Bugtraqmailing list archives

By Date

By Thread

XSA-2004-7: stack overflow in AIFF demultiplexer

-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1xine security announcement==========================Announcement-ID: XSA-2004-7Summary:A stack buffer overflow vulnerability in the AIFF demultiplexer has been foundby Ariel Berkman and was reported to the xine team by D. J. Bernstein. This can be used for an exploit, leading to attacker-chosen code being executed with the permissions of the user running a xine-lib based media application.The Common Vulnerabilities and Exposures (CVE) project has assigned thename CAN-2004-1300 to this issue.Description:AIFF is a file format supported by the xine-lib media library. During openingand header parsing of an AIFF file, data of arbitrary length is read into anunprotected stack buffer. This can lead to a stack overflow, which can be usedto the execution of attacker-chosen code.An attacker can craft a malicious AIFF file and trick the user into playing it. Since AIFF files can also be provided through network streaming, this can be as easy as publishing a link on a website.It should also be noted that due to xine-lib's way of detecting file formats by querying each available demultiplexer in turn, this problem is not limited to AIFF files. The vulnerable code in the AIFF demultiplexer will also be executed on non-AIFF files.Severity:Since the involved xine plugin is part of the standard xine installation andthe vulnerability can be used directly to write attacker-chosen code on thestack, we consider this problem to be critical.Affected versions:All 1-alpha releases.All 1-beta releases.All 1-rc releases.Unaffected versions:All releases older than 1-alpha0.1.0 or newer.Solution:The enclosed patch which has been applied to xine-lib CVS fixes the problembut should only be used by distributors who do not want to upgrade.Otherwise, we strongly advise everyone to upgrade to the 1.0 release ofxine-lib.As a temporary workaround, you may delete the file "xineplug_dmx_audio.so"for xine-lib versions starting with and including 1-beta3 or"xineplug_dmx_aiff.so" for xine-lib versions older than 1-beta3 from thexine-lib plugin directory, losing the ability to play AIFF files.Patch:http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/demuxers/demux_aiff.c?r1=1.39&r2=1.40&diff_format=uFor further information and in case of questions, please contact the xineteam. Our website ishttp://xinehq.de/-----BEGIN PGP SIGNATURE-----Version: GnuPG v1.2.2 (GNU/Linux)iD8DBQFBzt8djhx3hMVnyYsRAobrAKCsmcS1aTwsKvMurvhdsZ5lYGRNEwCff/OK5LGNn5euSeQrIUiXA0PmWJo==RGD/-----END PGP SIGNATURE-----

By Date

By Thread

Current thread:

• XSA-2004-7: stack overflow in AIFF demultiplexerMichael Roitzsch (Dec 28)