Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <Pine.GSO.4.51.0811251939300.16341@faron.mitre.org>
Date: Tue, 25 Nov 2008 19:46:19 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
cc: 498243@...s.debian.org, xine-user@...ts.sourceforge.net, redpig@...rt.org
Subject: Re: xine-lib and ocert-2008-008


On Sat, 22 Nov 2008, Thomas Viehmann wrote:

> I am not quite sure whether I can agree with Will Drewry's analysis[1]
> accompanying ocert advisory 2008-008[1]. Looking at item 1A, which Will
> says is fixed in 1.1.5, attached .mov seems to fit the case description
> and will still corrupt the memory when viewed e.g. in gxine.

This has finally prompted me to process CVE's for the issues originally
disclosed by Will back in August.  Our analysts didn't have a very
pleasant time with the volume and complexity, I'm sure.  Sorry it took so
long.

CVE-2008-5234 includes two separate bugs, one of which is the item 1A you
mention (parse_moov_atom in demux_qt.c). If CVE-2008-5234 actually wasn't
fixed in 1.1.15, we might need a new CVE to handle the variant.

There are also some cases where an xine bug announcement includes some
bugs that weren't covered by Will's analysis; those won't have an OCERT
reference.

CVE-2008-5236 and CVE-2008-5237, and possibly others, don't have a
"CONFIRM" reference in them - which implies that, based on CVE analysis,
the upstream vendor didn't provide enough clear evidence of a fix.

My brain is too fried to process the followup comment that listed
individual patches.

- Steve

======================================================
Name: CVE-2008-5233
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5233
Reference: BUGTRAQ:20080822 [oCERT-2008-008] multiple heap overflows in xine-lib
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/495674/100/0/threaded
Reference: MISC:http://www.ocert.org/analysis/2008-008/analysis.txt
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=619869
Reference: BID:30797
Reference: URL:http://www.securityfocus.com/bid/30797
Reference: SECTRACK:1020703
Reference: URL:http://securitytracker.com/id?1020703

xine-lib 1.1.12, and other versions before 1.1.15, does not check for
failure of malloc in circumstances including (1) the
mymng_process_header function in demux_mng.c, (2) the open_mod_file
function in demux_mod.c, and (3) frame_buffer allocation in the
real_parse_audio_specific_data function in demux_real.c, which allows
remote attackers to cause a denial of service (crash) or possibly
execute arbitrary code via a crafted media file.


======================================================
Name: CVE-2008-5234
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5234
Reference: BUGTRAQ:20080822 [oCERT-2008-008] multiple heap overflows in xine-lib
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/495674/100/0/threaded
Reference: MISC:http://www.ocert.org/analysis/2008-008/analysis.txt
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=619869
Reference: BID:30797
Reference: URL:http://www.securityfocus.com/bid/30797
Reference: FRSIRT:ADV-2008-2382
Reference: URL:http://www.frsirt.com/english/advisories/2008/2382
Reference: SECTRACK:1020703
Reference: URL:http://securitytracker.com/id?1020703
Reference: SECUNIA:31502
Reference: URL:http://secunia.com/advisories/31502

Multiple heap-based buffer overflows in xine-lib 1.1.12, and other
versions before 1.1.15, allow remote attackers to execute arbitrary
code via vectors related to (1) a crafted metadata atom size processed
by the parse_moov_atom function in demux_qt.c and (2) frame reading in
the id3v23_interp_frame function in id3.c.  NOTE: as of 20081122, it is
possible that vector 1 has not been fixed in 1.1.15.


======================================================
Name: CVE-2008-5235
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5235
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=619869
Reference: FRSIRT:ADV-2008-2382
Reference: URL:http://www.frsirt.com/english/advisories/2008/2382
Reference: SECTRACK:1020703
Reference: URL:http://securitytracker.com/id?1020703
Reference: SECUNIA:31502
Reference: URL:http://secunia.com/advisories/31502

Heap-based buffer overflow in the demux_real_send_chunk function in
src/demuxers/demux_real.c in xine-lib before 1.1.15 allows remote
attackers to execute arbitrary code via a crafted Real Media file.
NOTE: some of these details are obtained from third party information.


