CVE-2004-1379
CVSS 7.5
Published: 2004-09-16 00:00:00
Last revised: 2008-09-05 16:41:11

[Original] Heap-based buffer overflow in the DVD subpicture decoder in xine xine-lib 1-rc5 and earlier allows remote attackers to execute arbitrary code via a (1) DVD or (2) MPEG subpicture header where the second field reuses RLE data from the end of the first field.


[CNNVD] Xine-lib DVD Subpicture Decoder Heap Overflow Vulnerability (CNNVD-200409-040)

        
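        Xine is a program for playing VCDs and DVDs on Linux.
        The DVD subpicture decoder included in Xine-lib contains a heap-based overflow; a local attacker can exploit this vulnerability to execute arbitrary instructions with the privileges of the xine process.
        The DVD subpicture decoder included in Xine-lib has a problem when handling certain malicious DVD or MPEG content. The Xine-lib decoder converts subpicture data and stores it in dynamically allocated memory. A flaw in the calculation of the required buffer space can cause the allocated memory to be too small, so a heap-based overflow occurs when the data is copied. Carefully crafted subpicture data may allow arbitrary instructions to be executed with the privileges of the xine process.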
        

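- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]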

- CPE (Affected Platforms and Products)

cpe:/a:xine:xine-lib:1_rc0
cpe:/a:xine:xine-lib:0.9.8
cpe:/a:xine:xine-lib:1_rc3c
cpe:/a:xine:xine:1_rc3b
cpe:/a:xine:xine-lib:1_beta7
cpe:/a:xine:xine:1_rc0a
cpe:/a:xine:xine:1_beta6
cpe:/a:xine:xine-lib:1_beta8
cpe:/a:xine:xine-lib:1_beta3
cpe:/a:xine:xine:1_beta12
cpe:/a:xine:xine:1_rc3a
cpe:/a:xine:xine:1_alpha
cpe:/a:xine:xine-lib:1_rc3a
cpe:/a:xine:xine:1_rc3
cpe:/a:xine:xine:1_beta9
cpe:/a:xine:xine:1_beta2
cpe:/a:xine:xine:1_beta8
cpe:/a:xine:xine:1_rc2
cpe:/a:xine:xine-lib:1_beta9
cpe:/a:xine:xine:1_beta11
cpe:/a:xine:xine:1_beta3
cpe:/a:xine:xine-lib:1_rc2
cpe:/a:xine:xine:1_rc1
cpe:/a:xine:xine:1_beta7
cpe:/a:xine:xine:1_rc4
cpe:/a:xine:xine-lib:1_rc3
cpe:/a:xine:xine-lib:1_rc4
cpe:/a:xine:xine-lib:1_rc5
cpe:/a:xine:xine:1_rc5
cpe:/a:xine:xine:1_beta5
cpe:/a:xine:xine-lib:1_beta2
cpe:/a:xine:xine:1_beta4
cpe:/a:xine:xine-lib:1_rc1
cpe:/a:xine:xine-lib:1_beta5
cpe:/a:xine:xine-lib:1_beta4
cpe:/a:xine:xine-lib:1_beta12
cpe:/a:xine:xine-lib:1_beta6
cpe:/a:xine:xine:1_rc0
cpe:/a:xine:xine:1_beta1
cpe:/a:xine:xine:1_beta10
cpe:/a:xine:xine-lib:1_rc3b

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1379
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1379
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200409-040
(Official data source) CNNVD

- Other Links and Resources

http://xinehq.de/index.php/security/XSA-2004-5
(VENDOR_ADVISORY)  CONFIRM  http://xinehq.de/index.php/security/XSA-2004-5
http://xforce.iss.net/xforce/xfdb/17423
(PATCH)  XF  xine-dvd-subpicture-bo(17423)
http://www.securityfocus.com/bid/11205
(PATCH)  BID  11205
http://www.gentoo.org/security/en/glsa/glsa-200409-30.xml
(PATCH)  GENTOO  GLSA-200409-30
http://www.debian.org/security/2005/dsa-657
(VENDOR_ADVISORY)  DEBIAN  DSA-657
http://slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.320308
(PATCH)  SLACKWARE  SSA:2004-266
http://www.vuxml.org/freebsd/131bd7c4-64a3-11d9-829a-000a95bc6fae.html
(UNKNOWN)  CONFIRM  http://www.vuxml.org/freebsd/131bd7c4-64a3-11d9-829a-000a95bc6fae.html
http://www.securityfocus.com/archive/1/375482/2004-09-02/2004-09-08/0
(UNKNOWN)  BUGTRAQ  20040906 XSA-2004-5: heap overflow in DVD subpicture decoder

- Vulnerability Information

Xine-lib DVD Subpicture Decoder Heap Overflow Vulnerability
High risk  Boundary condition error
2004-09-16 00:00:00 2005-10-20 00:00:00
Remote
        
        

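- Advisories and Patches

        Workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the risk:
        * Remove the following shared library:
        xineplug_decode_spu.so
        Vendor patch:
        xine
        ----
        The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:
        xine Upgrade xine-lib-1-rc6a.tar.gz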
        
        http://prdownloads.sourceforge.net/xine/xine-lib-1-rc6a.tar.gz?download

- Vulnerability Information (F35897)

dsa-657.txt (PacketStormID:F35897)
2005-01-26 00:00:00
 
advisory,overflow,arbitrary
linux,debian
CVE-2004-1379

Debian Security Advisory 657-1 - A heap overflow has been discovered in the DVD subpicture decoder of xine-lib. An attacker could cause arbitrary code to be executed on the victim's host by supplying a malicious MPEG. By tricking users to view a malicious network stream, this is remotely exploitable.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 657-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
January 25th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : xine-lib
Vulnerability  : buffer overflow
Problem-Type   : local (remote)
Debian-specific: no
CVE ID         : CAN-2004-1379
BugTraq ID     : 11205

A heap overflow has been discovered in the DVD subpicture decoder of
xine-lib.  An attacker could cause arbitrary code to be executed on
the victim's host by supplying a malicious MPEG.  By tricking users to
view a malicious network stream, this is remotely exploitable.

For the stable distribution (woody) this problem has been fixed in
version 0.9.8-2woody2.

For the unstable distribution (sid) this problem has been fixed in
version 1-rc6a-1.

We recommend that you upgrade your libxine packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB9lXbW5ql+IAeqTIRAmjmAJ0UFEb7mKPGUQxiLpX1D2IjAq1a5wCfXnLG
hhuVvFyMBnPdzEbO18/fWFY=
=5B+W
-----END PGP SIGNATURE-----

    

- Vulnerability Information

10044
xine-lib DVD Subpicture Decoder Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity

- Vulnerability Description

Unknown or Incomplete

- Timeline

2004-09-06 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Xine-lib DVD Subpicture Decoder Heap Overflow Vulnerability
Boundary Condition Error 11205
Yes No
2004-09-16 12:00:00 2006-07-12 04:38:00
Announced by Michael Roitzsch <mroi@users.sourceforge.net>.

- Affected Program Versions

xine xine-lib 0.9.8
xine xine-lib 0.9.8
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
xine xine-lib 1-rc5
xine xine-lib 1-rc4
xine xine-lib 1-rc3c
+ Slackware Linux 9.1
+ Slackware Linux -current
xine xine-lib 1-rc3b
xine xine-lib 1-rc3a
xine xine-lib 1-rc3
xine xine-lib 1-rc2
xine xine-lib 1-rc1
xine xine-lib 1-rc0
xine xine-lib 1-beta9
xine xine-lib 1-beta8
xine xine-lib 1-beta7
xine xine-lib 1-beta6
xine xine-lib 1-beta5
xine xine-lib 1-beta4
xine xine-lib 1-beta3
xine xine-lib 1-beta2
xine xine-lib 1-beta12
xine xine 1-rc5
xine xine 1-rc4
xine xine 1-rc3b
xine xine 1-rc3a
xine xine 1-rc3
xine xine 1-rc2
xine xine 1-rc1
xine xine 1-rc1
xine xine 1-rc0a
xine xine 1-rc0
xine xine 1-beta9
xine xine 1-beta8
xine xine 1-beta7
xine xine 1-beta6
xine xine 1-beta5
xine xine 1-beta4
xine xine 1-beta3
xine xine 1-beta2
xine xine 1-beta12
xine xine 1-beta11
xine xine 1-beta10
xine xine 1-beta1
xine xine 1-alpha
RedHat Linux 7.3 i686
RedHat Linux 7.3 i386
RedHat Linux 7.3
xine xine-lib 1-rc6a
xine xine 1-rc6a

- Unaffected Program Versions

xine xine-lib 1-rc6a
xine xine 1-rc6a

- Vulnerability Discussion

A buffer overflow in the DVD subpicture component, exploitable through malicious DVD or MPEG content, may allow for the execution of arbitrary code. The Xine-lib decoder converts subpicture data into an internal representation and stores it in dynamically allocated memory. A flaw in the calculation of required buffer space may result in the allocation of a buffer that is too small. Consequently, neighboring data in the heap may be corrupted when data is written to the buffer.

Attackers could exploit this vulnerability to write arbitrary words to nearly arbitrary locations in memory. The Linux and Windows dynamic memory-allocation subsystems may be more susceptible than BSD-based systems.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com

- Solution

The vulnerability is eliminated in version 1-rc6. The author has also made a source-code patch available:

http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/libspudec/spu.c?r1=1.77&r2=1.78&diff_format=u

Please see the referenced vendor advisories for more information.


xine xine-lib 1-rc2

xine xine-lib 1-rc3a

xine xine-lib 1-rc5

xine xine-lib 1-rc3b

xine xine 1-rc2

xine xine 1-rc3b

xine xine 1-rc3a

xine xine-lib 1-rc4

xine xine 1-rc3

xine xine-lib 1-rc3c

xine xine 1-rc4

xine xine-lib 1-rc3

xine xine 1-rc5

- Related References

 

 
