xine-lib: multiple heap overflows

Debian Bug report logs - #498243
xine-lib: multiple heap overflows

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: xine-lib: multiple heap overflows

Date: Mon, 08 Sep 2008 22:17:27 +1000

Package: xine-lib
Severity: grave
Tags: security
Justification: user security hole

Hi,

As you are probably aware oCERT released an advisory[0] about
several issues they found in xine-lib.
I am just wondering, how we are going to address the debian versions?

Cheers
Steffen

[0]: http://www.ocert.org/advisories/ocert-2008-008.html

Message #10 received at 498243@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>

To: 498243@bugs.debian.org, 498243-submitter@bugs.debian.org

Subject: Re: xine-lib: multiple heap overflows

Date: Sat, 20 Sep 2008 02:00:56 +0100

[Message part 1 (text/plain, inline)]

Darren Salt is a maintainer of both upstream xine-lib and the Debian
package.  It appears that he has applied all the upstream security fixes
since 1.1.14 to the Debian package as well.

That leaves issues 1B-1D to be checked and 3A-3G to be addressed.

Ben.

[signature.asc (application/pgp-signature, inline)]

Message #18 received at 498243@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>

To: control@bugs.debian.org

Cc: 498243@bugs.debian.org

Subject: user bugsquash@qa.debian.org, usertagging 498243

Date: Mon, 22 Sep 2008 01:56:36 +0100

# Automatically generated email from bts, devscripts version 2.10.35
# Haven't had time to get far with this
user bugsquash@qa.debian.org
# Haven't had time to get far with this
usertags 498243  - ben@decadent.org.uk

Message #23 received at 498243@bugs.debian.org (full text, mbox, reply):

From: Reinhard Tartler <siretart@debian.org>

To: debian-devel@lists.debian.org

Cc: 498243@bugs.debian.org, Darren Salt <ds@youmustbejoking.demon.co.uk>

Subject: Re: List of RC-buggy source packages by maintainer/uploader

Date: Tue, 07 Oct 2008 06:55:26 +0200

Lucas Nussbaum <lucas@lucas-nussbaum.net> writes:

> Reinhard Tartler <siretart@tauware.de>
>    xine-lib (#498243)

Needs help. That report is a security report from ocert. The full report
can be seen here: http://www.ocert.org/analysis/2008-008/analysis.txt

all fixes from 1.1.15 are backported to debian's 1.1.14 package already,
what is missing are issues 3A-3G.

TBH, since these issues are "Unexpected process termination and other
issues", I think that bug can be downgraded to "important". Darren, what
do you think?



-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

Message #28 received at 498243@bugs.debian.org (full text, mbox, reply):

From: Ben Finney <ben@benfinney.id.au>

To: 498243@bugs.debian.org, Debian BTS control <control@bugs.debian.org>

Cc: Reinhard Tartler <siretart@debian.org>, Darren Salt <ds@youmustbejoking.demon.co.uk>

Subject: Bug #498243: help requested

Date: Tue, 7 Oct 2008 16:56:02 +1100

[Message part 1 (text/plain, inline)]

package xine-lib
tags 498243 + help
thanks

On 07-Oct-2008, Reinhard Tartler wrote:
> > Reinhard Tartler <siretart@tauware.de>
> >    xine-lib (#498243)
> 
> Needs help.

Tagging the bug appropriately.

-- 
 \     “If nothing changes, everything will remain the same.” —Barne's |
  `\                                                               Law |
_o__)                                                                  |
Ben Finney <ben@benfinney.id.au>

[signature.asc (application/pgp-signature, inline)]

Message #35 received at 498243@bugs.debian.org (full text, mbox, reply):

From: David Moreno <david@axiombox.com>

To: 498243@bugs.debian.org, control@bugs.debian.org

Subject: Re: xine-lib: multiple heap overflows

Date: Sat, 25 Oct 2008 23:40:44 -0400

tags 498243 + upstream
severity 498243 important
stop

Issues 3A-3G haven't been addressed yet by Xine, not even in release
1.1.15, tagging upstream.

