Vulnerabilities > CVE-2009-0385

CVSS v2 base score 9.3 - CRITICAL (base vector AV:N/AC:M/Au:N/C:C/I:C/A:C, as recorded in the Nessus plugin below; CVSS v2 severity bands stop at HIGH for 7.0–10.0, so "CRITICAL" is the site's label rather than a v2 rating)
Attack vector
NETWORK (CVSS v2 AV:N — the malformed 4X movie file can be delivered remotely, but exploitation is user-assisted: the victim must open or play the file in an application built on the vulnerable FFmpeg or xine-lib demuxer; see the Ubuntu and Gentoo advisories below)
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE

Summary

Integer signedness error in the fourxm_read_header function in libavformat/4xm.c in FFmpeg before revision 16846 allows remote attackers to execute arbitrary code via a malformed 4X movie file with a large current_track value, which triggers a NULL pointer dereference.

Why a "NULL pointer dereference" is rated as code execution (see the Seebug analysis below): current_track is a signed int filled straight from the file's strk chunk. A value of 0x80000000 or higher reads as negative, so the `current_track + 1 > track_count` test is never true; the av_realloc of fourxm->tracks — and the UINT_MAX / sizeof(AudioTrack) size check that guards it — is therefore skipped, and the four track fields (adpcm, channels, sample_rate, bits) are written through the still-NULL tracks pointer at a file-controlled negative index. That is a 4-byte write of file-controlled data to a file-controlled address, not merely a crash, which is why confidentiality, integrity and availability are all rated COMPLETE. Exploitation is user-assisted: the victim must open or play the file. When tracking remediation, note that xine-lib ships its own copy of the demuxer (demuxers/demux_4xm.c); the equivalent xine-lib bug has its own identifier, CVE-2009-0698, although several xine-lib advisories below cite CVE-2009-0385 for the same fix.

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2009-3428.NASL
    descriptionMaintenance release. Fixes two security problems (CVE-2009-0385, CVE-2009-1274) and a few miscellaneous bugs. See the upstream changelog for details: http://sourceforge.net/project/shownotes.php?group_id=9655&release_id=673233 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id36124
    published2009-04-10
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/36124
    titleFedora 9 : xine-lib-1.1.16.3-1.fc9 (2009-3428)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2009-3428.
    #
    
    include("compat.inc");
    
    # Registration branch: the engine evaluates this when it loads the plugin to
    # collect its metadata (description mode). The package check itself is the
    # code after this block and only runs during a real scan.
    if (description)
    {
      script_id(36124);
      script_version ("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:29");
    
      # Both issues fixed by FEDORA-2009-3428: the 4xm demuxer signedness bug
      # (CVE-2009-0385) and the Quicktime STTS-atom integer overflow (CVE-2009-1274).
      script_cve_id("CVE-2009-0385", "CVE-2009-1274");
      script_bugtraq_id(33502, 34384);
      script_xref(name:"FEDORA", value:"2009-3428");
    
      script_name(english:"Fedora 9 : xine-lib-1.1.16.3-1.fc9 (2009-3428)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      # Description text is carried over verbatim from the Fedora advisory
      # (including its line-wrapped URL); do not "fix" it here, it is report output.
      script_set_attribute(
        attribute:"description", 
        value:
    "Maintenance release. Fixes two security problems (CVE-2009-0385,
    CVE-2009-1274) and a few miscellaneous bugs. See the upstream
    changelog for details:
    http://sourceforge.net/project/shownotes.php?group_id=9655&release_id=
    673233
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # http://sourceforge.net/project/shownotes.php?group_id=9655&release_id=673233
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?6bea3c3c"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=495031"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2009-April/022156.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?f0bd2185"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected xine-lib package."
      );
      # CVSS v2 base vector (scores 9.3) and temporal vector: E:ND = exploitability
      # not defined, RL:OF = official fix available, RC:C = confirmed.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      # Exploit status as recorded at this plugin revision (1.15).
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      # CWE-119 (operations outside buffer bounds) and CWE-189 (numeric errors).
      script_cwe_id(119, 189);
    
      # Local, credentialed check: the Fedora release string and the installed RPM
      # list are harvested over SSH by ssh_get_info.nasl (see dependencies below).
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:xine-lib");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:9");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/04/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/10");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      # The check below refuses to run unless these KB keys were populated.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      # Nothing else to do in description mode.
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # ---- Scan-time check -------------------------------------------------------
    # Every audit() call below terminates the plugin with the given reason; the
    # code depends on that (os_match[1] is only read after the isnull audit).
    
