Exploitable buffer overflow in RTSP streaming code

Bug #16321 reported by Debian Bug Importer
Affects             Status        Importance  Assigned to  Milestone
xine-lib (Debian)   Fix Released  Unknown     -            -
xine-lib (Ubuntu)   Fix Released  High        Martin Pitt  -

Bug Description

Automatically imported from Debian bug report #305343 http://bugs.debian.org/305343

Revision history for this message
Gerardo Di Giacomo (astharot) wrote : Exploitable buffer overflow in RTSP streaming code

Patch for sid attached.

Gerardo

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Automatically imported from Debian bug report #305343 http://bugs.debian.org/305343

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <20050419122538.B0522B6F17@anton>
Date: Tue, 19 Apr 2005 14:25:38 +0200
From: Moritz Muehlenhoff <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: Exploitable buffer overflow in RTSP streaming code

Package: libxine1
Version: 1.0-1
Severity: grave
Tags: security

Two streaming related security issues have been reported in MPlayer. At least
one of them is present in xine-lib as well. The MPlayer reports can be found at
http://www.mplayerhq.hu/homepage/design7/news.html. The vulnerable MMST code
does not seem to be included in xine-lib, at least I couldn't find it.

The issue is an exploitable heap overflow in RTSP streaming (allows potential
remote execution of arbitrary code). Patch is available at
http://sourceforge.net/mailarchive/forum.php?thread_id=7060090&forum_id=11923

Stable is not affected.

Cheers,
         Moritz

-- System Information:
Debian Release: 3.0
Architecture: i386
Kernel: Linux anton 2.4.29-univention.1 #1 SMP Thu Jan 27 17:08:46 CET 2005 i686
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro

Versions of packages libxine1 depends on:
ii libasound2 0.9.4-2.18.200308292050 Advanced Linux Sound Architecture
ii libc6 2.3.2-9 GNU C Library: Shared libraries an
ii libfreetyp 2.1.5-2.3.200310081510 FreeType 2 font engine, shared lib
ii libpng12-0 1.2.5.0-8.6.200410161035 PNG library - runtime
ii libspeex1 1.0.rel.1-2.3.200308231822 The Speex Speech Codec
ii libxext6 4.3.0-0pre1v5.51.200409211658 X Window System miscellaneous exte
ii xlibmesa-g 4.3.0-0pre1v5.51.200409211658 Mesa 3D graphics library [XFree86]
ii xlibmesa-g 4.3.0-0pre1v5.51.200409211658 Mesa OpenGL utility library [XFree
ii xlibs 4.3.0-0pre1v5.51.200409211658 X Window System client libraries m
ii zlib1g 1:1.2.2-4.15.200501191530 compression library - runtime

-- debconf-show failed

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 21 Apr 2005 02:11:21 +0200
From: <email address hidden> (Gerardo Di Giacomo)
To: <email address hidden>
Subject: Exploitable buffer overflow in RTSP streaming code


Patch for sid attached.

Gerardo

Attachment: libxine1.patch

diff -Nru /tmp/K6tJKUUwAx/xine-lib-1.0/src/input/librtsp/rtsp.c /tmp/ljlLpb7MdV/xine-lib-1.0/src/input/librtsp/rtsp.c
--- /tmp/K6tJKUUwAx/xine-lib-1.0/src/input/librtsp/rtsp.c 2004-07-25 19:13:54.000000000 +0200
+++ /tmp/ljlLpb7MdV/xine-lib-1.0/src/input/librtsp/rtsp.c 2005-04-21 02:09:50.313439360 +0200
@@ -218,6 +218,7 @@
   unsigned int answer_seq;
   char **answer_ptr=s->answers;
   int code;
+ int ans_count = 0;

   answer=rtsp_get(s);
   if (!answer)
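Review bot: the new `ans_count` counter is declared without a comment saying what it bounds; since it exists to cap writes through `answer_ptr` into `s->answers`, say so at the declaration (e.g. `int ans_count = 0; /* entries stored in s->answers, capped at MAX_FIELDS */`), and the cap should be tied to the real size of that array rather than to a separately defined constant, which this hunk does not show.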
@@ -268,7 +269,7 @@
     }
     *answer_ptr=answer;
     answer_ptr++;
- } while (strlen(answer)!=0);
+ } while ((strlen(answer)!=0) && (++ans_count < MAX_FIELDS));

   s->cseq++;

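Review bot: the cap is tested only after `*answer_ptr=answer; answer_ptr++;` has already run, so the loop stores up to MAX_FIELDS pointers and then stops; that is safe only if `s->answers` holds at least MAX_FIELDS entries plus room for whatever terminator is written after the loop, which this hunk does not show. When the cap is hit the loop also exits with the rest of the server's header lines unread, so the next `rtsp_get` on the same session will consume leftover lines from this reply; consider reading and discarding lines until the empty one before leaving the loop. As noted further down the thread, this patch covers rtsp.c only and not the mms.c overflow.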
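A bounded version of the answer-collecting loop the patch above caps, as an added example in C that is not xine-lib's code: header lines come from a constructed in-memory RTSP reply instead of a socket, MAX_FIELDS is an assumed array capacity, and the block goes one step further than the patch by also draining the lines past the cap so the caller's read position stays in sync.

```c
/* Added example, not xine-lib code: a bounded RTSP reply-header collector in the
 * shape of the patched loop, fed from an in-memory reply instead of a socket. */
#include <stdlib.h>
#include <string.h>
#define MAX_FIELDS 4   /* assumption: capacity of the answers array */

struct rtsp_reply {
    char *answers[MAX_FIELDS + 1];   /* +1 leaves room for the NULL terminator */
    int   dropped;                   /* header lines discarded once the cap is hit */
};

/* Copies the next CRLF-terminated line out of *src; NULL when no line is left. */
static char *get_line(const char **src) {
    const char *p = *src, *e = strstr(p, "\r\n");
    if (!e) return NULL;
    size_t n = (size_t)(e - p);
    char *line = malloc(n + 1);
    memcpy(line, p, n); line[n] = '\0';
    *src = e + 2;
    return line;
}

/* Stores at most MAX_FIELDS lines; extra lines are freed rather than written past
 * the array, and every line up to the blank terminator is still consumed so the
 * caller's read position stays in sync. Returns the number of stored fields. */
int collect_answers(struct rtsp_reply *r, const char *reply) {
    int count = 0;
    char *line;
    r->dropped = 0;
    while ((line = get_line(&reply)) != NULL) {
        if (line[0] == '\0') { free(line); break; }   /* blank line ends the headers */
        if (count < MAX_FIELDS) r->answers[count++] = line;
        else { free(line); r->dropped++; }
    }
    r->answers[count] = NULL;
    return count;
}

/* Constructed sample reply: six header lines, the blank separator, then body bytes. */
static const char SAMPLE_REPLY[] =
    "RTSP/1.0 200 OK\r\nCSeq: 1\r\nSession: 42\r\nA: 1\r\nB: 2\r\nC: 3\r\n\r\nbody";

static void run_sample(int *stored, int *dropped) {
    struct rtsp_reply r;
    *stored = collect_answers(&r, SAMPLE_REPLY);
    *dropped = r.dropped;
    for (int i = 0; i < *stored; i++) free(r.answers[i]);
}
int sample_stored(void)  { int s, d; run_sample(&s, &d); return s; }   /* 4 */
int sample_dropped(void) { int s, d; run_sample(&s, &d); return d; }   /* 2 */
```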

Revision history for this message
Moritz Muehlenhoff (jmm-inutil) wrote : MMST code vulnerable as well

I missed the second part; the MMST code is vulnerable as well. Patch at:
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/mms.c?r1=1.55&r2=1.56&diff_format=u

BTW, this is CAN-2005-1195, please refer to it when fixing it.

Cheers,
        Moritz

Revision history for this message
Frank Lichtenheld (djpig) wrote : tagging 305343

# Automatically generated email from bts, devscripts version 2.8.14
tags 305343 patch

Revision history for this message
Siggi Langauf (siggi-localhost) wrote : Fixed in NMU of xine-lib 1.0.1-1

tag 288331 + fixed
tag 292341 + fixed
tag 297435 + fixed
tag 301901 + fixed
tag 303463 + fixed
tag 304865 + fixed
tag 305343 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.

Format: 1.7
Date: Wed, 27 Apr 2005 12:41:46 +0200
Source: xine-lib
Binary: libxine-dev libxine1
Architecture: source powerpc
Version: 1.0.1-1
Distribution: unstable
Urgency: high
Maintainer: <email address hidden>
Changed-By: Siggi Langauf <email address hidden>
Description:
 libxine-dev - the xine video player library, development packages
 libxine1 - the xine video/media player library, binary files
Closes: 288331 292341 297435 301901 303463 304865 305343
Changes:
 xine-lib (1.0.1-1) unstable; urgency=high
 .
   * new upstream release
     * fixes MMST and RTSP vulnerabilities (CAN-2005-1195, closes: #305343)
     * presumably fixes Ogg/Vorbis/Theora audio sync (closes: #301901)
     * fixes typo in xine-check subsystem (closes: #292341)
   * build-depends on libsdl1.2 (closes: #297435)
   * allow installing libxine1-dev with slang1-utf8-dev (closes: #304865)
   * moved documentation to policy compliant directories (closes: #303463)
   * made Vorbis and Theora hard dependencies (workaround closes: #288331)
Files:
 b3739c1d8da804888da1531b3ff5b677 1047 libs optional xine-lib_1.0.1-1.dsc
 9be804b337c6c3a2e202c5a7237cb0f8 7774954 libs optional xine-lib_1.0.1.orig.tar.gz
 2e0cbd3ce5c6cc8b8a5f87f571e35359 1584 libs optional xine-lib_1.0.1-1.diff.gz
 641493e4d7e2fdd128fcae74a02fb79a 107388 libdevel optional libxine-dev_1.0.1-1_powerpc.deb
 5604dd04f8434316007d6a14e58dd732 4304876 libs optional libxine1_1.0.1-1_powerpc.deb


Revision history for this message
Siggi Langauf (siggi) wrote : There is no NMU...

close 288331
close 292341
close 297435
close 301901
close 303463
close 304865
close 305343

quit

...it's just the uploader email has been messed up. :-/

Revision history for this message
Martin Pitt (pitti) wrote : Patch

Hi!

Please do not use the previous patch, since it is incomplete.

The Ubuntu patch

  http://patches.ubuntu.com/patches/xine-lib.CAN-2005-1195.patch

also fixes an overflow in the MMS stream decoder.

This is CAN-2005-1195, please mention that in the changelog.

Thanks,

Martin

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntulinux.org
Debian Developer http://www.debian.org

Revision history for this message
Martin Pitt (pitti) wrote :

Warty and Hoary were fixed in USN-123-1. Keeping bug open until Breezy is fixed.

Revision history for this message
Martin Pitt (pitti) wrote :

 xine-lib (1.0-1ubuntu5) breezy; urgency=low
 .
   * SECURITY UPDATE: Fix buffer overflows.
   * src/input/librtsp/rtsp.c, src/input/mms.c: Apply upstream fixes to avoid
     buffer overflows with crafted MMS or Real RTSP streams.
   * References:
     CAN-2005-1195

Changed in xine-lib:
status: Unknown → Fix Released