Vulnerabilities > CVE-2004-1475 - Stack Overflow vulnerability in Xine-lib VideoCD And Text Subtitle
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Multiple stack-based buffer overflows in xine-lib 1-rc2 through 1-rc5 allow attackers to execute arbitrary code via (1) long VideoCD vcd:// MRLs or (2) long subtitle lines.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 10 |
Exploit-Db
| description | xine 0.99.2 Remote Stack Overflow Exploit. CVE-2004-1475. Remote exploit for linux platform |
| id | EDB-ID:386 |
| last seen | 2016-01-31 |
| modified | 2004-08-09 |
| published | 2004-08-09 |
| reporter | c0ntex |
| source | https://www.exploit-db.com/download/386/ |
| title | xine 0.99.2 - Remote Stack Overflow Exploit |
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200408-18.NASL description The remote host is affected by the vulnerability described in GLSA-200408-18 (xine-lib: VCD MRL buffer overflow) xine-lib contains a bug where it is possible to overflow the vcd:// input source identifier management buffer through carefully crafted playlists. Impact : An attacker may construct a carefully-crafted playlist file which will cause xine-lib to execute arbitrary code with the permissions of the user. In order to conform with the generic naming standards of most Unix-like systems, playlists can have extensions other than .asx (the standard xine playlist format), and made to look like another file (MP3, AVI, or MPEG for example). If an attacker crafts a playlist with a valid header, they can insert a VCD playlist line that can cause a buffer overflow and possible shellcode execution. Workaround : There is no known workaround at this time. All users are encouraged to upgrade to the latest available version of xine-lib. last seen 2020-06-01 modified 2020-06-02 plugin id 14574 published 2004-08-30 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/14574 title GLSA-200408-18 : xine-lib: VCD MRL buffer overflow code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200408-18. # # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(14574); script_version("1.15"); script_cvs_date("Date: 2019/08/02 13:32:41"); script_cve_id("CVE-2004-1475"); script_xref(name:"GLSA", value:"200408-18"); script_name(english:"GLSA-200408-18 : xine-lib: VCD MRL buffer overflow"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200408-18 (xine-lib: VCD MRL buffer overflow) xine-lib contains a bug where it is possible to overflow the vcd:// input source identifier management buffer through carefully crafted playlists. Impact : An attacker may construct a carefully-crafted playlist file which will cause xine-lib to execute arbitrary code with the permissions of the user. In order to conform with the generic naming standards of most Unix-like systems, playlists can have extensions other than .asx (the standard xine playlist format), and made to look like another file (MP3, AVI, or MPEG for example). If an attacker crafts a playlist with a valid header, they can insert a VCD playlist line that can cause a buffer overflow and possible shellcode execution. Workaround : There is no known workaround at this time. All users are encouraged to upgrade to the latest available version of xine-lib." ); # http://www.open-security.org/advisories/6 script_set_attribute( attribute:"see_also", value:"http://ww17.open-security.org/advisories/6" ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200408-18" ); script_set_attribute( attribute:"solution", value: "All xine-lib users should upgrade to the latest version: # emerge sync # emerge -pv '>=media-libs/xine-lib-1_rc5-r3' # emerge '>=media-libs/xine-lib-1_rc5-r3'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:xine-lib"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2004/08/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/30"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"media-libs/xine-lib", unaffected:make_list("ge 1_rc5-r3"), vulnerable:make_list("le 1_rc5-r2"))) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get()); else security_warning(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xine-lib"); }NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200409-30.NASL description The remote host is affected by the vulnerability described in GLSA-200409-30 (xine-lib: Multiple vulnerabilities) xine-lib contains two stack-based overflows and one heap-based overflow. In the code reading VCD disc labels, the ISO disc label is copied into an unprotected stack buffer of fixed size. Also, there is a buffer overflow in the code that parses subtitles and prepares them for display (XSA-2004-4). Finally, xine-lib contains a heap-based overflow in the DVD sub-picture decoder (XSA-2004-5). (Please note that the VCD MRL issue mentioned in XSA-2004-4 was fixed with GLSA 200408-18.) Impact : With carefully-crafted VCDs, DVDs, MPEGs or subtitles, an attacker may cause xine-lib to execute arbitrary code with the permissions of the user. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 14798 published 2004-09-23 reporter This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/14798 title GLSA-200409-30 : xine-lib: Multiple vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200409-30. # # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(14798); script_version("1.16"); script_cvs_date("Date: 2019/08/02 13:32:41"); script_cve_id("CVE-2004-1379", "CVE-2004-1475", "CVE-2004-1476"); script_xref(name:"GLSA", value:"200409-30"); script_name(english:"GLSA-200409-30 : xine-lib: Multiple vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200409-30 (xine-lib: Multiple vulnerabilities) xine-lib contains two stack-based overflows and one heap-based overflow. In the code reading VCD disc labels, the ISO disc label is copied into an unprotected stack buffer of fixed size. Also, there is a buffer overflow in the code that parses subtitles and prepares them for display (XSA-2004-4). Finally, xine-lib