======================================================
Name: CVE-2008-5236
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5236
Reference: BUGTRAQ:20080822 [oCERT-2008-008] multiple heap overflows in xine-lib
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/495674/100/0/threaded
Reference: MISC:http://sourceforge.net/project/shownotes.php?release_id=619869
Reference: MISC:http://www.ocert.org/analysis/2008-008/analysis.txt
Reference: BID:30797
Reference: URL:http://www.securityfocus.com/bid/30797
Reference: FRSIRT:ADV-2008-2382
Reference: URL:http://www.frsirt.com/english/advisories/2008/2382
Reference: FRSIRT:ADV-2008-2427
Reference: URL:http://www.frsirt.com/english/advisories/2008/2427
Reference: SECUNIA:31502
Reference: URL:http://secunia.com/advisories/31502
Reference: SECUNIA:31567
Reference: URL:http://secunia.com/advisories/31567

Multiple heap-based buffer overflows in xine-lib 1.1.12, and other
1.1.15 and earlier versions, allow remote attackers to execute
arbitrary code via vectors related to (1) a crafted EBML element
length processed by the parse_block_group function in
demux_matroska.c; (2) a certain combination of sps, w, and h values
processed by the real_parse_audio_specific_data and
demux_real_send_chunk functions in demux_real.c; and (3) an
unspecified combination of three values processed by the open_ra_file
function in demux_realaudio.c.  NOTE: vector 2 reportedly exists
because of an incomplete fix in 1.1.15.


======================================================
Name: CVE-2008-5237
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5237
Reference: BUGTRAQ:20080822 [oCERT-2008-008] multiple heap overflows in xine-lib
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/495674/100/0/threaded
Reference: MISC:http://www.ocert.org/analysis/2008-008/analysis.txt
Reference: BID:30797
Reference: URL:http://www.securityfocus.com/bid/30797

Multiple integer overflows in xine-lib 1.1.12, and other 1.1.15 and
earlier versions, allow remote attackers to cause a denial of service
(crash) or possibly execute arbitrary code via (1) crafted width and
height values that are not validated by the mymng_process_header
function in demux_mng.c before use in an allocation calculation or (2)
crafted current_atom_size and string_size values processed by the
parse_reference_atom function in demux_qt.c.


======================================================
Name: CVE-2008-5238
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5238
Reference: BUGTRAQ:20080822 [oCERT-2008-008] multiple heap overflows in xine-lib
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/495674/100/0/threaded
Reference: MISC:http://www.ocert.org/analysis/2008-008/analysis.txt
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=619869
Reference: BID:30797
Reference: URL:http://www.securityfocus.com/bid/30797
Reference: SECTRACK:1020703
Reference: URL:http://securitytracker.com/id?1020703

Integer overflow in the real_parse_mdpr function in demux_real.c in
xine-lib 1.1.12, and other versions before 1.1.15, allows remote
attackers to cause a denial of service (crash) or possibly execute
arbitrary code via a crafted stream_name_size field.


======================================================
Name: CVE-2008-5239
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5239
Reference: BUGTRAQ:20080822 [oCERT-2008-008] multiple heap overflows in xine-lib
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/495674/100/0/threaded
Reference: MISC:http://www.ocert.org/analysis/2008-008/analysis.txt
Reference: BID:30797
Reference: URL:http://www.securityfocus.com/bid/30797

xine-lib 1.1.12, and other 1.1.15 and earlier versions, does not
properly handle (a) negative and (b) zero values during unspecified
read function calls in input_file.c, input_net.c, input_smb.c, and
input_http.c, which allows remote attackers to cause a denial of
service (crash) or possibly execute arbitrary code via vectors such as
(1) a file or (2) an HTTP response, which triggers consequences such
as out-of-bounds reads and heap-based buffer overflows.


======================================================
Name: CVE-2008-5240
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5240
Reference: BUGTRAQ:20080822 [oCERT-2008-008] multiple heap overflows in xine-lib
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/495674/100/0/threaded
Reference: MISC:http://www.ocert.org/analysis/2008-008/analysis.txt
Reference: BID:30797
Reference: URL:http://www.securityfocus.com/bid/30797

xine-lib 1.1.12, and other 1.1.15 and earlier versions, relies on an
untrusted input value to determine the memory allocation and does not
check the result for (1) the MATROSKA_ID_TR_CODECPRIVATE track entry
element processed by demux_matroska.c; and (2) PROP_TAG, (3) MDPR_TAG,
and (4) CONT_TAG chunks processed by the real_parse_headers function
in demux_real.c; which allows remote attackers to cause a denial of
service (NULL pointer dereference and crash) or possibly execute
arbitrary code via a crafted value.