As Reinhard Tartler suggests, the severity can be downgraded now; the
remaining issues subjected "unexpected process termination and other
issues" are not considered to be grave-wise anymore since they are not
representing security holes exposing user data or data loss, but only
random different problems prone to unexpected crashes or segmentation
faults: 'important' severity.

Message #44 received at 498243@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: David Moreno <david@axiombox.com>

Cc: 498243@bugs.debian.org, control@bugs.debian.org

Subject: Re: xine-lib: multiple heap overflows

Date: Sun, 26 Oct 2008 11:59:46 +0100

severity 498243 grave
thanks

On Sat, Oct 25, 2008 at 11:40:44PM -0400, David Moreno wrote:
> tags 498243 + upstream
> stop
> 
> Issues 3A-3G haven't been addressed yet by Xine, not even in release
> 1.1.15, tagging upstream.
> 
> As Reinhard Tartler suggests, the severity can be downgraded now; the
> remaining issues subjected "unexpected process termination and other
> issues" are not considered to be grave-wise anymore since they are not
> representing security holes exposing user data or data loss, but only
> random different problems prone to unexpected crashes or segmentation
> faults: 'important' severity.

The ocert advisory states that code injection is possible for some of
the issues in 3A-3G and Will knows what he's doing.

Given that his report also has precise information, where the specific
bugs are present, this should rather be patched than downgraded.

Cheers,
        Moritz

Message #51 received at 498243@bugs.debian.org (full text, mbox, reply):

From: Thomas Viehmann <tv@beamnet.de>

To: oss-security@lists.openwall.com

Cc: 498243@bugs.debian.org, xine-user@lists.sourceforge.net, redpig@ocert.org

Subject: xine-lib and ocert-2008-008

Date: Sat, 22 Nov 2008 17:49:40 +0100

[Message part 1 (text/plain, inline)]

[resending this with hopefully less broken CC, apologies]

Hi,

I am not quite sure whether I can agree with Will Drewry's analysis[1]
accompanying ocert advisory 2008-008[1]. Looking at item 1A, which Will
says is fixed in 1.1.5, attached .mov seems to fit the case description
and will still corrupt the memory when viewed e.g. in gxine. xine-lib
with the attached patch seems to be more successful in preventing the
attach (note that the file is more tuned to be small than to be a valid
.mov, but the same works by including the bad meta in an otherwise good
file). Note that xine_xmalloc is specifically designed to allocate
memory when passed size 0. Upstream seems to move away from it, but...
As Will notices, demux-qt.c has loads of unfixed problems.

If anyone cares to go over the xine-lib issues (primarily the unfixed
ones from Will's section 3), I'd much appreciate a CC. In order to make
the analysis and verification more, I would also be interested in the
test cases mentioned in the advisory.

Kind regards

T.

1. http://www.ocert.org/analysis/2008-008/analysis.txt
2. http://www.ocert.org/advisories/ocert-2008-008.html
-- 
Thomas Viehmann, http://thomas.viehmann.net/

[ocert-2008-008-1a-notfixed.mov (video/quicktime, inline)]

[fix-for-ocert-2008-008-1a.diff (text/x-patch, inline)]