    # Precondition: credentialed local checks must be enabled for this host.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    # Fedora reuses the Red Hat release KB keys: reject anything that is not
    # Fedora, then anything other than Fedora major version 9.
    rel_string = get_kb_item("Host/RedHat/release");
    if (isnull(rel_string) || "Fedora" >!< rel_string) audit(AUDIT_OS_NOT, "Fedora");
    
    os_match = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:rel_string);
    if (isnull(os_match)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    fedora_major = os_match[1];
    if (! ereg(pattern:"^9([^0-9]|$)", string:fedora_major)) audit(AUDIT_OS_NOT, "Fedora 9.x", "Fedora " + fedora_major);
    
    # The version comparison needs the harvested RPM list.
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only i386-class and x86_64 hosts are checked; anything else is reported as
    # not implemented rather than guessed at.
    arch = get_kb_item("Host/cpu");
    if (isnull(arch)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< arch && arch !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", arch);
    
    # Fixed version from FEDORA-2009-3428; an older installed xine-lib is vulnerable.
    vulnerable = rpm_check(release:"FC9", reference:"xine-lib-1.1.16.3-1.fc9");
    
    if (!vulnerable)
    {
      # rpm_check records what it compared, which lets us tell "patched" from
      # "package not installed at all".
      compared = pkg_tests_get();
      if (compared) audit(AUDIT_PACKAGE_NOT_AFFECTED, compared);
      audit(AUDIT_PACKAGE_NOT_INSTALLED, "xine-lib");
    }
    