======================================================
Name: CVE-2008-5241
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5241
Reference: BUGTRAQ:20080822 [oCERT-2008-008] multiple heap overflows in xine-lib
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/495674/100/0/threaded
Reference: MISC:http://www.ocert.org/analysis/2008-008/analysis.txt
Reference: BID:30797
Reference: URL:http://www.securityfocus.com/bid/30797

Integer underflow in demux_qt.c in xine-lib 1.1.12, and other 1.1.15
and earlier versions, allows remote attackers to cause a denial of
service (crash) via a crafted media file that results in a small value
of moov_atom_size in a compressed MOV (aka CMOV_ATOM).


======================================================
Name: CVE-2008-5242
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5242
Reference: BUGTRAQ:20080822 [oCERT-2008-008] multiple heap overflows in xine-lib
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/495674/100/0/threaded
Reference: MISC:http://www.ocert.org/analysis/2008-008/analysis.txt
Reference: BID:30797
Reference: URL:http://www.securityfocus.com/bid/30797

demux_qt.c in xine-lib 1.1.12, and other 1.1.15 and earlier versions,
does not validate the count field before calling calloc for STSD_ATOM
atom allocation, which allows remote attackers to cause a denial of
service (crash) or possibly execute arbitrary code via a crafted media
file.


======================================================
Name: CVE-2008-5243
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5243
Reference: BUGTRAQ:20080822 [oCERT-2008-008] multiple heap overflows in xine-lib
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/495674/100/0/threaded
Reference: MISC:http://www.ocert.org/analysis/2008-008/analysis.txt
Reference: BID:30797
Reference: URL:http://www.securityfocus.com/bid/30797

The real_parse_headers function in demux_real.c in xine-lib 1.1.12,
and other 1.1.15 and earlier versions, relies on an untrusted input
length value to "reindex into an allocated buffer," which allows
remote attackers to cause a denial of service (crash) via a crafted
value, probably an array index error.


======================================================
Name: CVE-2008-5244
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5244
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=619869
Reference: SECTRACK:1020703
Reference: URL:http://securitytracker.com/id?1020703

Unspecified vulnerability in xine-lib before 1.1.15 has unknown impact
and attack vectors related to libfaad.  NOTE: due to the lack of
details, it is not clear whether this is an issue in xine-lib or in
libfaad.


======================================================
Name: CVE-2008-5245
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5245
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=619869
Reference: FRSIRT:ADV-2008-2382
Reference: URL:http://www.frsirt.com/english/advisories/2008/2382
Reference: SECTRACK:1020703
Reference: URL:http://securitytracker.com/id?1020703
Reference: SECUNIA:31502
Reference: URL:http://secunia.com/advisories/31502

xine-lib before 1.1.15 performs V4L video frame preallocation before
ascertaining the required length, which has unknown impact and attack
vectors, possibly related to a buffer overflow in the
open_video_capture_device function in src/input/input_v4l.c.


======================================================
Name: CVE-2008-5246
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5246
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=619869
Reference: FRSIRT:ADV-2008-2382
Reference: URL:http://www.frsirt.com/english/advisories/2008/2382
Reference: SECTRACK:1020703
Reference: URL:http://securitytracker.com/id?1020703

Multiple heap-based buffer overflows in xine-lib before 1.1.15 allow
remote attackers to execute arbitrary code via vectors that send ID3
data to the (1) id3v22_interp_frame and (2) id3v24_interp_frame
functions in src/demuxers/id3.c.  NOTE: the provenance of this
information is unknown; the details are obtained solely from third
party information.


======================================================
Name: CVE-2008-5247
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5247
Reference: BUGTRAQ:20080822 [oCERT-2008-008] multiple heap overflows in xine-lib
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/495674/100/0/threaded
Reference: MISC:http://www.ocert.org/analysis/2008-008/analysis.txt
Reference: BID:30797
Reference: URL:http://www.securityfocus.com/bid/30797

The real_parse_audio_specific_data function in demux_real.c in
xine-lib 1.1.12, and other 1.1.15 and earlier versions, uses an
untrusted height (aka codec_data_length) value as a divisor, which
allow remote attackers to cause a denial of service (divide-by-zero
error and crash) via a zero value.


======================================================
Name: CVE-2008-5248
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5248
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=619869

xine-lib before 1.1.15 allows remote attackers to cause a denial of
service (crash) via "MP3 files with metadata consisting only of
separators."

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.