--- xine-lib-1.1.14.orig/src/demuxers/demux_qt.c
+++ xine-lib-1.1.14/src/demuxers/demux_qt.c
@@ -739,49 +739,49 @@
     if (current_atom == ART_ATOM) {
       string_size = _X_BE_32(&meta_atom[i + 4]) - 16 + 1;
       info->artist = xine_xmalloc(string_size);
-      if (info->artist) {
+      if (string_size && info->artist) {
         strncpy(info->artist, &meta_atom[i + 20], string_size - 1);
         info->artist[string_size - 1] = 0;
       }
     } else if (current_atom == NAM_ATOM) {
       string_size = _X_BE_32(&meta_atom[i + 4]) - 16 + 1;
       info->name = xine_xmalloc(string_size);
-      if (info->name) {
+      if (string_size && info->name) {
         strncpy(info->name, &meta_atom[i + 20], string_size - 1);
         info->name[string_size - 1] = 0;
       }
     } else if (current_atom == ALB_ATOM) {
       string_size = _X_BE_32(&meta_atom[i + 4]) - 16 + 1;
       info->album = xine_xmalloc(string_size);
-      if (info->album) {
+      if (string_size && info->album) {
         strncpy(info->album, &meta_atom[i + 20], string_size - 1);
         info->album[string_size - 1] = 0;
       }
     } else if (current_atom == GEN_ATOM) {
       string_size = _X_BE_32(&meta_atom[i + 4]) - 16 + 1;
       info->genre = xine_xmalloc(string_size);
-      if (info->genre) {
+      if (string_size && info->genre) {
         strncpy(info->genre, &meta_atom[i + 20], string_size - 1);
         info->genre[string_size - 1] = 0;
       }
     } else if (current_atom == TOO_ATOM) {
       string_size = _X_BE_32(&meta_atom[i + 4]) - 16 + 1;
       info->comment = xine_xmalloc(string_size);
-      if (info->comment) {
+      if (string_size && info->comment) {
         strncpy(info->comment, &meta_atom[i + 20], string_size - 1);
         info->comment[string_size - 1] = 0;
       }
     } else if (current_atom == WRT_ATOM) {
       string_size = _X_BE_32(&meta_atom[i + 4]) - 16 + 1;
       info->composer = xine_xmalloc(string_size);
-      if (info->composer) {
+      if (string_size && info->composer) {
         strncpy(info->composer, &meta_atom[i + 20], string_size - 1);
         info->composer[string_size - 1] = 0;
       }
     } else if (current_atom == DAY_ATOM) {
       string_size = _X_BE_32(&meta_atom[i + 4]) - 16 + 1;
       info->year = xine_xmalloc(string_size);
-      if (info->year) {
+      if (string_size && info->year) {
         strncpy(info->year, &meta_atom[i + 20], string_size - 1);
         info->year[string_size - 1] = 0;
       }

Message #56 received at 498243@bugs.debian.org (full text, mbox, reply):

From: Matthias Hopf <mhopf@suse.de>

To: oss-security@lists.openwall.com

Cc: 498243@bugs.debian.org, xine-user@lists.sourceforge.net, redpig@ocert.org

Subject: Re: [oss-security] xine-lib and ocert-2008-008

Date: Mon, 24 Nov 2008 16:23:17 +0100

On Nov 22, 08 17:49:40 +0100, Thomas Viehmann wrote:
> I am not quite sure whether I can agree with Will Drewry's analysis[1]
> accompanying ocert advisory 2008-008[1]. Looking at item 1A, which Will
> says is fixed in 1.1.5, attached .mov seems to fit the case description
> and will still corrupt the memory when viewed e.g. in gxine. xine-lib
> with the attached patch seems to be more successful in preventing the
> attach (note that the file is more tuned to be small than to be a valid
> .mov, but the same works by including the bad meta in an otherwise good
> file). Note that xine_xmalloc is specifically designed to allocate
> memory when passed size 0. Upstream seems to move away from it, but...
> As Will notices, demux-qt.c has loads of unfixed problems.
> 
> If anyone cares to go over the xine-lib issues (primarily the unfixed
> ones from Will's section 3), I'd much appreciate a CC. In order to make
> the analysis and verification more, I would also be interested in the
> test cases mentioned in the advisory.

I have fixed all of them (at least I believe so, but I have to verify
your test case), and we're waiting for new ocert numbers. Given that
this takes so long, and the issues are public anyway, I will probably
upstream the fixes soon. If you would verify them it would be awesome.

Matthias

-- 
Matthias Hopf <mhopf@suse.de>      __        __   __
Maxfeldstr. 5 / 90409 Nuernberg   (_   | |  (_   |__          mat@mshopf.de
Phone +49-911-74053-715           __)  |_|  __)  |__  R & D   www.mshopf.de

Message #61 received at 498243@bugs.debian.org (full text, mbox, reply):

From: Thomas Viehmann <tv@beamnet.de>

To: 498243@bugs.debian.org, team@security.debian.org

Subject: patches being reviewed

Date: Wed, 26 Nov 2008 00:07:37 +0100

Hi,

I'm presently reviewing Matthias' patches. As soon as he discloses them,
 (expected next Monday or so), I'll post a diff here.

