CVE-2005-1195
CVSS 7.5
Published: 2005-05-02 00:00:00
Last revised: 2008-11-15 00:46:03

[Original] Multiple heap-based buffer overflows in the code used to handle (1) MMS over TCP (MMST) streams or (2) RealMedia RTSP streams in xine-lib before 1.0, and other products that use xine-lib such as MPlayer 1.0pre6 and earlier, allow remote malicious servers to execute arbitrary code.


[CNNVD] MPlayer RTSP Remote Heap Overflow Vulnerability (CNNVD-200505-327)

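        MPlayer is a media player for Linux that can play almost all Windows media files.
        A buffer overflow exists in the MPlayer code that handles RealMedia RTSP streams. An attacker can exploit it to execute arbitrary code with the privileges of the user running the player. After obtaining media data from the server, the Real RTSP code stores it in a fixed-size array of MAX_FIELDS entries but does not check whether too much data has been received. A malicious server can therefore send more than MAX_FIELDS items and overflow the array. Because the array holds pointers to the response strings, the attacker cannot write arbitrary code into it, which makes the attack more difficult.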
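
The missing bound check described above, shown as an added example that is not code from MPlayer or xine-lib. The struct, the function names, the sample lines and the small MAX_FIELDS value are all assumptions made for illustration; only the name MAX_FIELDS comes from the description.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FIELDS 4  /* constructed small value; the page does not give the real one */

/* Hypothetical stand-in for the RTSP client state: a fixed table of
 * pointers to heap copies of the server's response lines. */
struct session {
    char  *answers[MAX_FIELDS];
    size_t count;
};

/* Append one response line. Returns 0 on success, -1 if the table is full
 * or allocation fails. The count test is the check the description says was
 * missing: without it, line MAX_FIELDS+1 stores a pointer past answers[]. */
static int store_answer(struct session *s, const char *line)
{
    if (s->count >= MAX_FIELDS)
        return -1;
    size_t len = strlen(line) + 1;
    char *copy = malloc(len);
    if (copy == NULL)
        return -1;
    memcpy(copy, line, len);
    s->answers[s->count++] = copy;
    return 0;
}

/* Feed n constructed response lines; return how many were stored,
 * or -1 if the response was rejected as oversized. */
int run_sample(size_t n)
{
    struct session s = { {0}, 0 };
    int result = 0;
    for (size_t i = 0; i < n && result == 0; i++) {
        char line[32];
        snprintf(line, sizeof line, "X-Field-%zu: value", i);  /* constructed */
        result = store_answer(&s, line);
    }
    if (result == 0)
        result = (int)s.count;
    for (size_t i = 0; i < s.count; i++)
        free(s.answers[i]);
    return result;
}

int main(void)
{
    printf("%d %d\n", run_sample(MAX_FIELDS), run_sample(MAX_FIELDS + 5));
    return 0;
}
```

Rejecting the whole response once the table is full, rather than silently dropping the extra lines, lets the caller treat an oversized reply as a protocol error and close the connection.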
        

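- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]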

- CPE (affected platforms and products)

cpe:/a:xine:xine-lib:1_rc3c
cpe:/a:xine:xine-lib:1_beta1
cpe:/a:xine:xine-lib:1_rc2
cpe:/a:xine:xine-lib:1_beta7
cpe:/a:xine:xine-lib:1_beta8
cpe:/a:xine:xine-lib:1_beta3
cpe:/a:xine:xine-lib:1_rc3a
cpe:/a:xine:xine-lib:1_beta10
cpe:/a:xine:xine-lib:1_beta2
cpe:/a:xine:xine-lib:1_beta5
cpe:/a:xine:xine-lib:1_beta4
cpe:/a:xine:xine-lib:1_beta6
cpe:/a:xine:xine-lib:1_beta9
cpe:/a:mplayer:mplayer:1.0_pre6
cpe:/a:xine:xine-lib:1_beta11
cpe:/a:xine:xine-lib:1_rc3b

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1195
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1195
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-327
(Official data source) CNNVD

- Other links and resources

http://www.mplayerhq.hu/homepage/design7/news.html#vuln11
(PATCH)  CONFIRM  http://www.mplayerhq.hu/homepage/design7/news.html#vuln11
http://www.mplayerhq.hu/homepage/design7/news.html#vuln10
(PATCH)  CONFIRM  http://www.mplayerhq.hu/homepage/design7/news.html#vuln10
http://secunia.com/advisories/15014
(PATCH)  SECUNIA  15014
http://xforce.iss.net/xforce/xfdb/20175
(UNKNOWN)  XF  mplayer-mmst-stream-bo(20175)
http://xforce.iss.net/xforce/xfdb/20171
(UNKNOWN)  XF  mplayer-rtsp-stream-bo(20171)
http://www.securityfocus.com/bid/13271
(UNKNOWN)  BID  13271
http://www.securityfocus.com/archive/1/396703
(UNKNOWN)  BUGTRAQ  20050421 [PLSN-0003] - Remote exploits in MPlayer
http://www.osvdb.org/15712
(UNKNOWN)  OSVDB  15712
http://www.osvdb.org/15711
(UNKNOWN)  OSVDB  15711
http://www.gentoo.org/security/en/glsa/glsa-200504-19.xml
(UNKNOWN)  GENTOO  GLSA-200504-19
http://securitytracker.com/id?1013771
(UNKNOWN)  SECTRACK  1013771
http://seclists.org/lists/bugtraq/2005/Apr/0337.html
(UNKNOWN)  BUGTRAQ  20050421 xine security announcement: multiple heap overflows in MMS and Real RTSP streaming clients
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/mms.c?r1=1.55&r2=1.56&diff_format=u
(UNKNOWN)  CONFIRM  http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/mms.c?r1=1.55&r2=1.56&diff_format=u
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/librtsp/rtsp.c?r1=1.18&r2=1.19&diff_format=u
(UNKNOWN)  CONFIRM  http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/librtsp/rtsp.c?r1=1.18&r2=1.19&diff_format=u

- Vulnerability information

MPlayer RTSP Remote Heap Overflow Vulnerability
High risk  Buffer overflow
2005-05-02 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue. The patch is available at:
        http://www.mplayerhq.hu/MPlayer/patches/rtsp_fix_20050415.diff

- Vulnerability information (F39106)

Ubuntu Security Notice 123-1 (PacketStormID:F39106)
2005-08-07 00:00:00
Ubuntu  ubuntu.com
advisory,overflow,arbitrary
linux,ubuntu
CVE-2005-1195

Ubuntu Security Notice USN-123-1 - Two buffer overflows have been discovered in the MMS and Real RTSP stream handlers of the Xine library. By tricking a user to connect to a malicious MMS or RTSP video/audio stream source with an application that uses this library, an attacker could crash the client and possibly even execute arbitrary code with the privileges of the player application.

===========================================================
Ubuntu Security Notice USN-123-1	       May 06, 2005
xine-lib vulnerabilities
CAN-2005-1195
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

libxine1

The problem can be corrected by upgrading the affected package to
version 1-rc5-1ubuntu2.2 (for Ubuntu 4.10) and 1.0-1ubuntu3.1 (for
Ubuntu 5.04).  In general, a standard system upgrade is sufficient to
effect the necessary changes.

Details follow:

Two buffer overflows have been discovered in the MMS and Real RTSP
stream handlers of the Xine library. By tricking a user to connect to
a malicious MMS or RTSP video/audio stream source with an application
that uses this library, an attacker could crash the client and
possibly even execute arbitrary code with the privileges of the player
application.

Updated packages for Ubuntu 4.10 (Warty Warthog):


Updated packages for Ubuntu 5.04 (Hoary Hedgehog):


- Vulnerability information

15711
MPlayer Real RTSP Stream Handling Overflow
Input Manipulation
Loss of Integrity
Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-04-16 Unknown
Unknown Unknown

- Solution

Upgrade to version 1.0pre7 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability credit

Unknown or Incomplete

- Vulnerability information

MPlayer RTSP Server Line Response Remote Buffer Overflow Vulnerability
Boundary Condition Error 13270
Yes No
2005-04-20 12:00:00 2009-07-12 02:06:00
The individual or individuals responsible for the discovery of this issue are currently unknown; the vendor disclosed this issue.

- Affected program versions

xine xine 1.0
xine xine 0.9.18
+ S.u.S.E. Linux Personal 8.2
xine xine 0.9.13
xine xine 1-rc8
xine xine 1-rc7
xine xine 1-rc6a
xine xine 1-rc6
xine xine 1-rc5
xine xine 1-rc4
xine xine 1-rc3b
xine xine 1-rc3a
xine xine 1-rc3
xine xine 1-rc2
xine xine 1-rc1
xine xine 1-rc1
xine xine 1-rc0a
xine xine 1-rc0
xine xine 1-beta9
xine xine 1-beta8
xine xine 1-beta7
xine xine 1-beta6
xine xine 1-beta5
xine xine 1-beta4
xine xine 1-beta3
xine xine 1-beta2
xine xine 1-beta12
xine xine 1-beta11
xine xine 1-beta10
xine xine 1-beta1
xine xine 1-alpha
Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
Turbolinux Turbolinux Desktop 10.0
Turbolinux Home
Slackware Linux 10.1
Slackware Linux 10.0
Slackware Linux -current
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux 8.1
S.u.S.E. Linux 8.0 i386
S.u.S.E. Linux 8.0
S.u.S.E. Linux 7.3 sparc
S.u.S.E. Linux 7.3 ppc
S.u.S.E. Linux 7.3 i386
S.u.S.E. Linux 7.3
S.u.S.E. Linux 7.2 i386
S.u.S.E. Linux 7.2
S.u.S.E. Linux 7.1 x86
S.u.S.E. Linux 7.1 sparc
S.u.S.E. Linux 7.1 ppc
S.u.S.E. Linux 7.1 alpha
S.u.S.E. Linux 7.1
S.u.S.E. Linux 7.0 sparc
S.u.S.E. Linux 7.0 ppc
S.u.S.E. Linux 7.0 i386
S.u.S.E. Linux 7.0 alpha
S.u.S.E. Linux 7.0
S.u.S.E. Linux 6.4 ppc
S.u.S.E. Linux 6.4 i386
S.u.S.E. Linux 6.4 alpha
S.u.S.E. Linux 6.4
S.u.S.E. Linux 6.3 ppc
S.u.S.E. Linux 6.3 alpha
S.u.S.E. Linux 6.3
S.u.S.E. Linux 6.2
S.u.S.E. Linux 6.1 alpha
S.u.S.E. Linux 6.1
S.u.S.E. Linux 6.0
S.u.S.E. Linux 5.3
S.u.S.E. Linux 5.2
S.u.S.E. Linux 5.1
S.u.S.E. Linux 5.0
S.u.S.E. Linux 4.4.1
S.u.S.E. Linux 4.4
S.u.S.E. Linux 4.3
S.u.S.E. Linux 4.2
S.u.S.E. Linux 4.0
S.u.S.E. Linux 3.0
S.u.S.E. Linux 2.0
S.u.S.E. Linux 1.0
Peachtree Linux release 1
MPlayer MPlayer 1.0 pre6
+ Gentoo Linux
MPlayer MPlayer 1.0 pre5try2
MPlayer MPlayer 1.0 pre5try1
MPlayer MPlayer 1.0 pre5
+ Gentoo Linux 1.4
+ Gentoo Linux
MPlayer MPlayer 1.0 pre4
MPlayer MPlayer 1.0 pre3try2
MPlayer MPlayer 1.0 pre3
MPlayer MPlayer 1.0 pre2
MPlayer MPlayer 1.0 pre1
MPlayer MPlayer 0.92.1
MPlayer MPlayer 0.92
MPlayer MPlayer 0.91
MPlayer MPlayer 0.90 rc series
MPlayer MPlayer 0.90 pre series
MPlayer MPlayer 0.90
MPlayer MPlayer 0.9 0rc4
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
xine xine 1.0
xine xine 0.9.8
- Debian Linux 3.0 sparc
- Debian Linux 3.0 s/390
- Debian Linux 3.0 ppc
- Debian Linux 3.0 mipsel
- Debian Linux 3.0 mips
- Debian Linux 3.0 m68k
- Debian Linux 3.0 ia-64
- Debian Linux 3.0 ia-32
- Debian Linux 3.0 hppa
- Debian Linux 3.0 arm
- Debian Linux 3.0 alpha
- Debian Linux 3.0

- Unaffected program versions

xine xine 1.0
xine xine 0.9.8
- Debian Linux 3.0 sparc
- Debian Linux 3.0 s/390
- Debian Linux 3.0 ppc
- Debian Linux 3.0 mipsel
- Debian Linux 3.0 mips
- Debian Linux 3.0 m68k
- Debian Linux 3.0 ia-64
- Debian Linux 3.0 ia-32
- Debian Linux 3.0 hppa
- Debian Linux 3.0 arm
- Debian Linux 3.0 alpha
- Debian Linux 3.0

- Vulnerability discussion

A remote heap-based buffer overflow vulnerability affects MPlayer. This issue is due to a failure of the application to properly validate the length of user-supplied strings prior to copying them into static process buffers.

An attacker may exploit this issue to execute arbitrary code with the privileges of the user that activated the vulnerable application. This may facilitate unauthorized access or privilege escalation.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

The vendor has released a patch dealing with this issue.

Mandriva has released security announcement MDKSA-2005:115 addressing this issue. Please see the referenced advisory for details on obtaining and applying the appropriate updates.

SuSE has released advisory SUSE-SR:2005:013 and fixes for this issue. Fixes can be obtained through the SuSE FTP server or by using the YaST Online Update.

Ubuntu Linux has released fixes and an advisory (USN-123-1) to address this and another vulnerability. Please see the referenced advisory for further information.

Peachtree Linux has released fixes and an advisory (PLSN-0003) to address this and another vulnerability. Please see the referenced advisory for further information.

xine has released fixes and an advisory (XSA-2004-8) to address this and another vulnerability. Patches are also available at the following location:

http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/librtsp/rtsp.c?r1=1.18&r2=1.19&diff_format=u
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/mms.c?r1=1.55&r2=1.56&diff_format=u

Please see the referenced advisory for further information.

Gentoo Linux has released an advisory (GLSA 200504-19) dealing with this issue. Gentoo advises that all users upgrade their packages by executing the following commands with superuser privileges:

emerge --sync
emerge --ask --oneshot --verbose ">=media-video/mplayer-1.0_pre6-r4"

For more information, please see the referenced Gentoo Linux advisory.

Gentoo Linux has released an advisory (GLSA 200504-27) dealing with this issue for xine-lib. Gentoo advises that all xine-lib users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose media-libs/xine-lib

SuSE has released advisory SUSE-SR:2005:012 confirming that SuSE Linux products are vulnerable to this issue. Fixes are pending.

Slackware Linux has released advisory SSA:2005-121-02 to address this issue. Please see the referenced advisory for further information.

Turbolinux has released advisory TLSA-2005-65 to address this issue. Please see the referenced advisory for more information.

