Luigi Auriemma, Alin Rad Pop, Remi Denis-Courmont, Quovodis, Guido Landi, Felipe Manzano, Anibal Sacco and others discovered multiple vulnerabilities in vlc, an application for playback and streaming of audio and video. In the worst case, these weaknesses permit a remote, unauthenticated attacker to execute arbitrary code with the privileges of the user running vlc.

The Common Vulnerabilities and Exposures project identifies the following eight problems :

  - CVE-2007-6681     A buffer overflow vulnerability in subtitle handling     allows an attacker to execute arbitrary code through the     opening of a maliciously crafted MicroDVD, SSA or     Vplayer file.

  - CVE-2007-6682     A format string vulnerability in the HTTP-based remote     control facility of the vlc application allows a remote,     unauthenticated attacker to execute arbitrary code.

  - CVE-2007-6683     Insecure argument validation allows a remote attacker to     overwrite arbitrary files writable by the user running     vlc, if a maliciously crafted M3U playlist or MP3 audio     file is opened.

  - CVE-2008-0295, CVE-2008-0296     Heap buffer overflows in RTSP stream and session     description protocol (SDP) handling allow an attacker to     execute arbitrary code if a maliciously crafted RTSP     stream is played.

  - CVE-2008-0073     Insufficient integer bounds checking in SDP handling     allows the execution of arbitrary code through a     maliciously crafted SDP stream ID parameter in an RTSP     stream.

  - CVE-2008-0984     Insufficient integrity checking in the MP4 demuxer     allows a remote attacker to overwrite arbitrary memory     and execute arbitrary code if a maliciously crafted MP4     file is opened.

  - CVE-2008-1489     An integer overflow vulnerability in MP4 handling allows     a remote attacker to cause a heap buffer overflow,     inducing a crash and possibly the execution of arbitrary     code if a maliciously crafted MP4 file is opened.

Several local vulnerabilities have been discovered in Xine, a media player library, allowed for a denial of service or arbitrary code execution, which could be exploited through viewing malicious content.
The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2007-1246 / CVE-2007-1387     The DMO_VideoDecoder_Open function does not set the     biSize before use in a memcpy, which allows     user-assisted remote attackers to cause a buffer     overflow and possibly execute arbitrary code (applies to     sarge only).

  - CVE-2008-0073     Array index error in the sdpplin_parse function allows     remote RTSP servers to execute arbitrary code via a     large streamid SDP parameter.

  - CVE-2008-0486     Array index vulnerability in libmpdemux/demux_audio.c     might allow remote attackers to execute arbitrary code     via a crafted FLAC tag, which triggers a buffer overflow     (applies to etch only).

  - CVE-2008-1161     Buffer overflow in the Matroska demuxer allows remote     attackers to cause a denial of service (crash) and     possibly execute arbitrary code via a Matroska file with     invalid frame sizes.

New xine-lib packages are available for Slackware 10.0, 10.1, 10.2, 11.0, 12.0, and -current to fix security issues.

This updates xine-lib to 1.1.11.1, which fixes the following security vulnerabilities: CVE-2008-0073 array indexing (fixed in 1.1.11), CVE-2008-1482 integer overflow (fixed in 1.1.11.1). It also provides a versioned xine-lib (plugin-abi) so 3rd party packages installing plugins can use it instead of requiring a version of xine-lib.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A vulnerability that was discovered in xine-lib that allowed remote RTSP servers to execute arbitrary code via a large streamid SDP parameter also affects MPlayer (CVE-2008-0073).

Several integer overflows were discovered by Felipe Andres Manzano in MPlayer's Real video stream demuxing code. These vulnerabilities could allow an attacker to cause a crash or possibly execute arbitrary code by supplying a malicious crafted video file (CVE-2008-3827).

The updated packages have been patched to fix these issues. Note that CVE-2008-3827 was already corrected in the Mandriva Linux 2009 packages.