Kind regards

T.
-- 
Thomas Viehmann, http://thomas.viehmann.net/

Message #66 received at 498243@bugs.debian.org (full text, mbox, reply):

From: "Steven M. Christey" <coley@linus.mitre.org>

To: oss-security@lists.openwall.com

Cc: 498243@bugs.debian.org, xine-user@lists.sourceforge.net, redpig@ocert.org

Subject: Re: [oss-security] xine-lib and ocert-2008-008

Date: Tue, 25 Nov 2008 19:46:19 -0500 (EST)

On Sat, 22 Nov 2008, Thomas Viehmann wrote:

> I am not quite sure whether I can agree with Will Drewry's analysis[1]
> accompanying ocert advisory 2008-008[1]. Looking at item 1A, which Will
> says is fixed in 1.1.5, attached .mov seems to fit the case description
> and will still corrupt the memory when viewed e.g. in gxine.

This has finally prompted me to process CVE's for the issues originally
disclosed by Will back in August.  Our analysts didn't have a very
pleasant time with the volume and complexity, I'm sure.  Sorry it took so
long.

CVE-2008-5234 includes two separate bugs, one of which is the item 1A you
mention (parse_moov_atom in demux_qt.c). If CVE-2008-5234 actually wasn't
fixed in 1.1.15, we might need a new CVE to handle the variant.

There are also some cases where an xine bug announcement includes some
bugs that weren't covered by Will's analysis; those won't have an OCERT
reference.

CVE-2008-5236 and CVE-2008-5237, and possibly others, don't have a
"CONFIRM" reference in them - which implies that, based on CVE analysis,
the upstream vendor didn't provide enough clear evidence of a fix.

My brain is too fried to process the followup comment that listed
individual patches.

- Steve

======================================================
Name: CVE-2008-5233
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5233
Reference: BUGTRAQ:20080822 [oCERT-2008-008] multiple heap overflows in xine-lib
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/495674/100/0/threaded
Reference: MISC:http://www.ocert.org/analysis/2008-008/analysis.txt
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=619869
Reference: BID:30797
Reference: URL:http://www.securityfocus.com/bid/30797
Reference: SECTRACK:1020703
Reference: URL:http://securitytracker.com/id?1020703

xine-lib 1.1.12, and other versions before 1.1.15, does not check for
failure of malloc in circumstances including (1) the
mymng_process_header function in demux_mng.c, (2) the open_mod_file
function in demux_mod.c, and (3) frame_buffer allocation in the
real_parse_audio_specific_data function in demux_real.c, which allows
remote attackers to cause a denial of service (crash) or possibly
execute arbitrary code via a crafted media file.


======================================================
Name: CVE-2008-5234
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5234
Reference: BUGTRAQ:20080822 [oCERT-2008-008] multiple heap overflows in xine-lib
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/495674/100/0/threaded
Reference: MISC:http://www.ocert.org/analysis/2008-008/analysis.txt
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=619869
Reference: BID:30797
Reference: URL:http://www.securityfocus.com/bid/30797
Reference: FRSIRT:ADV-2008-2382
Reference: URL:http://www.frsirt.com/english/advisories/2008/2382
Reference: SECTRACK:1020703
Reference: URL:http://securitytracker.com/id?1020703
Reference: SECUNIA:31502
Reference: URL:http://secunia.com/advisories/31502

Multiple heap-based buffer overflows in xine-lib 1.1.12, and other
versions before 1.1.15, allow remote attackers to execute arbitrary
code via vectors related to (1) a crafted metadata atom size processed
by the parse_moov_atom function in demux_qt.c and (2) frame reading in
the id3v23_interp_frame function in id3.c.  NOTE: as of 20081122, it is
possible that vector 1 has not been fixed in 1.1.15.


======================================================
Name: CVE-2008-5235
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5235
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=619869
Reference: FRSIRT:ADV-2008-2382
Reference: URL:http://www.frsirt.com/english/advisories/2008/2382
Reference: SECTRACK:1020703
Reference: URL:http://securitytracker.com/id?1020703
Reference: SECUNIA:31502
Reference: URL:http://secunia.com/advisories/31502

Heap-based buffer overflow in the demux_real_send_chunk function in
src/demuxers/demux_real.c in xine-lib before 1.1.15 allows remote
attackers to execute arbitrary code via a crafted Real Media file.
NOTE: some of these details are obtained from third party information.


