CVE-2008-0486 - Numeric Errors vulnerability in multiple products

CVSS 7.5 - HIGH
  • Attack vector: NETWORK
  • Attack complexity: LOW
  • Privileges required: NONE
  • Confidentiality impact: PARTIAL
  • Integrity impact: PARTIAL
  • Availability impact: PARTIAL

Tags: network, low complexity, mplayer, xine, CWE-189, nessus

Summary

Array index vulnerability in libmpdemux/demux_audio.c in MPlayer 1.0rc2 and SVN before r25917, and possibly earlier versions, as used in Xine-lib 1.1.10, might allow remote attackers to execute arbitrary code via a crafted FLAC tag, which triggers a buffer overflow.

Vulnerable Configurations

Part         Description   Count
Application  Mplayer       1
Application  Xine          1

Common Weakness Enumeration (CWE)

  • CWE-189: Numeric Errors

Nessus

  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2008-045.NASL
    description: Heap-based buffer overflow in the rmff_dump_cont function in input/libreal/rmff.c in xine-lib 1.1.9 and earlier allows remote attackers to execute arbitrary code via the SDP Abstract attribute, related to the rmff_dump_header function and related to disregarding the max field. Although originally a xine-lib issue, also affects MPlayer due to code similarity. (CVE-2008-0225) Multiple heap-based buffer overflows in the rmff_dump_cont function in input/libreal/rmff.c in xine-lib 1.1.9 allow remote attackers to execute arbitrary code via the SDP (1) Title, (2) Author, or (3) Copyright attribute, related to the rmff_dump_header function, different vectors than CVE-2008-0225. Although originally a xine-lib issue, also affects MPlayer due to code similarity. (CVE-2008-0238) Array index error in libmpdemux/demux_mov.c in MPlayer 1.0 rc2 and earlier might allow remote attackers to execute arbitrary code via a QuickTime MOV file with a crafted stsc atom tag. (CVE-2008-0485) Array index vulnerability in libmpdemux/demux_audio.c in MPlayer 1.0rc2 and SVN before r25917, and possibly earlier versions, as used in Xine-lib 1.1.10, might allow remote attackers to execute arbitrary code via a crafted FLAC tag, which triggers a buffer overflow. (CVE-2008-0486) Buffer overflow in stream_cddb.c in MPlayer 1.0rc2 and SVN before r25824 allows remote user-assisted attackers to execute arbitrary code via a CDDB database entry containing a long album title. (CVE-2008-0629) Buffer overflow in url.c in MPlayer 1.0rc2 and SVN before r25823 allows remote attackers to execute arbitrary code via a crafted URL that prevents the IPv6 parsing code from setting a pointer to NULL, which causes the buffer to be reused by the unescape code. (CVE-2008-0630) The updated packages have been patched to prevent these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 37405
    published: 2009-04-23
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/37405
    title: Mandriva Linux Security Advisory : mplayer (MDVSA-2008:045)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1536.NASL
    description: Several local vulnerabilities have been discovered in Xine, a media player library, which allowed for a denial of service or arbitrary code execution, which could be exploited through viewing malicious content. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-1246 / CVE-2007-1387 The DMO_VideoDecoder_Open function does not set the biSize before use in a memcpy, which allows user-assisted remote attackers to cause a buffer overflow and possibly execute arbitrary code (applies to sarge only). - CVE-2008-0073 Array index error in the sdpplin_parse function allows remote RTSP servers to execute arbitrary code via a large streamid SDP parameter. - CVE-2008-0486 Array index vulnerability in libmpdemux/demux_audio.c might allow remote attackers to execute arbitrary code via a crafted FLAC tag, which triggers a buffer overflow (applies to etch only). - CVE-2008-1161 Buffer overflow in the Matroska demuxer allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Matroska file with invalid frame sizes.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31721
    published: 2008-04-01
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/31721
    title: Debian DSA-1536-1 : libxine - several vulnerabilities
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200803-16.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200803-16 (MPlayer: Multiple buffer overflows) The following errors have been discovered in MPlayer: Felipe Manzano and Anibal Sacco (Core Security Technologies) reported an array indexing error in the file libmpdemux/demux_mov.c when parsing MOV file headers (CVE-2008-0485). Damian Frizza and Alfredo Ortega (Core Security Technologies) reported a boundary error in the file libmpdemux/demux_audio.c when parsing FLAC comments (CVE-2008-0486). Adam Bozanich (Mu Security) reported boundary errors in the cddb_parse_matches_list() and cddb_query_parse() functions in the file stream_cddb.c when parsing CDDB album titles (CVE-2008-0629) and in the url_scape_string() function in the file stream/url.c when parsing URLs (CVE-2008-0630). Impact : A remote attacker could entice a user to open a specially crafted file, possibly resulting in the execution of arbitrary code with the privileges of the user running MPlayer. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31442
    published: 2008-03-13
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/31442
    title: GLSA-200803-16 : MPlayer: Multiple buffer overflows
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2008-1581.NASL
    description: - Fri Feb 8 2008 Ville Skytta <ville.skytta at iki.fi> - 1.1.10.1-1 - 1.1.10.1 (security update, #431541). * Sun Jan 27 2008 Ville Skytta <ville.skytta at iki.fi> - 1.1.10-2 - Include spu, spucc, and spucmml decoders (#213597). Upstream release notes: http://sourceforge.net/project/shownotes.php?group_id=9655&release_id=574735 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31072
    published: 2008-02-14
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/31072
    title: Fedora 7 : xine-lib-1.1.10.1-1.fc7 (2008-1581)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_DE4D4110EBCE11DCAE140016179B2DD5.NASL
    description: The Mplayer team reports : A buffer overflow was found in the code used to extract album titles from CDDB server answers. When parsing answers from the CDDB server, the album title is copied into a fixed-size buffer with insufficient size checks, which may cause a buffer overflow. A malicious database entry could trigger a buffer overflow in the program. That can lead to arbitrary code execution with the UID of the user running MPlayer. A buffer overflow was found in the code used to escape URL strings. The code used to skip over IPv6 addresses can be tricked into leaving a pointer to a temporary buffer with a non-NULL value; this causes the unescape code to reuse the buffer, and may lead to a buffer overflow if the old buffer is smaller than required. A malicious URL string may be used to trigger a buffer overflow in the program, that can lead to arbitrary code execution with the UID of the user running MPlayer. A buffer overflow was found in the code used to parse MOV file headers. The code read some values from the file and used them as indexes into an array allocated on the heap without performing any boundary check. A malicious file may be used to trigger a buffer overflow in the program. That can lead to arbitrary code execution with the UID of the user running MPlayer.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31378
    published: 2008-03-07
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/31378
    title: FreeBSD : mplayer -- multiple vulnerabilities (de4d4110-ebce-11dc-ae14-0016179b2dd5)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_E8A6A16DE49811DCBB89000BCDC1757A.NASL
    description: xine Team reports : A new xine-lib version is now available. This release contains a security fix (array index vulnerability which may lead to a stack buffer overflow).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31304
    published: 2008-02-28
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/31304
    title: FreeBSD : libxine -- buffer overflow vulnerability (e8a6a16d-e498-11dc-bb89-000bcdc1757a)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_XINE-DEVEL-5080.NASL
    description: This update of xine fixes a possible buffer overflow that can be triggered via FLAC tags to execute arbitrary code (CVE-2008-0486) and a possible buffer overflow in the matroska demuxer.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31460
    published: 2008-03-13
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/31460
    title: SuSE 10 Security Update : xine (ZYPP Patch Number 5080)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2008-1543.NASL
    description: - Fri Feb 8 2008 Ville Skytta <ville.skytta at iki.fi> - 1.1.10.1-1 - 1.1.10.1 (security update, #431541). * Sun Jan 27 2008 Ville Skytta <ville.skytta at iki.fi> - 1.1.10-2 - Include spu, spucc, and spucmml decoders (#213597). Upstream release notes: http://sourceforge.net/project/shownotes.php?group_id=9655&release_id=574735 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31068
    published: 2008-02-14
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/31068
    title: Fedora 8 : xine-lib-1.1.10.1-1.fc8 (2008-1543)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1496.NASL
    description: Several buffer overflows have been discovered in the MPlayer movie player, which might lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-0485 Felipe Manzano and Anibal Sacco discovered a buffer overflow in the demuxer for MOV files. - CVE-2008-0486 Reimar Doeffinger discovered a buffer overflow in the FLAC header parsing. - CVE-2008-0629 Adam Bozanich discovered a buffer overflow in the CDDB access code. - CVE-2008-0630 Adam Bozanich discovered a buffer overflow in URL parsing.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31056
    published: 2008-02-14
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/31056
    title: Debian DSA-1496-1 : mplayer - buffer overflows
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200802-12.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200802-12 (xine-lib: User-assisted execution of arbitrary code) Damian Frizza and Alfredo Ortega (Core Security Technologies) discovered a stack-based buffer overflow within the open_flac_file() function in the file demux_flac.c when parsing tags within a FLAC file (CVE-2008-0486). A buffer overflow when parsing ASF headers, which is similar to CVE-2006-1664, has also been discovered (CVE-2008-1110). Impact : A remote attacker could entice a user to play specially crafted FLAC or ASF video streams with a player using xine-lib, potentially resulting in the execution of arbitrary code with the privileges of the user running the player. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31295
    published: 2008-02-27
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/31295
    title: GLSA-200802-12 : xine-lib: User-assisted execution of arbitrary code
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-635-1.NASL
    description: Alin Rad Pop discovered an array index vulnerability in the SDP parser. If a user or automated system were tricked into opening a malicious RTSP stream, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-0073) Luigi Auriemma discovered that xine-lib did not properly check buffer sizes in the RTSP header-handling code. If xine-lib opened an RTSP stream with crafted SDP attributes, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-0225, CVE-2008-0238) Damian Frizza and Alfredo Ortega discovered that xine-lib did not properly validate FLAC tags. If a user or automated system were tricked into opening a crafted FLAC file, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-0486) It was discovered that the ASF demuxer in xine-lib did not properly check the length of the ASF header. If a user or automated system were tricked into opening a crafted ASF file, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-1110) It was discovered that the Matroska demuxer in xine-lib did not properly verify frame sizes. If xine-lib opened a crafted ASF file, a remote attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-1161) Luigi Auriemma discovered multiple integer overflows in xine-lib. If a user or automated system were tricked into opening a crafted FLV, MOV, RM, MVE, MKV or CAK file, a remote attacker may be able to execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-1482) It was discovered that xine-lib did not properly validate its input when processing Speex file headers. If a user or automated system were tricked into opening a specially crafted Speex file, an attacker could create a denial of service or possibly execute arbitrary code as the user invoking the program. (CVE-2008-1686) Guido Landi discovered a stack-based buffer overflow in xine-lib when processing NSF files. If xine-lib opened a specially crafted NSF file with a long NSF title, an attacker could create a denial of service or possibly execute arbitrary code as the user invoking the program. (CVE-2008-1878). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33940
    published: 2008-08-20
    reporter: Ubuntu Security Notice (C) 2008-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/33940
    title: Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : xine-lib vulnerabilities (USN-635-1)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_XINE-DEVEL-5078.NASL
    description: This update of xine fixes a possible buffer overflow that can be triggered via FLAC tags to execute arbitrary code (CVE-2008-0486) and a possible buffer overflow in the matroska demuxer.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31459
    published: 2008-03-13
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/31459
    title: openSUSE 10 Security Update : xine-devel (xine-devel-5078)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2008-046.NASL
    description: An array index vulnerability found in the FLAC audio demuxer might allow remote attackers to execute arbitrary code via a crafted FLAC tag, which triggers a buffer overflow. Although originally an MPlayer issue, it also affects xine-lib due to code similarity. The updated packages have been patched to prevent this issue. Update : The previous update used a bad patch which made the Amarok interface very unresponsive while playing FLAC files. This new update fixes the security issue with a better patch.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 36358
    published: 2009-04-23
    reporter: This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/36358
    title: Mandriva Linux Security Advisory : xine-lib (MDVSA-2008:046-1)

Seebug

bulletinFamily: exploit
description:

BUGTRAQ ID: 27441
CVE(CAN) ID: CVE-2008-0486

MPlayer is a Linux-based media player that supports many media formats.

The file libmpdemux/demux_audio.c in MPlayer has a stack overflow vulnerability when parsing FLAC tags:

    /----------- libmpdemux/demux_audio.c
    case FLAC_VORBIS_COMMENT:
    {
      /* For a description of the format please have a look at */
      /* http://www.xiph.org/vorbis/doc/v-comment.html */

      uint32_t length, comment_list_len;
      char comments[blk_len];              /* (1) */
      uint8_t *ptr = comments;
      char *comment;
      int cn;
      char c;

      if (stream_read (s, comments, blk_len) == blk_len)
      {
        length = AV_RL32(ptr);             /* (2) */
        ptr += 4 + length;

        comment_list_len = AV_RL32(ptr);
        ptr += 4;

        cn = 0;
        for (; cn < comment_list_len; cn++)
        {
          length = AV_RL32(ptr);
          ptr += 4;

          comment = ptr;
          c = comment[length];             /* (3) */
          comment[length] = 0;
    ...
    - -----------/

As can be seen, at (2) the length parameter is loaded from a position in the file stream and then used as an index into the comment buffer without any validation, which can trigger a stack overflow and lead to arbitrary code execution.

Affected: MPlayer MPlayer 1.0 rc2

Vendor patch:

MPlayer
-------
The vendor has released upgrade patches to fix this security issue; download them from the vendor's home page:
http://www.mplayerhq.hu/MPlayer/patches/url_fix_20080120.diff
http://www.mplayerhq.hu/MPlayer/patches/demux_mov_fix_20080129.diff
http://www.mplayerhq.hu/MPlayer/patches/demux_audio_fix_20080129.diff
id: SSV:2889
last seen: 2017-11-19
modified: 2008-02-14
published: 2008-02-14
reporter: Root
title: MPlayer demux_audio.c Remote Stack Overflow Vulnerability
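Added example, not MPlayer's code and not its patch: a bounds-checked walk of the same VORBIS_COMMENT layout the excerpt parses (vendor string, comment count, length-prefixed comments), in which every length read from the block is compared with the bytes still unread before it is used as an offset, and no NUL is written into the buffer. The function names, the callback interface and the sample block are my own constructions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Little-endian 32-bit read, the role AV_RL32 plays in the MPlayer excerpt. */
static uint32_t rl32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wl32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* Walk a VORBIS_COMMENT block of blk_len bytes, calling cb for each comment.
   Returns the comment count, or -1 if any length field would run past the
   block. Each length is checked against the bytes remaining before it is
   used as an offset: that is the check missing at (2) and (3) above. */
int parse_vorbis_comments(const uint8_t *blk, size_t blk_len,
                          void (*cb)(const char *, uint32_t, void *), void *ctx)
{
    size_t pos = 0;
    uint32_t vendor_len, count, i;

    if (blk_len < 4) return -1;
    vendor_len = rl32(blk + pos); pos += 4;
    if (vendor_len > blk_len - pos) return -1;          /* vendor string bound */
    pos += vendor_len;
    if (blk_len - pos < 4) return -1;
    count = rl32(blk + pos); pos += 4;
    for (i = 0; i < count; i++) {
        uint32_t len;
        if (blk_len - pos < 4) return -1;               /* room for the length */
        len = rl32(blk + pos); pos += 4;
        if (len > blk_len - pos) return -1;             /* comment fits in block */
        if (cb) cb((const char *)blk + pos, len, ctx);  /* caller gets ptr+len, no NUL write */
        pos += len;
    }
    return (int)i;
}

/* Constructed sample block: vendor string plus two comments. With oversized
   set, the second length field claims far more bytes than remain in the
   block, the shape a crafted tag takes. Returns the block size (36 bytes). */
size_t sample_block(uint8_t *out, int oversized)
{
    size_t pos = 0;
    wl32(out + pos, 4); pos += 4; memcpy(out + pos, "test", 4); pos += 4;
    wl32(out + pos, 2); pos += 4;                       /* two comments follow */
    wl32(out + pos, 7); pos += 4; memcpy(out + pos, "TITLE=x", 7); pos += 7;
    wl32(out + pos, oversized ? 0xfffffff0u : 9); pos += 4;
    memcpy(out + pos, "ARTIST=yz", 9); pos += 9;
    return pos;
}

/* Build the sample block and parse it; 2 when well-formed, -1 when oversized. */
int check_block(int oversized)
{
    uint8_t blk[64];
    size_t n = sample_block(blk, oversized);
    return parse_vorbis_comments(blk, n, NULL, NULL);
}
```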

References