    # Vulnerable: raise the finding, attaching the version comparison when verbose.
    if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
    else security_hole(0);
    exit(0);
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2009-319.NASL
    descriptionVulnerabilities have been discovered and corrected in xine-lib : Failure on Ogg files manipulation can lead remote attackers to cause a denial of service by using crafted files (CVE-2008-3231). Failure on manipulation of either MNG or Real or MOD files can lead remote attackers to cause a denial of service by using crafted files (CVE: CVE-2008-5233). Heap-based overflow allows remote attackers to execute arbitrary code by using Quicktime media files holding crafted metadata (CVE-2008-5234). Heap-based overflow allows remote attackers to execute arbitrary code by using either crafted Matroska or Real media files (CVE-2008-5236). Failure on manipulation of either MNG or Quicktime files can lead remote attackers to cause a denial of service by using crafted files (CVE-2008-5237). Multiple heap-based overflow on input plugins (http, net, smb, dvd, dvb, rtsp, rtp, pvr, pnm, file, gnome_vfs, mms) allow attackers to execute arbitrary code by handling that input channels. Further this problem can even lead attackers to cause denial of service (CVE-2008-5239). Heap-based overflow allows attackers to execute arbitrary code by using crafted Matroska media files (MATROSKA_ID_TR_CODECPRIVATE track entry element). Further a failure on handling of Real media files (CONT_TAG header) can lead to a denial of service attack (CVE-2008-5240). Integer underflow allows remote attackers to cause denial of service by using Quicktime media files (CVE-2008-5241). Failure on manipulation of Real media files can lead remote attackers to cause a denial of service by indexing an allocated buffer with a certain input value in a crafted file (CVE-2008-5243). Vulnerabilities of unknown impact - possibly buffer overflow - caused by a condition of video frame preallocation before ascertaining the required length in V4L video input plugin (CVE-2008-5245). Heap-based overflow allows remote attackers to execute arbitrary code by using crafted media files. 
This vulnerability is in the manipulation of ID3 audio file data tagging mainly used in MP3 file formats (CVE-2008-5246). Integer overflow in the qt_error parse_trak_atom function in demuxers/demux_qt.c in xine-lib 1.1.16.2 and earlier allows remote attackers to execute arbitrary code via a Quicktime movie file with a large count value in an STTS atom, which triggers a heap-based buffer overflow (CVE-2009-1274). Integer overflow in the 4xm demuxer (demuxers/demux_4xm.c) in xine-lib 1.1.16.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a 4X movie file with a large current_track value, a similar issue to CVE-2009-0385 (CVE-2009-0698). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. This update fixes these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id43022
    published2009-12-07
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/43022
    titleMandriva Linux Security Advisory : xine-lib (MDVSA-2009:319)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2009-297.NASL
    descriptionVulnerabilities have been discovered and corrected in ffmpeg : - The ffmpeg lavf demuxer allows user-assisted attackers to cause a denial of service (application crash) via a crafted GIF file (CVE-2008-3230) - FFmpeg 0.4.9, as used by MPlayer, allows context-dependent attackers to cause a denial of service (memory consumption) via unknown vectors, aka a Tcp/udp memory leak. (CVE-2008-4869) - Integer signedness error in the fourxm_read_header function in libavformat/4xm.c in FFmpeg before revision 16846 allows remote attackers to execute arbitrary code via a malformed 4X movie file with a large current_track value, which triggers a NULL pointer dereference (CVE-2009-0385) The updated packages fix this issue. Update : Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers
    last seen2020-06-01
    modified2020-06-02
    plugin id42809
    published2009-11-16
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/42809
    titleMandriva Linux Security Advisory : ffmpeg (MDVSA-2009:297-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1782.NASL
    descriptionSeveral vulnerabilities have been discovered in mplayer, a movie player for Unix-like systems. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-0385 It was discovered that watching a malformed 4X movie file could lead to the execution of arbitrary code. - CVE-2008-4866 It was discovered that multiple buffer overflows could lead to the execution of arbitrary code. - CVE-2008-5616 It was discovered that watching a malformed TwinVQ file could lead to the execution of arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id38641
    published2009-04-30
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/38641
    titleDebian DSA-1782-1 : mplayer - several vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2009-3433.NASL
    descriptionMaintenance release. Fixes two security problems (CVE-2009-0385, CVE-2009-1274) and a few miscellaneous bugs. See the upstream changelog for details: http://sourceforge.net/project/shownotes.php?group_id=9655&release_id=673233 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id37865
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/37865
    titleFedora 10 : xine-lib-1.1.16.3-1.fc10 (2009-3433)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_48E14D8642F111DEAD22000E35248AD7.NASL
    descriptionxine developers report : - Fix another possible int overflow in the 4XM demuxer. (ref. TKADV2009-004, CVE-2009-0385) - Fix an integer overflow in the Quicktime demuxer.
    last seen2020-06-01
    modified2020-06-02
    plugin id38801
    published2009-05-18
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/38801
    titleFreeBSD : libxine -- multiple vulnerabilities (48e14d86-42f1-11de-ad22-000e35248ad7)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2009-098-03.NASL
    descriptionNew xine-lib packages are available for Slackware 12.0, 12.1, 12.2, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id36106
    published2009-04-08
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/36106
    titleSlackware 12.0 / 12.1 / 12.2 / current : xine-lib (SSA:2009-098-03)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2009-299.NASL
    descriptionVulnerabilities have been discovered and corrected in xine-lib : - Integer overflow in the qt_error parse_trak_atom function in demuxers/demux_qt.c in xine-lib 1.1.16.2 and earlier allows remote attackers to execute arbitrary code via a Quicktime movie file with a large count value in an STTS atom, which triggers a heap-based buffer overflow (CVE-2009-1274) - Integer overflow in the 4xm demuxer (demuxers/demux_4xm.c) in xine-lib 1.1.16.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a 4X movie file with a large current_track value, a similar issue to CVE-2009-0385 (CVE-2009-0698). This update fixes these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id42810
    published2009-11-16
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/42810
    titleMandriva Linux Security Advisory : xine-lib (MDVSA-2009:299)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200903-33.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200903-33 (FFmpeg: Multiple vulnerabilities) Multiple vulnerabilities were found in FFmpeg: astrange reported a stack-based buffer overflow in the str_read_packet() in libavformat/psxstr.c when processing .str files (CVE-2008-3162). Multiple buffer overflows in libavformat/utils.c (CVE-2008-4866). A buffer overflow in libavcodec/dca.c (CVE-2008-4867). An unspecified vulnerability in the avcodec_close() function in libavcodec/utils.c (CVE-2008-4868). Unspecified memory leaks (CVE-2008-4869). Tobias Klein reported a NULL pointer dereference due to an integer signedness error in the fourxm_read_header() function in libavformat/4xm.c (CVE-2009-0385). Impact : A remote attacker could entice a user to open a specially crafted media file, possibly leading to the execution of arbitrary code with the privileges of the user running the application, or a Denial of Service. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id35969
    published2009-03-20
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/35969
    titleGLSA-200903-33 : FFmpeg: Multiple vulnerabilities
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_6733E1BF125F11DEA9640030843D3802.NASL
    descriptionSecunia reports : Tobias Klein has reported a vulnerability in FFmpeg, which potentially can be exploited by malicious people to compromise an application using the library. The vulnerability is caused due to a signedness error within the fourxm_read_header() function in libavformat/4xm.c when handling the current_track value of a 4X movie file (the plugin description is truncated in this listing; see the Summary above for the full issue).
    last seen2020-06-01
    modified2020-06-02
    plugin id35938
    published2009-03-17
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/35938
    titleFreeBSD : ffmpeg -- 4xm processing memory corruption vulnerability (6733e1bf-125f-11de-a964-0030843d3802)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-734-1.NASL
    descriptionIt was discovered that FFmpeg did not correctly handle certain malformed Ogg Media (OGM) files. If a user were tricked into opening a crafted Ogg Media file, an attacker could cause the application using FFmpeg to crash, leading to a denial of service. (CVE-2008-4610) It was discovered that FFmpeg did not correctly handle certain parameters when creating DTS streams. If a user were tricked into processing certain commands, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. This issue only affected Ubuntu 8.10. (CVE-2008-4866) It was discovered that FFmpeg did not correctly handle certain malformed DTS Coherent Acoustics (DCA) files. If a user were tricked into opening a crafted DCA file, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-4867) It was discovered that FFmpeg did not correctly handle certain malformed 4X movie (4xm) files. If a user were tricked into opening a crafted 4xm file, an attacker could execute arbitrary code with the privileges of the user invoking the program. (CVE-2009-0385). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id38037
    published2009-04-23
    reporterUbuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/38037
    titleUbuntu 7.10 / 8.04 LTS / 8.10 : ffmpeg, ffmpeg-debian vulnerabilities (USN-734-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1781.NASL
    descriptionSeveral vulnerabilities have been discovered in ffmpeg, a multimedia player, server and encoder. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-0385 It was discovered that watching a malformed 4X movie file could lead to the execution of arbitrary code. - CVE-2008-3162 It was discovered that using a crafted STR file can lead to the execution of arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id38640
    published2009-04-30
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/38640
    titleDebian DSA-1781-1 : ffmpeg-debian - several vulnerabilities

