Bugtraqmailing list archives

By Date

By Thread

iDEFENSE Security Advisory 12.21.04: Multiple Vendor Xine version 0.99.2 PNM Handler Negative Read Length Heap Overflow Vulnerability

Multiple Vendor Xine version 0.99.2 PNM Handler Negative Read Length Heap Overflow VulnerabilityiDEFENSE Security Advisory 12.21.04www.idefense.com/application/poi/display?id=177&type=vulnerabilitiesDecember 21, 2004I. BACKGROUNDXine is a multimedia player which runs on multiple platforms.More information is available at:http://xinehq.de/II. DESCRIPTIONRemote exploitation of a buffer overflow in version 0.99.2 of xine couldallow execution of arbitrary code.The vulnerability specifically exists in the RMF_TAG, DATA_TAG, PROP_TAG, MDPR_TAG and CONT_TAG handling code of the pnm_get_chunk() function. These tags are all handled by the same code. The code does notperform correct checking on the chunk size before reading data in. If the size given is less than the PREAMBLE_SIZE, a negative length read ismade into a fixed length buffer. Because the read length parameter is anunsigned value, the negative length is interpreted as a very large length, allowing a buffer overflow to occur.III. ANALYSISExploitation of this vulnerability allows execution of arbitrary code with the privileges of the targeted user.In order to exploit this vulnerability, an attacker would have to convince the targeted user to open a connection to a malicious PNM server with xine, using a pnm://address/ URL. Depending on configurationoptions, this may be exploitable simply by clicking on a link, or it mayrequire the user to launch the application, specifically requesting the malicious content.IV. DETECTIONiDEFENSE Labs has confirmed the existence of this vulnerability in xine version 0.99.2. It is suspected that earlier versions of xine also contain this vulnerability.This vulnerability also affects MPlayer prior to MPlayer 1.0pre5try2.V. WORKAROUNDiDEFENSE is currently unaware of any effective workarounds for this issue.VI. VENDOR RESPONSExine-lib 1-rc8 was released to address this vulnerability and isavailable for download at:http://xinehq.de/index.php/releases   An xine patch for this vulnerability is available at:http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/pnm.c?r1=1.20&r2=1.21   An MPlayer patch for this vulnerability is available at:http://www.mplayerhq.hu/MPlayer/patches/pnm_fix_20041215.diffVII. CVE INFORMATIONThe Common Vulnerabilities and Exposures (CVE) project has assigned thenames CAN-2004-1188 to these issues. This is a candidate for inclusionin the CVE list (http://cve.mitre.org), which standardizes names forsecurity problems.VIII. DISCLOSURE TIMELINE12/10/2004  Initial vendor notification12/11/2004  Initial vendor response12/21/2004  Public disclosureIX. CREDITThe discoverer of this vulnerability wishes to remain anonymous.Get paid for vulnerability researchhttp://www.idefense.com/poi/teams/vcp.jspX. LEGAL NOTICESCopyright (c) 2004 iDEFENSE, Inc.Permission is granted for the redistribution of this alertelectronically. It may not be edited in any way without the expresswritten consent of iDEFENSE. If you wish to reprint the whole or anypart of this alert in any other medium other than electronically, pleaseemail customerservice () idefense com for permission.Disclaimer: The information in the advisory is believed to be accurateat the time of publishing based on currently available information. Useof the information constitutes acceptance for use in an AS IS condition.There are no warranties with regard to this information. Neither theauthor nor the publisher accepts any liability for any direct, indirect,or consequential loss or damage arising from use of, or reliance on,this information.

By Date

By Thread

Current thread:

• iDEFENSE Security Advisory 12.21.04: Multiple Vendor Xine version 0.99.2 PNM Handler Negative Read Length Heap Overflow Vulnerabilitycustomer service mailbox (Dec 21)