======================================================
Name: CVE-2008-5236
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5236
Reference: BUGTRAQ:20080822 [oCERT-2008-008] multiple heap overflows in xine-lib
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/495674/100/0/threaded
Reference: MISC:http://sourceforge.net/project/shownotes.php?release_id=619869
Reference: MISC:http://www.ocert.org/analysis/2008-008/analysis.txt
Reference: BID:30797
Reference: URL:http://www.securityfocus.com/bid/30797
Reference: FRSIRT:ADV-2008-2382
Reference: URL:http://www.frsirt.com/english/advisories/2008/2382
Reference: FRSIRT:ADV-2008-2427
Reference: URL:http://www.frsirt.com/english/advisories/2008/2427
Reference: SECUNIA:31502
Reference: URL:http://secunia.com/advisories/31502
Reference: SECUNIA:31567
Reference: URL:http://secunia.com/advisories/31567

Multiple heap-based buffer overflows in xine-lib 1.1.12, and other
1.1.15 and earlier versions, allow remote attackers to execute
arbitrary code via vectors related to (1) a crafted EBML element
length processed by the parse_block_group function in
demux_matroska.c; (2) a certain combination of sps, w, and h values
processed by the real_parse_audio_specific_data and
demux_real_send_chunk functions in demux_real.c; and (3) an
unspecified combination of three values processed by the open_ra_file
function in demux_realaudio.c.  NOTE: vector 2 reportedly exists
because of an incomplete fix in 1.1.15.


======================================================
Name: CVE-2008-5237
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5237
Reference: BUGTRAQ:20080822 [oCERT-2008-008] multiple heap overflows in xine-lib
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/495674/100/0/threaded
Reference: MISC:http://www.ocert.org/analysis/2008-008/analysis.txt
Reference: BID:30797
Reference: URL:http://www.securityfocus.com/bid/30797

Multiple integer overflows in xine-lib 1.1.12, and other 1.1.15 and
earlier versions, allow remote attackers to cause a denial of service
(crash) or possibly execute arbitrary code via (1) crafted width and
height values that are not validated by the mymng_process_header
function in demux_mng.c before use in an allocation calculation or (2)
crafted current_atom_size and string_size values processed by the
parse_reference_atom function in demux_qt.c.


======================================================
Name: CVE-2008-5238
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5238
Reference: BUGTRAQ:20080822 [oCERT-2008-008] multiple heap overflows in xine-lib
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/495674/100/0/threaded
Reference: MISC:http://www.ocert.org/analysis/2008-008/analysis.txt
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=619869
Reference: BID:30797
Reference: URL:http://www.securityfocus.com/bid/30797
Reference: SECTRACK:1020703
Reference: URL:http://securitytracker.com/id?1020703

Integer overflow in the real_parse_mdpr function in demux_real.c in
xine-lib 1.1.12, and other versions before 1.1.15, allows remote
attackers to cause a denial of service (crash) or possibly execute
arbitrary code via a crafted stream_name_size field.


======================================================
Name: CVE-2008-5239
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5239
Reference: BUGTRAQ:20080822 [oCERT-2008-008] multiple heap overflows in xine-lib
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/495674/100/0/threaded
Reference: MISC:http://www.ocert.org/analysis/2008-008/analysis.txt
Reference: BID:30797
Reference: URL:http://www.securityfocus.com/bid/30797

xine-lib 1.1.12, and other 1.1.15 and earlier versions, does not
properly handle (a) negative and (b) zero values during unspecified
read function calls in input_file.c, input_net.c, input_smb.c, and
input_http.c, which allows remote attackers to cause a denial of
service (crash) or possibly execute arbitrary code via vectors such as
(1) a file or (2) an HTTP response, which triggers consequences such
as out-of-bounds reads and heap-based buffer overflows.


