Format string vulnerability in input_cdda.c in xine-lib 1-beta through 1-beta 3, 1-rc, 1.0 through 1.0.2, and 1.1.1 allows remote servers to execute arbitrary code via format string specifiers in metadata in CDDB server responses when the victim plays a CD.

Gentoo Linux Security Advisory reports :

Ulf Harnhammar discovered a format string bug in the routines handling CDDB server response contents.

An attacker could submit malicious information about an audio CD to a public CDDB server (or impersonate a public CDDB server). When the victim plays this CD on a multimedia frontend relying on xine-lib, it could end up executing arbitrary code.

Ulf Harnhammar discovered a format string vulnerability in the CDDB module's cache file handling in the Xine library, which is used by packages such as xine-ui, totem-xine, and gxine.

By tricking an user into playing a particular audio CD which has a specially crafted CDDB entry, a remote attacker could exploit this vulnerability to execute arbitrary code with the privileges of the user running the application. Since CDDB servers usually allow anybody to add and modify information, this exploit does not even require a particular CDDB server to be selected.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

When playing an Audio CD, a xine-lib based media application contacts a CDDB server to retrieve metadata like the title and artist's name.
During processing of this data, a response from the server, which is located in memory on the stack, is passed to the fprintf() function as a format string. An attacker can set up a malicious CDDB server and trick the client into using this server instead of the pre- configured one. Alternatively, any user and therefore the attacker can modify entries in the official CDDB server. Using this format string vulnerability, attacker-chosen data can be written to an attacker-chosen memory location. This allows the attacker to alter the control flow and to execute malicious code with the permissions of the user running the application.

This problem was reported by Ulf Harnhammar from the Debian Security Audit Project.

The updated packages have been patched to correct this problem.

Ulf Harnhammar from the Debian Security Audit Project discovered a format string vulnerability in the CDDB processing component of xine-lib, the xine video/media player library, that could lead to the execution of arbitrary code caused by a malicious CDDB entry.

The remote host is affected by the vulnerability described in GLSA-200510-08 (xine-lib: Format string vulnerability)

    Ulf Harnhammar discovered a format string bug in the routines     handling CDDB server response contents.
  Impact :

    An attacker could submit malicious information about an audio CD     to a public CDDB server (or impersonate a public CDDB server). When the     victim plays this CD on a multimedia frontend relying on xine-lib, it     could end up executing arbitrary code.
  Workaround :

    There is no known workaround at this time.

New xine-lib packages are available for Slackware 9.1, 10.0, 10.1, 10.2, and -current to fix a security issue. A format string bug may allow the execution of arbitrary code as the user running a xine-lib linked application. The attacker must provide (by uploading or running a server) specially crafted CDDB information and then get the user to play the referenced audio CD. The official Xine advisory may be found here: http://xinehq.de/index.php/security/XSA-2005-1

ID	Name	Product	Family	Severity
21415	FreeBSD : libxine -- format string vulnerability (3bc5691e-38dd-11da-92f5-020039488e34)	Nessus	FreeBSD Local Security Checks	high
20610	Ubuntu 4.10 / 5.04 : xine-lib vulnerability (USN-196-1)	Nessus	Ubuntu Local Security Checks	high
20040	Mandrake Linux Security Advisory : xine-lib (MDKSA-2005:180)	Nessus	Mandriva Local Security Checks	high
20018	Debian DSA-863-1 : xine-lib - format string vulnerability	Nessus	Debian Local Security Checks	high
19978	GLSA-200510-08 : xine-lib: Format string vulnerability	Nessus	Gentoo Local Security Checks	high
19952	Slackware 10.0 / 10.1 / 10.2 / 9.1 / current : xine-lib (SSA:2005-283-01)	Nessus	Slackware Local Security Checks	high

Detections

Analytics

CVE-2005-2967

critical

Tenable Plugins

high

high

high

high

high

high