Vulnerabilities > CVE-2004-1188
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
The pnm_get_chunk function in xine 0.99.2 and earlier, and other packages such as MPlayer that use the same code, does not properly verify that the chunk size is less than the PREAMBLE_SIZE, which causes a read operation with a negative length that leads to a buffer overflow via (1) RMF_TAG, (2) DATA_TAG, (3) PROP_TAG, (4) MDPR_TAG, and (5) CONT_TAG values, a different vulnerability than CVE-2004-1187.
Vulnerable Configurations
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_85D76F02538011D9A9E70001020EED82.NASL description iDEFENSE and the MPlayer Team have found multiple vulnerabilities in MPlayer : - Potential heap overflow in Real RTSP streaming code - Potential stack overflow in MMST streaming code - Multiple buffer overflows in BMP demuxer - Potential heap overflow in pnm streaming code - Potential buffer overflow in mp3lib These vulnerabilities could allow a remote attacker to execute arbitrary code as the user running MPlayer. The problem in the pnm streaming code also affects xine. last seen 2020-06-01 modified 2020-06-02 plugin id 19013 published 2005-07-13 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/19013 title FreeBSD : mplayer -- multiple vulnerabilities (85d76f02-5380-11d9-a9e7-0001020eed82) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200501-07.NASL description The remote host is affected by the vulnerability described in GLSA-200501-07 (xine-lib: Multiple overflows) Ariel Berkman discovered that xine-lib reads specific input data into an array without checking the input size in demux_aiff.c, making it vulnerable to a buffer overflow (CAN-2004-1300) . iDefense discovered that the PNA_TAG handling code in pnm_get_chunk() does not check if the input size is larger than the buffer size (CAN-2004-1187). iDefense also discovered that in this same function, a negative value could be given to an unsigned variable that specifies the read length of input data (CAN-2004-1188). Impact : A remote attacker could craft a malicious movie or convince a targeted user to connect to a malicious PNM server, which could result in the execution of arbitrary code with the rights of the user running any xine-lib frontend. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 16398 published 2005-02-14 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/16398 title GLSA-200501-07 : xine-lib: Multiple overflows NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2005-011.NASL description iDefense discovered that the PNA_TAG handling code in pnm_get_chunk() does not check if the input size is larger than the buffer size (CVE-2004-1187). As well, they discovered that in this same function, a negative value could be given to an unsigned variable that specifies the read length of input data (CVE-2004-1188). Ariel Berkman discovered that xine-lib reads specific input data into an array without checking the input size making it vulnerable to a buffer overflow problem (CVE-2004-1300). The updated packages have been patched to prevent these problems. last seen 2020-06-01 modified 2020-06-02 plugin id 16220 published 2005-01-19 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/16220 title Mandrake Linux Security Advisory : xine-lib (MDKSA-2005:011)
References
- http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/pnm.c?r1=1.20&r2=1.21
- http://www.idefense.com/application/poi/display?id=177&type=vulnerabilities
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:011
- http://www.mplayerhq.hu/MPlayer/patches/pnm_fix_20041215.diff
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18638