contains a heap-based overflow in the DVD sub-picture decoder (XSA-2004-5). (Please note that the VCD MRL issue mentioned in XSA-2004-4 was fixed with GLSA 200408-18.) Impact : With carefully-crafted VCDs, DVDs, MPEGs or subtitles, an attacker may cause xine-lib to execute arbitrary code with the permissions of the user. Workaround : There is no known workaround at this time." ); # http://www.securityfocus.com/archive/1/375485/2004-09-02/2004-09-08/0 script_set_attribute( attribute:"see_also", value:"https://www.securityfocus.com/archive/1/375485/2004-09-02/2004-09-08/0" ); # http://www.securityfocus.com/archive/1/375482/2004-09-02/2004-09-08/0 script_set_attribute( attribute:"see_also", value:"https://www.securityfocus.com/archive/1/375482/2004-09-02/2004-09-08/0" ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200409-30" ); script_set_attribute( attribute:"solution", value: "All xine-lib users should upgrade to the latest version: # emerge sync # emerge -pv '>=media-libs/xine-lib-1_rc6' # emerge '>=media-libs/xine-lib-1_rc6'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:xine-lib"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2004/09/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"media-libs/xine-lib", unaffected:make_list("ge 1_rc6"), vulnerable:make_list("le 1_rc5-r3"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xine-lib"); }NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2004-105.NASL description A number of string overflows were discovered in the xine-lib program, some of which can be used for remote buffer overflow exploits that lead to the execution of arbitrary code with the permissions of the user running a xine-lib-based media application. xine-lib versions 1-rc2 through, and including, 1-rc5 are vulnerable to these problems. As well, a heap overflow was found in the DVD subpicture decoder of xine-lib; this vulnerability is also remotely exploitable. All versions of xine-lib prior to and including 0.5.2 through, and including, 1-rc5 are vulnerable to this problem. Patches from the xine-lib team have been backported and applied to the program to solve these problems. last seen 2020-06-01 modified 2020-06-02 plugin id 15434 published 2004-10-08 reporter This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/15434 title Mandrake Linux Security Advisory : xine-lib (MDKSA-2004:105) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2004:105. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(15434); script_version ("1.17"); script_cvs_date("Date: 2019/08/02 13:32:47"); script_cve_id("CVE-2004-1379", "CVE-2004-1475", "CVE-2004-1476"); script_xref(name:"MDKSA", value:"2004:105"); script_name(english:"Mandrake Linux Security Advisory : xine-lib (MDKSA-2004:105)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "A number of string overflows were discovered in the xine-lib program, some of which can be used for remote buffer overflow exploits that lead to the execution of arbitrary code with the permissions of the user running a xine-lib-based media application. xine-lib versions 1-rc2 through, and including, 1-rc5 are vulnerable to these problems. As well, a heap overflow was found in the DVD subpicture decoder of xine-lib; this vulnerability is also remotely exploitable. All versions of xine-lib prior to and including 0.5.2 through, and including, 1-rc5 are vulnerable to this problem. Patches from the xine-lib team have been backported and applied to the program to solve these problems." ); # http://xinehq.de/index.php/security/XSA-2004-4 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?21259b72" ); # http://xinehq.de/index.php/security/XSA-2004-5 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?6ce00046" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64xine1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64xine1-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libxine1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libxine1-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:xine-aa"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:xine-arts"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:xine-dxr3"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:xine-esd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:xine-flac"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:xine-gnomevfs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:xine-plugins"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0"); script_set_attribute(attribute:"patch_publication_date", value:"2004/10/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/10/08"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:"lib64xine1-1-0.rc3.6.2.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:"lib64xine1-devel-1-0.rc3.6.2.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"libxine1-1-0.rc3.6.2.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"libxine1-devel-1-0.rc3.6.2.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"xine-aa-1-0.rc3.6.2.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"xine-arts-1-0.rc3.6.2.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"xine-dxr3-1-0.rc3.6.2.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"xine-esd-1-0.rc3.6.2.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"xine-flac-1-0.rc3.6.2.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"xine-gnomevfs-1-0.rc3.6.2.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"xine-plugins-1-0.rc3.6.2.100mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
References
- http://security.gentoo.org/glsa/glsa-200408-18.xml
- http://www.gentoo.org/security/en/glsa/glsa-200409-30.xml
- http://www.securityfocus.com/archive/1/375485/2004-09-02/2004-09-08/0
- http://www.securityfocus.com/bid/11206
- http://xinehq.de/index.php/security/XSA-2004-4
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17430
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17432