Vulnerabilities > CVE-2004-1187
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Heap-based buffer overflow in the pnm_get_chunk function for xine 0.99.2, and other packages such as MPlayer that use the same code, allows remote attackers to execute arbitrary code via long PNA_TAG values, a different vulnerability than CVE-2004-1188.
Vulnerable Configurations
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_85D76F02538011D9A9E70001020EED82.NASL description iDEFENSE and the MPlayer Team have found multiple vulnerabilities in MPlayer : - Potential heap overflow in Real RTSP streaming code - Potential stack overflow in MMST streaming code - Multiple buffer overflows in BMP demuxer - Potential heap overflow in pnm streaming code - Potential buffer overflow in mp3lib These vulnerabilities could allow a remote attacker to execute arbitrary code as the user running MPlayer. The problem in the pnm streaming code also affects xine. last seen 2020-06-01 modified 2020-06-02 plugin id 19013 published 2005-07-13 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/19013 title FreeBSD : mplayer -- multiple vulnerabilities (85d76f02-5380-11d9-a9e7-0001020eed82) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200501-07.NASL description The remote host is affected by the vulnerability described in GLSA-200501-07 (xine-lib: Multiple overflows) Ariel Berkman discovered that xine-lib reads specific input data into an array without checking the input size in demux_aiff.c, making it vulnerable to a buffer overflow (CAN-2004-1300) . iDefense discovered that the PNA_TAG handling code in pnm_get_chunk() does not check if the input size is larger than the buffer size (CAN-2004-1187). iDefense also discovered that in this same function, a negative value could be given to an unsigned variable that specifies the read length of input data (CAN-2004-1188). Impact : A remote attacker could craft a malicious movie or convince a targeted user to connect to a malicious PNM server, which could result in the execution of arbitrary code with the rights of the user running any xine-lib frontend. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 16398 published 2005-02-14 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/16398 title GLSA-200501-07 : xine-lib: Multiple overflows NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2005-011.NASL description iDefense discovered that the PNA_TAG handling code in pnm_get_chunk() does not check if the input size is larger than the buffer size (CVE-2004-1187). As well, they discovered that in this same function, a negative value could be given to an unsigned variable that specifies the read length of input data (CVE-2004-1188). Ariel Berkman discovered that xine-lib reads specific input data into an array without checking the input size making it vulnerable to a buffer overflow problem (CVE-2004-1300). The updated packages have been patched to prevent these problems. last seen 2020-06-01 modified 2020-06-02 plugin id 16220 published 2005-01-19 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/16220 title Mandrake Linux Security Advisory : xine-lib (MDKSA-2005:011)
References
- http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/pnm.c?r1=1.20&r2=1.21
- http://www.idefense.com/application/poi/display?id=176&type=vulnerabilities
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:011
- http://www.mplayerhq.hu/MPlayer/patches/pnm_fix_20041215.diff
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18640