======================================================
Name: CVE-2008-5240
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5240
Reference: BUGTRAQ:20080822 [oCERT-2008-008] multiple heap overflows in xine-lib
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/495674/100/0/threaded
Reference: MISC:http://www.ocert.org/analysis/2008-008/analysis.txt
Reference: BID:30797
Reference: URL:http://www.securityfocus.com/bid/30797

xine-lib 1.1.12, and other 1.1.15 and earlier versions, relies on an
untrusted input value to determine the memory allocation and does not
check the result for (1) the MATROSKA_ID_TR_CODECPRIVATE track entry
element processed by demux_matroska.c; and (2) PROP_TAG, (3) MDPR_TAG,
and (4) CONT_TAG chunks processed by the real_parse_headers function
in demux_real.c; which allows remote attackers to cause a denial of
service (NULL pointer dereference and crash) or possibly execute
arbitrary code via a crafted value.


======================================================
Name: CVE-2008-5241
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5241
Reference: BUGTRAQ:20080822 [oCERT-2008-008] multiple heap overflows in xine-lib
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/495674/100/0/threaded
Reference: MISC:http://www.ocert.org/analysis/2008-008/analysis.txt
Reference: BID:30797
Reference: URL:http://www.securityfocus.com/bid/30797

Integer underflow in demux_qt.c in xine-lib 1.1.12, and other 1.1.15
and earlier versions, allows remote attackers to cause a denial of
service (crash) via a crafted media file that results in a small value
of moov_atom_size in a compressed MOV (aka CMOV_ATOM).


======================================================
Name: CVE-2008-5242
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5242
Reference: BUGTRAQ:20080822 [oCERT-2008-008] multiple heap overflows in xine-lib
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/495674/100/0/threaded
Reference: MISC:http://www.ocert.org/analysis/2008-008/analysis.txt
Reference: BID:30797
Reference: URL:http://www.securityfocus.com/bid/30797

demux_qt.c in xine-lib 1.1.12, and other 1.1.15 and earlier versions,
does not validate the count field before calling calloc for STSD_ATOM
atom allocation, which allows remote attackers to cause a denial of
service (crash) or possibly execute arbitrary code via a crafted media
file.


======================================================
Name: CVE-2008-5243
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5243
Reference: BUGTRAQ:20080822 [oCERT-2008-008] multiple heap overflows in xine-lib
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/495674/100/0/threaded
Reference: MISC:http://www.ocert.org/analysis/2008-008/analysis.txt
Reference: BID:30797
Reference: URL:http://www.securityfocus.com/bid/30797

The real_parse_headers function in demux_real.c in xine-lib 1.1.12,
and other 1.1.15 and earlier versions, relies on an untrusted input
length value to "reindex into an allocated buffer," which allows
remote attackers to cause a denial of service (crash) via a crafted
value, probably an array index error.


======================================================
Name: CVE-2008-5244
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5244
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=619869
Reference: SECTRACK:1020703
Reference: URL:http://securitytracker.com/id?1020703

Unspecified vulnerability in xine-lib before 1.1.15 has unknown impact
and attack vectors related to libfaad.  NOTE: due to the lack of
details, it is not clear whether this is an issue in xine-lib or in
libfaad.


======================================================
Name: CVE-2008-5245
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5245
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=619869
Reference: FRSIRT:ADV-2008-2382
Reference: URL:http://www.frsirt.com/english/advisories/2008/2382
Reference: SECTRACK:1020703
Reference: URL:http://securitytracker.com/id?1020703
Reference: SECUNIA:31502
Reference: URL:http://secunia.com/advisories/31502

xine-lib before 1.1.15 performs V4L video frame preallocation before
ascertaining the required length, which has unknown impact and attack
vectors, possibly related to a buffer overflow in the
open_video_capture_device function in src/input/input_v4l.c.


======================================================
Name: CVE-2008-5246
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5246
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=619869
Reference: FRSIRT:ADV-2008-2382
Reference: URL:http://www.frsirt.com/english/advisories/2008/2382
Reference: SECTRACK:1020703
Reference: URL:http://securitytracker.com/id?1020703

Multiple heap-based buffer overflows in xine-lib before 1.1.15 allow
remote attackers to execute arbitrary code via vectors that send ID3
data to the (1) id3v22_interp_frame and (2) id3v24_interp_frame
functions in src/demuxers/id3.c.  NOTE: the provenance of this
information is unknown; the details are obtained solely from third
party information.