The remote host is affected by the vulnerability described in GLSA-200804-25 (VLC: User-assisted execution of arbitrary code)

    Multiple vulnerabilities were found in VLC:
    Luigi Auriemma discovered that the stack-based buffer overflow when     reading subtitles, which has been reported as CVE-2007-6681 in GLSA     200803-13, was not properly fixed (CVE-2008-1881).
    Alin Rad Pop of Secunia reported an array indexing vulnerability in the     sdpplin_parse() function when processing streams from RTSP servers in     Xine code, which is also used in VLC (CVE-2008-0073).
    Drew Yao and Nico Golde reported an integer overflow in the     MP4_ReadBox_rdrf() function in the file libmp4.c leading to a     heap-based buffer overflow when reading MP4 files (CVE-2008-1489).
    Drew Yao also reported integer overflows in the MP4 demuxer,     the Real demuxer and in the Cinepak codec, which might lead to buffer     overflows (CVE-2008-1768).
    Drew Yao finally discovered and a     boundary error in Cinepak, which might lead to memory corruption     (CVE-2008-1769).
  Impact :

    A remote attacker could entice a user to open a specially crafted media     file or stream, possibly resulting in the remote execution of arbitrary     code.
  Workaround :

    There is no known workaround at this time.

Alin Rad Pop found an array index vulnerability in the SDP parser of xine-lib. If a user or automated system were tricked into opening a malicious RTSP stream, a remote attacker could possibly execute arbitrary code with the privileges of the user using the program (CVE-2008-0073).

The ASF demuxer in xine-lib did not properly check the length of ASF headers. If a user was tricked into opening a crafted ASF file, a remote attacker could possibly cause a denial of service or execute arbitrary code with the privileges of the user using the program (CVE-2008-1110).

The Matroska demuxer in xine-lib did not properly verify frame sizes, which could possibly lead to the execution of arbitrary code if a user opened a crafted ASF file (CVE-2008-1161).

Luigi Auriemma found multiple integer overflows in xine-lib. If a user was tricked into opening a crafted FLV, MOV, RM, MVE, MKV, or CAK file, a remote attacker could possibly execute arbitrary code with the privileges of the user using the program (CVE-2008-1482).

Guido Landi found A stack-based buffer overflow in xine-lib that could allow a remote attacker to cause a denial of service (crash) and potentially execute arbitrary code via a long NSF title (CVE-2008-1878).

The updated packages have been patched to correct this issue.

This update fixes a bug in the function sdpplin_parse() that allowed remote attackers to access process memory out-of a buffers bound. This vulnerability can be used to execute arbitrary code remotely if successfully exploited. (CVE-2008-0073)

The remote host is affected by the vulnerability described in GLSA-200808-01 (xine-lib: User-assisted execution of arbitrary code)

    Multiple vulnerabilities have been discovered in xine-lib:
    Alin Rad Pop of Secunia reported an array indexing vulnerability in the     sdpplin_parse() function in the file input/libreal/sdpplin.c when     processing streams from RTSP servers that contain a large 'streamid'     SDP parameter (CVE-2008-0073).
    Luigi Auriemma reported multiple integer overflows that result in     heap-based buffer overflows when processing '.FLV', '.MOV' '.RM',     '.MVE', '.MKV', and '.CAK' files (CVE-2008-1482).
    Guido Landi reported a stack-based buffer overflow in the     demux_nsf_send_chunk() function when handling titles within NES Music     (.NSF) files (CVE-2008-1878).
  Impact :

    A remote attacker could entice a user to play a specially crafted video     file or stream with a player using xine-lib, potentially resulting in     the execution of arbitrary code with the privileges of the user running     the player.
  Workaround :

    There is no known workaround at this time.

