result in process termination
or memory corruption that may have wider implications.

The oCERT team was contacted by the Xine project requesting a review of
some code changes relating to memory allocations. These vulnerabilities
were the findings of this requested analysis. The full analysis text can
be found in the references below.

Affected version:

xine-lib <= 1.1.14

Fixed version:

xine-lib >= 1.1.15 [*]

* - see analysis text for more detail on fixes

Credit: Will Drewry, oCERT Team | Google Security Team.

CVE: TBD

Timeline:
2008-04-30: vendor contacts oCERT asking patch analysis
2008-05-06: analysis results in bug being found, test case sent upstream
2008-05-07: vendor submits second set of patches for analysis
2008-05-07: vendor provides issue private exposure to some vendors
2008-05-07: vendor proposes patch for the found security bug
2008-05-25: Full analysis results supplied to vendor and another PoC
2008-05-27: oCERT contacts vendor regarding timeline and coordination
2008-05-28: vendor asks for clarification
2008-06-09: oCERT contacts vendor offering help
2008-06-11: vendor supplies patches
2008-06-18: oCERT indicates that patches are incomplete
2008-06-21: vendor confirms receipt and looks in to options
2008-07-02: vendor indicates problem with a potential fix; oCERT replies
2008-07-28: vendor contact becomes unavailable
2008-08-11: oCERT attempts another contact with vendor
2008-08-12: new contact is confirmed
2008-08-14: xine-lib releases 1.1.15 with fixes (w/out oCERT knowledge)
2008-08-18: oCERT supplies all original findings and test cases again
2008-08-22: Ludwig Nussel notified oCERT regarding 1.1.15
2008-08-22: advisory release

References:
- Vulnerability analysis report:
http://www.ocert.org/analysis/2008-008/analysis.txt
- xine-1.1.15 release notes:
http://sourceforge.net/project/shownotes.php?release_id=619869&group_id=9655

Links:
- http://xinehq.de


--
Will Drewry <redpig@xxxxxxxxx>
oCERT Team :: http://ocert.org



Relevant Pages

  • [Full-Disclosure] its all about timing
    ... Why do people look for vulnerabilities? ... They publish vuln info because they have customers that pay (or ... Full Disclosure issue must take into account the ... report vulns primarily to the vendor, in the hope that the vendor will ...
    (Full-Disclosure)
  • Re: ROI (ROSI?) on IDP devices
    ... vulnerabilities go all the way up the application stack. ... after 2 to 7 days by IPS vendor. ... I'd say that's a useless IDP system, ... The signatures are lagging too far behind the vulnerabilities. ...
    (Focus-IDS)
  • [Full-disclosure] Vulnerability Type Distributions in CVE
    ... Vulnerability Type Distributions in CVE ... Table 4 Analysis: Open and Closed Source ... lead to publicly reported vulnerabilities, ... are in the top 3 for OS vendor advisories. ...
    (Full-Disclosure)
  • Vulnerability Type Distributions in CVE
    ... Vulnerability Type Distributions in CVE ... Table 4 Analysis: Open and Closed Source ... lead to publicly reported vulnerabilities, ... are in the top 3 for OS vendor advisories. ...
    (Bugtraq)
  • [Full-Disclosure] SugarSales Multiple Vulnerabilities
    ... Product: SugarSales ... Vendor: SugarCRM ... Multiple Vulnerabilities have been found in the open source customer ... all such file inclusion flaws, remote command execution is just the blink ...
    (Full-Disclosure)