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 33502 CVE(CAN) ID: CVE-2009-0385 FFmpeg是一套对音频和视频进行解码录制转换的完整方案。 FFmpeg在解析畸形的4X电影文件时存在类型转换漏洞,以下是libavformat/4xm.c文件中的有漏洞代码段: [..] 93 static int fourxm_read_header(AVFormatContext *s, 94 AVFormatParameters *ap) 95 { .. 103 [8] int current_track = -1; .. 106 [9] fourxm->track_count = 0; 107 [10] fourxm->tracks = NULL; .. 160 } else if (fourcc_tag == strk_TAG) { 161 /* check that there is enough data */ 162 if (size != strk_SIZE) { 163 av_free(header); 164 return AVERROR_INVALIDDATA; 165 } 166 [1] current_track = AV_RL32(&header[i + 8]); 167 [2] if (current_track + 1 > fourxm->track_count) { 168 fourxm->track_count = current_track + 1; 169 if((unsigned)fourxm->track_count >= UINT_MAX / sizeof(AudioTrack)) 170 return -1; 171 [3] fourxm->tracks = av_realloc(fourxm->tracks, 172 fourxm->track_count * sizeof(AudioTrack)); 173 if (!fourxm->tracks) { 174 av_free(header); 175 return AVERROR(ENOMEM); 176 } 177 } 178 [4] fourxm->tracks[current_track].adpcm = AV_RL32(&header[i + 12]); 179 [5] fourxm->tracks[current_track].channels = AV_RL32(&header[i + 36]); 180 [6] fourxm->tracks[current_track].sample_rate = AV_RL32(&header[i+40]); 181 [7] fourxm->tracks[current_track].bits = AV_RL32(&header[i + 44]); [..] [1] 使用来自媒体文件的用户提供数据填充有符型int变量current_track(见[8]) [2] 这个语句检查current_track值是否大于fourxm->track_count。用0初始化了fourxm->track_count变量(见[9]),对current_track提供大于等于0x80000000的值就会导致current_track为负数。如果current_track为负数,if语句总会返回false,无法到达[3]处的缓冲区分配。 [4] 由于用NULL初始化了fourxm->tracks(见[10])且无法到达171行,这导致可利用的空指针引用。可以向NULL + current_track内存位置写入4个字节的用户控制数据。由于current_track值也是用户可控的,还可以向很大的内存地址范围写入4字节的任意数据。 [5] 同[4] [6] 同[4] [7] 同[4] FFmpeg < revision 16846 FFmpeg ------ 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://svn.ffmpeg.org/ffmpeg?view=rev&revision=16846 target=_blank rel=external nofollow>http://svn.ffmpeg.org/ffmpeg?view=rev&revision=16846</a>
idSSV:4791
last seen2017-11-19
modified2009-02-19
published2009-02-19
reporterRoot
titleFFmpeg 4xm文件解析内存破坏漏洞