
Debian Bug report logs - #407369
xine-ui: [CVE-2007-0254] Format string vulnerability

Reported by: SALVETTI Djoume <djoume@taket.org>

Date: Wed, 17 Jan 2007 22:48:14 UTC

Severity: normal

Tags: security

Found in version 0.99.4+dfsg+cvs20061111-1

Fixed in versions xine-ui/0.99.4+dfsg+cvs20061111-2, xine-ui/0.99.5-1

Done: Reinhard Tartler <siretart@tauware.de>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Siggi Langauf <siggi@debian.org>:
Bug#407369; Package xine-ui.


Acknowledgement sent to SALVETTI Djoume <djoume@taket.org>:
New Bug report received and forwarded. Copy sent to Siggi Langauf <siggi@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: SALVETTI Djoume <djoume@taket.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xine-ui: [CVE-2007-0254] Format string vulnerability bogus?
Date: Wed, 17 Jan 2007 23:44:37 +0100
Package: xine-ui
Severity: normal


Good day,

My understanding is that this CVE Candidate is buggy, but in case I have
missed something I prefer to let you know; just close the bug if you
agree with me.

From CVE-2007-0254:

| Name: CVE-2007-0254
| Status: Candidate
| URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0254
| Phase: Assigned (20070116)
| Category:
| Reference: BUGTRAQ:20070111 Xine-ui format string Vulnerabilties.
| Reference: URL:http://www.securityfocus.com/archive/1/archive/1/456590/100/0/threaded
| Reference: BID:22002
| Reference: URL:http://www.securityfocus.com/bid/22002
|
| Format string vulnerability in the errors_create_window function in
| errors.c in xine-ui allows attackers to execute arbitrary code via
| unknown vectors.


I took a look at the errors_create_window function in errors.c; the
vulnerable code seems to be on line 67:

|  xw = xitk_window_dialog_two_buttons_with_width(gGui->imlib_data, title,
|                                                   _("Done"), _("More..."),
|                                                   NULL, _errors_display_log,
|                                                   NULL, 400, ALIGN_CENTER,
|                                                   "%s", message);

xitk_window_dialog_two_buttons_with_width() is a macro defined on
line 2323 in src/xitk/xine-toolkit/xitk.h; this macro calls
xitk_window_dialog_checkbox_two_buttons_with_width(), which is a function
defined on line 1108 in src/xitk/xine-toolkit/window.c. In this
function we have
(message is the format, and args is the message from the previous
function):

    va_list   args;
    char     *buf;
    int       n, size = 100;

    if((buf = xitk_xmalloc(size)) == NULL)
        return NULL;

    while(1) {

      va_start(args, message);
      n = vsnprintf(buf, size, message, args);
      va_end(args);

      if(n > -1 && n < size)
        break;

      if(n > -1)
        size = n + 1;
      else
        size *= 2;

      if((buf = realloc(buf, size)) == NULL)
        return NULL;
    }


I fail to see where the format string vulnerability is; my
understanding is that vsnprintf will never overrun buf, but maybe I have
missed something...

Thanks for your time.

Regards.


-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: powerpc (ppc)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-powerpc
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)



Information forwarded to debian-bugs-dist@lists.debian.org, Siggi Langauf <siggi@debian.org>:
Bug#407369; Package xine-ui.


Acknowledgement sent to Matthias Hopf <mat@mshopf.de>:
Extra info received and forwarded to list. Copy sent to Siggi Langauf <siggi@debian.org>.


Message #10 received at 407369@bugs.debian.org:

From: Matthias Hopf <mat@mshopf.de>
To: 407369@bugs.debian.org, xine-devel@lists.sourceforge.net
Subject: Re: [xine-devel] [SALVETTI Djoume] Bug#407369: xine-ui: [CVE-2007-0254] Format string vulnerability bogus?
Date: Thu, 18 Jan 2007 13:53:16 +0100
On Jan 18, 07 09:18:46 +0100, Reinhard Tartler wrote:
> I just got the following bugreport on xine-ui. Could you have a look at
> it and tell me if you think there is a vulnerability? In this case, I'd
> have to update the xine-ui package despite debian's freeze. To be sure,
> I wanted to check with you. Here we go:

This is already fixed in CVS.

> | Format string vulnerability in the errors_create_window function in
> | errors.c in xine-ui allows attackers to execute arbitrary code via
> | unknown vectors.
> 
> I take a look at the errors_create_window function in errors.c, the
> vulnerable code seems to be on line 67 : 
> 
> |  xw = xitk_window_dialog_two_buttons_with_width(gGui->imlib_data, title,
> |                                                   _("Done"), _("More..."),
> |                                                   NULL, _errors_display_log,
> |                                                   NULL, 400, ALIGN_CENTER,
> |                                                   "%s", message);

This used to be   .... NULL, 400, ALIGN_CENTER, message);
("%s", missing), which was indeed vulnerable.

Thanks

Matthias

-- 
Matthias Hopf <mhopf@suse.de>      __        __   __
Maxfeldstr. 5 / 90409 Nuernberg   (_   | |  (_   |__          mat@mshopf.de
Phone +49-911-74053-715           __)  |_|  __)  |__  R & D   www.mshopf.de
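Matthias's reply above pins the bug down: the grow-and-retry vsnprintf loop quoted in the first message keeps the buffer safe, but that loop is only as safe as its format argument, and the old errors.c call handed it the untrusted message as the format. The C below is an added example, not xine-ui code (the names format_dialog_text, errors_text_fixed, fixed_text_matches, count_format_directives and the PRINTF_LIKE macro are assumed for this illustration): it reproduces the loop, fixes the realloc leak the quoted version has, shows the hardened "%s" call, and adds two defender-side checks: a format attribute so that gcc/clang -Wformat -Wformat-security flags a non-literal format at compile time, and a directive counter for auditing untrusted strings.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tells gcc/clang that argument 'fmt_idx' is a printf-style format, so that
 * -Wformat -Wformat-security report any call that passes a non-literal
 * format with no arguments (the exact shape of the old errors.c call). */
#if defined(__GNUC__)
#define PRINTF_LIKE(fmt_idx, first_arg) __attribute__((format(printf, fmt_idx, first_arg)))
#else
#define PRINTF_LIKE(fmt_idx, first_arg)
#endif

/* Assumed helper: grow-and-retry formatting loop in the style of the toolkit
 * code quoted in the report. vsnprintf never overruns 'buf', so the buffer
 * handling is safe; what the loop cannot protect against is a caller passing
 * untrusted text as 'message' (the format) instead of as an argument. */
static char *format_dialog_text(const char *message, ...) PRINTF_LIKE(1, 2);

static char *format_dialog_text(const char *message, ...)
{
    va_list args;
    char   *buf, *tmp;
    int     n, size = 100;

    if ((buf = malloc(size)) == NULL)
        return NULL;

    while (1) {
        va_start(args, message);
        n = vsnprintf(buf, size, message, args);
        va_end(args);

        if (n > -1 && n < size)
            break;                  /* output fitted: done */

        if (n > -1)
            size = n + 1;           /* C99 vsnprintf: n is the length needed */
        else
            size *= 2;              /* pre-C99 libc returns -1: grow and retry */

        /* Assign through a temporary so the old block is freed when realloc
         * fails; the quoted loop leaks it in that case. */
        if ((tmp = realloc(buf, size)) == NULL) {
            free(buf);
            return NULL;
        }
        buf = tmp;
    }
    return buf;
}

/* Hardened call, the shape errors.c has now: the untrusted text is an
 * argument to a literal "%s" format, so every '%' in it is copied verbatim.
 * The old call was format_dialog_text(message) with the "%s", missing; with
 * PRINTF_LIKE in place that line is reported by -Wformat-security as
 * "format not a string literal and no format arguments". */
char *errors_text_fixed(const char *message)
{
    return format_dialog_text("%s", message);
}

/* Returns 1 when the hardened path reproduces 'message' byte for byte
 * (no directive interpreted, buffer grown as needed), 0 otherwise. */
int fixed_text_matches(const char *message)
{
    char *out = errors_text_fixed(message);
    int ok = (out != NULL && strcmp(out, message) == 0);
    free(out);
    return ok;
}

/* Audit helper for untrusted strings that are about to reach a printf-family
 * function as the format: counts conversion directives. An escaped "%%" is a
 * literal percent sign and is not counted. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {          /* "%%" -> literal '%' */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: an "error message" arriving from an untrusted source. */
    const char *untrusted = "decode failed at 100%: %s %n %x";

    printf("directives in untrusted text: %d\n", count_format_directives(untrusted));
    printf("hardened path preserves it verbatim: %s\n",
           fixed_text_matches(untrusted) ? "yes" : "no");
    return 0;
}
```

Build it with `cc -Wall -Wformat -Wformat-security` to see the compile-time check at work: the hardened call is silent, while a call of the old shape, format_dialog_text(message), draws a warning. The directive counter is the same check a code reviewer does by eye on the quoted line; on a string that has already been passed as an argument to "%s", the count no longer matters, because the directives are just text.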



Information forwarded to debian-bugs-dist@lists.debian.org, Siggi Langauf <siggi@debian.org>:
Bug#407369; Package xine-ui.


Acknowledgement sent to Diego 'Flameeyes' Pettenò <flameeyes@gentoo.org>:
Extra info received and forwarded to list. Copy sent to Siggi Langauf <siggi@debian.org>.


Message #15 received at 407369@bugs.debian.org:

From: Diego 'Flameeyes' Pettenò <flameeyes@gentoo.org>
To: 407369@bugs.debian.org, xine-devel@lists.sourceforge.net
Subject: Re: [xine-devel] [SALVETTI Djoume] Bug#407369: xine-ui: [CVE-2007-0254] Format string vulnerability bogus?
Date: Thu, 18 Jan 2007 15:35:52 +0100
On Thursday 18 January 2007, Reinhard Tartler wrote:
> Could you have a look at
> it and tell me if you think there is a vulnerability?
Yes, there's one, and it's not isolated; there are a few others too, but as 
Matthias said, they are all fixed in CVS. The 0.99.4 release was very, very unsafe 
when it came to format strings; the CVS version is fine, but it has a nasty bug 
(double-click on the video window does not fullscreen; it crashes).

-- 
Diego "Flameeyes" Pettenò - http://farragut.flameeyes.is-a-geek.org/
Gentoo/Alt lead, Gentoo/FreeBSD, Video, Sound, ALSA, PAM, KDE, CJK, Ruby ...

Information forwarded to debian-bugs-dist@lists.debian.org, Siggi Langauf <siggi@debian.org>:
Bug#407369; Package xine-ui.


Acknowledgement sent to Reinhard Tartler <siretart@debian.org>:
Extra info received and forwarded to list. Copy sent to Siggi Langauf <siggi@debian.org>.


Message #20 received at 407369@bugs.debian.org:

From: Reinhard Tartler <siretart@debian.org>
To: Diego 'Flameeyes' Pettenò <flameeyes@gentoo.org>
Cc: 407369@bugs.debian.org, xine-devel@lists.sourceforge.net
Subject: Re: Bug#407369: [xine-devel] [SALVETTI Djoume] Bug#407369: xine-ui: [CVE-2007-0254] Format string vulnerability bogus?
Date: Thu, 18 Jan 2007 18:40:13 +0100
Diego 'Flameeyes' Pettenò <flameeyes@gentoo.org> writes:

> On Thursday 18 January 2007, Reinhard Tartler wrote:
>> Could you have a look at
>> it and tell me if you think there is a vulnerability?
> Yes there's one and it's not isolated, there are a few others too, but as 
> Matthias said, they are all fixed in CVS. 0.99.4 release was very very unsafe 
> when it came to format strings; CVS version is fine, but it has a nasty bug 
> (double click on the video window does not fullscreen.. it crashes down.

Debian currently ships a CVS snapshot of November 11 2006, not a plain
0.99.4. There wasn't any later release, so I decided to have a snapshot
uploaded. I'll check the logs for further suspicious (read: security
related) commits later today.

Thanks for your comment!

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

Reply sent to Reinhard Tartler <siretart@tauware.de>:
You have taken responsibility.


Notification sent to SALVETTI Djoume <djoume@taket.org>:
Bug acknowledged by developer.


Message #25 received at 407369-done@bugs.debian.org:

From: Reinhard Tartler <siretart@tauware.de>
To: 407369-done@bugs.debian.org
Cc: xine-devel@lists.sourceforge.net
Subject: Re: Bug#407369: [xine-devel] [SALVETTI Djoume] Bug#407369: xine-ui: [CVE-2007-0254] Format string vulnerability bogus?
Date: Thu, 18 Jan 2007 18:38:00 +0100
Matthias Hopf <mat@mshopf.de> writes:

>> I take a look at the errors_create_window function in errors.c, the
>> vulnerable code seems to be on line 67 : 
>> 
>> |  xw = xitk_window_dialog_two_buttons_with_width(gGui->imlib_data, title,
>> |                                                   _("Done"), _("More..."),
>> |                                                   NULL, _errors_display_log,
>> |                                                   NULL, 400, ALIGN_CENTER,
>> |                                                   "%s", message);
>
> This used to be   .... NULL, 400, ALIGN_CENTER, message);
> ("%s", missing), which was indeed vulnerable.

With this rationale, I'm closing this bug (at least for now). I checked
the source of the current xine-ui package, which is in both
testing+unstable, and it contains the source as shown above. If you
find further vulnerabilities, feel free to file or reopen this report.

I'm planning to upload an updated xine-ui snapshot to experimental later
today.

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4



Information forwarded to debian-bugs-dist@lists.debian.org, Siggi Langauf <siggi@debian.org>:
Bug#407369; Package xine-ui.


Acknowledgement sent to Hans-Dieter Kosch <hdkosch@t-online.de>:
Extra info received and forwarded to list. Copy sent to Siggi Langauf <siggi@debian.org>.


Message #30 received at 407369@bugs.debian.org:

From: Hans-Dieter Kosch <hdkosch@t-online.de>
To: Diego 'Flameeyes' Pettenò <flameeyes@gentoo.org>
Cc: 407369@bugs.debian.org, xine-devel@lists.sourceforge.net
Subject: Re: [xine-devel] [SALVETTI Djoume] Bug#407369: xine-ui: [CVE-2007-0254] Format string vulnerability bogus?
Date: Tue, 23 Jan 2007 01:06:24 +0100
Diego 'Flameeyes' Pettenò wrote:
> On Thursday 18 January 2007, Reinhard Tartler wrote:
> 
>>Could you have a look at
>>it and tell me if you think there is a vulnerability?
> 
> Yes there's one and it's not isolated, there are a few others too, but as 
> Matthias said, they are all fixed in CVS. 0.99.4 release was very very unsafe 
> when it came to format strings; CVS version is fine, but it has a nasty bug 
> (double click on the video window does not fullscreen.. it crashes down.
> 
This crash has been fixed in xitk/xine-toolkit/xitk.c r1.152 and 
reviewed in r1.157.

Cheers,
Hans-Dieter




Information forwarded to debian-bugs-dist@lists.debian.org, Siggi Langauf <siggi@debian.org>:
Bug#407369; Package xine-ui.


Acknowledgement sent to Reinhard Tartler <siretart@tauware.de>:
Extra info received and forwarded to list. Copy sent to Siggi Langauf <siggi@debian.org>.


Message #35 received at 407369@bugs.debian.org:

From: Reinhard Tartler <siretart@tauware.de>
To: Hans-Dieter Kosch <hdkosch@t-online.de>
Cc: Diego 'Flameeyes' Pettenò <flameeyes@gentoo.org>, xine-devel@lists.sourceforge.net, 407369@bugs.debian.org
Subject: Re: [SALVETTI Djoume] Bug#407369: xine-ui: [CVE-2007-0254] Format string vulnerability bogus?
Date: Tue, 23 Jan 2007 17:38:14 +0100
found 407369 0.99.4+dfsg+cvs20061111-1
thanks

Hans-Dieter Kosch <hdkosch@t-online.de> writes:

>> Yes there's one and it's not isolated, there are a few others too, but as 
>> Matthias said, they are all fixed in CVS. 0.99.4 release was very very unsafe 
>> when it came to format strings; CVS version is fine, but it has a nasty bug 
>> (double click on the video window does not fullscreen.. it crashes down.
>> 
> This crash has been fixed in xitk/xine-toolkit/xitk.c r1.152 and 
> reviewed in r1.157.

Ok, I'm currently preparing an update with xitk.c r1.152, which I'll
upload shortly.

-- 
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

Bug marked as found in version 0.99.4+dfsg+cvs20061111-1. Request was from Reinhard Tartler <siretart@tauware.de> to control@bugs.debian.org.


Reply sent to Reinhard Tartler <siretart@tauware.de>:
You have taken responsibility.


Notification sent to SALVETTI Djoume <djoume@taket.org>:
Bug acknowledged by developer.


Message #42 received at 407369-close@bugs.debian.org:

From: Reinhard Tartler <siretart@tauware.de>
To: 407369-close@bugs.debian.org
Subject: Bug#407369: fixed in xine-ui 0.99.4+dfsg+cvs20061111-2
Date: Tue, 23 Jan 2007 17:17:11 +0000
Source: xine-ui
Source-Version: 0.99.4+dfsg+cvs20061111-2

We believe that the bug you reported is fixed in the latest version of
xine-ui, which is due to be installed in the Debian FTP archive:

xine-ui_0.99.4+dfsg+cvs20061111-2.diff.gz
  to pool/main/x/xine-ui/xine-ui_0.99.4+dfsg+cvs20061111-2.diff.gz
xine-ui_0.99.4+dfsg+cvs20061111-2.dsc
  to pool/main/x/xine-ui/xine-ui_0.99.4+dfsg+cvs20061111-2.dsc
xine-ui_0.99.4+dfsg+cvs20061111-2_i386.deb
  to pool/main/x/xine-ui/xine-ui_0.99.4+dfsg+cvs20061111-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 407369@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated xine-ui package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 23 Jan 2007 15:23:06 +0100
Source: xine-ui
Binary: xine-ui
Architecture: source i386
Version: 0.99.4+dfsg+cvs20061111-2
Distribution: unstable
Urgency: medium
Maintainer: Siggi Langauf <siggi@debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Description: 
 xine-ui    - the xine video player, user interface
Closes: 407369
Changes: 
 xine-ui (0.99.4+dfsg+cvs20061111-2) unstable; urgency=medium
 .
   * imported patch from xine-ui CVS for CVE-2007-0254: fix format string
     vulnerability. (Closes: #407369)
Files: 
 983122cd16969d5eb2383b1b8c6eb32b 1173 graphics optional xine-ui_0.99.4+dfsg+cvs20061111-2.dsc
 1213a1f5d8c6a76747de40c8e8b6e944 11395 graphics optional xine-ui_0.99.4+dfsg+cvs20061111-2.diff.gz
 4784694333b675564439f751a7cfd65a 1512310 graphics optional xine-ui_0.99.4+dfsg+cvs20061111-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Debian Powered!

iD8DBQFFtkAKmAg1RJRTSKQRAn6PAJ9acSOqLRE6/5tD3swxMElQq6CO/QCdHwFk
7fVXfAVd8jnIxqgcdOh4tz0=
=DgUS
-----END PGP SIGNATURE-----




Bug marked as fixed in version 0.99.5-1. Request was from Touko Korpela <tkorpela@phnet.fi> to control@bugs.debian.org. (Thu, 20 Sep 2007 20:36:05 GMT)


Tags added: security. Request was from Touko Korpela <tkorpela@phnet.fi> to control@bugs.debian.org. (Thu, 20 Sep 2007 20:39:04 GMT)


Changed Bug title to `xine-ui: [CVE-2007-0254] Format string vulnerability' from `xine-ui: [CVE-2007-0254] Format string vulnerability bogus?'. Request was from Touko Korpela <tkorpela@phnet.fi> to control@bugs.debian.org. (Thu, 20 Sep 2007 21:15:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 19 Oct 2007 07:30:27 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:29:56 2019; Machine Name: buxtehude