======================================================
Name: CVE-2008-5247
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5247
Reference: BUGTRAQ:20080822 [oCERT-2008-008] multiple heap overflows in xine-lib
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/495674/100/0/threaded
Reference: MISC:http://www.ocert.org/analysis/2008-008/analysis.txt
Reference: BID:30797
Reference: URL:http://www.securityfocus.com/bid/30797

The real_parse_audio_specific_data function in demux_real.c in
xine-lib 1.1.12, and other 1.1.15 and earlier versions, uses an
untrusted height (aka codec_data_length) value as a divisor, which
allow remote attackers to cause a denial of service (divide-by-zero
error and crash) via a zero value.


======================================================
Name: CVE-2008-5248
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5248
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=619869

xine-lib before 1.1.15 allows remote attackers to cause a denial of
service (crash) via "MP3 files with metadata consisting only of
separators."

Message #71 received at 498243@bugs.debian.org (full text, mbox, reply):

From: Andrea Barisani <lcars@ocert.org>

To: oss-security@lists.openwall.com

Cc: 498243@bugs.debian.org, xine-user@lists.sourceforge.net, redpig@ocert.org

Subject: Re: [oss-security] xine-lib and ocert-2008-008

Date: Wed, 26 Nov 2008 09:51:35 +0000

On Tue, Nov 25, 2008 at 07:46:19PM -0500, Steven M. Christey wrote:
> 
> On Sat, 22 Nov 2008, Thomas Viehmann wrote:
> 
> > I am not quite sure whether I can agree with Will Drewry's analysis[1]
> > accompanying ocert advisory 2008-008[1]. Looking at item 1A, which Will
> > says is fixed in 1.1.5, attached .mov seems to fit the case description
> > and will still corrupt the memory when viewed e.g. in gxine.
> 
> This has finally prompted me to process CVE's for the issues originally
> disclosed by Will back in August.  Our analysts didn't have a very
> pleasant time with the volume and complexity, I'm sure.  Sorry it took so
> long.
>

Steve, thanks for this assignment, I updated our advisory with the
references.  We'll try to take a look at the new test case sometimes next
week.

Cheers

> CVE-2008-5234 includes two separate bugs, one of which is the item 1A you
> mention (parse_moov_atom in demux_qt.c). If CVE-2008-5234 actually wasn't
> fixed in 1.1.15, we might need a new CVE to handle the variant.
> 
> There are also some cases where an xine bug announcement includes some
> bugs that weren't covered by Will's analysis; those won't have an OCERT
> reference.
> 
> CVE-2008-5236 and CVE-2008-5237, and possibly others, don't have a
> "CONFIRM" reference in them - which implies that, based on CVE analysis,
> the upstream vendor didn't provide enough clear evidence of a fix.
> 
> My brain is too fried to process the followup comment that listed
> individual patches.
> 
> - Steve
> 

-- 
Andrea Barisani |                Founder & Project Coordinator
          oCERT | Open Source Computer Emergency Response Team

<lcars@ocert.org>                         http://www.ocert.org
 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
        "Pluralitas non est ponenda sine necessitate"

Message #76 received at 498243@bugs.debian.org (full text, mbox, reply):

From: Darren Salt <linux@youmustbejoking.demon.co.uk>

To: Matthias Hopf <mhopf@suse.de>, 498243@bugs.debian.org

Cc: oss-security@lists.openwall.com, redpig@ocert.org

Subject: Re: Bug#498243: [oss-security] xine-lib and ocert-2008-008

Date: Wed, 26 Nov 2008 19:26:18 +0000

[xine-user dropped; should probably have been sent to xine-devel, and this
thread doesn't seem to be appearing there anyway]

I demand that Matthias Hopf may or may not have written...

> On Nov 22, 08 17:49:40 +0100, Thomas Viehmann wrote:
[snip]
>> If anyone cares to go over the xine-lib issues (primarily the unfixed
>> ones from Will's section 3), I'd much appreciate a CC. In order to make
>> the analysis and verification more, I would also be interested in the
>> test cases mentioned in the advisory.