Alin Rad Pop discovered an array index vulnerability in the SDP parser. If a user or automated system were tricked into opening a malicious RTSP stream, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program.
(CVE-2008-0073)

Luigi Auriemma discovered that xine-lib did not properly check buffer sizes in the RTSP header-handling code. If xine-lib opened an RTSP stream with crafted SDP attributes, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-0225, CVE-2008-0238)

Damian Frizza and Alfredo Ortega discovered that xine-lib did not properly validate FLAC tags. If a user or automated system were tricked into opening a crafted FLAC file, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-0486)

It was discovered that the ASF demuxer in xine-lib did not properly check the length if the ASF header. If a user or automated system were tricked into opening a crafted ASF file, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-1110)

It was discovered that the Matroska demuxer in xine-lib did not properly verify frame sizes. If xine-lib opened a crafted ASF file, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program.
(CVE-2008-1161)

Luigi Auriemma discovered multiple integer overflows in xine-lib. If a user or automated system were tricked into opening a crafted FLV, MOV, RM, MVE, MKV or CAK file, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program.
(CVE-2008-1482)

It was discovered that xine-lib did not properly validate its input when processing Speex file headers. If a user or automated system were tricked into opening a specially crafted Speex file, an attacker could create a denial of service or possibly execute arbitrary code as the user invoking the program. (CVE-2008-1686)

Guido Landi discovered a stack-based buffer overflow in xine-lib when processing NSF files. If xine-lib opened a specially crafted NSF file with a long NSF title, an attacker could create a denial of service or possibly execute arbitrary code as the user invoking the program.
(CVE-2008-1878).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Wed Mar 19 2008 Ville Skytta <ville.skytta at iki.fi> -     1.1.11-1 - 1.1.11 (security update, #438182,     CVE-2008-0073). - Drop jack and wavpack build     conditionals. - Specfile cleanups.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Published	Updated	Severity
31949	Debian DSA-1543-1 : vlc - several vulnerabilities	Nessus	Debian Local Security Checks	4/17/2008	1/4/2021	critical
31721	Debian DSA-1536-1 : libxine - several vulnerabilities	Nessus	Debian Local Security Checks	4/1/2008	1/4/2021	high
31708	Slackware 10.0 / 10.1 / 10.2 / 11.0 / 12.0 / current : xine-lib (SSA:2008-089-03)	Nessus	Slackware Local Security Checks	3/31/2008	1/14/2021	medium
31818	Fedora 7 : xine-lib-1.1.11.1-1.fc7 (2008-2945)	Nessus	Fedora Local Security Checks	4/11/2008	1/11/2021	medium
37535	Mandriva Linux Security Advisory : mplayer (MDVSA-2008:219)	Nessus	Mandriva Local Security Checks	4/23/2009	1/6/2021	high
32045	GLSA-200804-25 : VLC: User-assisted execution of arbitrary code	Nessus	Gentoo Local Security Checks	4/25/2008	1/6/2021	high
36948	Mandriva Linux Security Advisory : xine-lib (MDVSA-2008:178)	Nessus	Mandriva Local Security Checks	4/23/2009	1/6/2021	high
31716	openSUSE 10 Security Update : xine-devel (xine-devel-5113)	Nessus	SuSE Local Security Checks	3/31/2008	1/14/2021	medium
33831	GLSA-200808-01 : xine-lib: User-assisted execution of arbitrary code	Nessus	Gentoo Local Security Checks	8/7/2008	1/6/2021	high
33940	Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : xine-lib vulnerabilities (USN-635-1)	Nessus	Ubuntu Local Security Checks	8/20/2008	1/19/2021	high
31665	Fedora 8 : xine-lib-1.1.11-1.fc8 (2008-2569)	Nessus	Fedora Local Security Checks	3/26/2008	1/11/2021	medium
31723	SuSE 10 Security Update : xine (ZYPP Patch Number 5116)	Nessus	SuSE Local Security Checks	4/1/2008	1/14/2021	medium

Detections

Analytics

Plugins Search

critical

high

medium

medium

high

high

high

medium

high

high

medium

medium