> I have fixed all of them (at least I believe so, but I have to verify your
> test case), and we're waiting for new ocert numbers. Given that this takes
> so long, and the issues are public anyway, I will probably upstream the
> fixes soon. If you would verify them it would be awesome.

I'd appreciate these *not* being committed to the 1.1 tip: just make sure
that I get the patch series (no more than one CVE no. per patch), prepared so
that I can just "hg import" each one, and I'll handle things from there.
(Somebody, probably me, will have to backport at least some of this lot for
etch, and separate patches should make this a bit easier.)

I'm currently not sure whether to do 1.1.15.1 or 1.1.16, mainly because
1.1.15.1 can be uploaded to unstable and still make it into lenny; OTOH,
that'd be a new sourceful upload. And I'm not sure that we're ready for
1.1.16 yet anyway.

-- 
| Darren Salt    | linux or ds at              | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| + Use more efficient products. Use less.          BE MORE ENERGY EFFICIENT.

You will be reincarnated as a toad; and you will be much happier.

Message #81 received at 498243@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <oss-security+ml@ngolde.de>

To: oss-security@lists.openwall.com

Cc: 498243@bugs.debian.org, xine-user@lists.sourceforge.net, redpig@ocert.org

Subject: Re: [oss-security] xine-lib and ocert-2008-008

Date: Fri, 28 Nov 2008 23:54:48 +0100

[Message part 1 (text/plain, inline)]

Hi,
* Steven M. Christey <coley@linus.mitre.org> [2008-11-26 09:27]:
> ======================================================
> Name: CVE-2008-5234
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5234
> Reference: BUGTRAQ:20080822 [oCERT-2008-008] multiple heap overflows in xine-lib
> Reference: URL:http://www.securityfocus.com/archive/1/archive/1/495674/100/0/threaded
> Reference: MISC:http://www.ocert.org/analysis/2008-008/analysis.txt
> Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=619869
> Reference: BID:30797
> Reference: URL:http://www.securityfocus.com/bid/30797
> Reference: FRSIRT:ADV-2008-2382
> Reference: URL:http://www.frsirt.com/english/advisories/2008/2382
> Reference: SECTRACK:1020703
> Reference: URL:http://securitytracker.com/id?1020703
> Reference: SECUNIA:31502
> Reference: URL:http://secunia.com/advisories/31502
> 
> Multiple heap-based buffer overflows in xine-lib 1.1.12, and other
> versions before 1.1.15, allow remote attackers to execute arbitrary
> code via vectors related to (1) a crafted metadata atom size processed
> by the parse_moov_atom function in demux_qt.c and (2) frame reading in
> the id3v23_interp_frame function in id3.c.  NOTE: as of 20081122, it is
> possible that vector 1 has not been fixed in 1.1.15.
> 
[...] 
> ======================================================
> Name: CVE-2008-5246
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5246
> Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=619869
> Reference: FRSIRT:ADV-2008-2382
> Reference: URL:http://www.frsirt.com/english/advisories/2008/2382
> Reference: SECTRACK:1020703
> Reference: URL:http://securitytracker.com/id?1020703
> 
> Multiple heap-based buffer overflows in xine-lib before 1.1.15 allow
> remote attackers to execute arbitrary code via vectors that send ID3
> data to the (1) id3v22_interp_frame and (2) id3v24_interp_frame
> functions in src/demuxers/id3.c.  NOTE: the provenance of this
> information is unknown; the details are obtained solely from third
> party information.

Isn't the second part of CVE-2008-5234 the same like 
CVE-2008-5246? About CVE-2008-5246 and the provenance of 
this information, I can hereby confirm this.
See http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=268c1c1639d7;style=gitweb

the length is user supplied + 1 used to allocate a buffer 
which is used for a read call later -> typical heap 
overflow.

Cheers
Nico
> 
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #86 received at 498243-done@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 498243-done@bugs.debian.org

Subject: closing

Date: Sun, 30 Nov 2008 11:34:17 +0100

[Message part 1 (text/plain, inline)]

Hi,
I think we should close this bug as we started to track each 
CVE id for this advisory in a single bug, this is less 
confusing.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Send a report that this bug log contains spam.