BID:17769

Xine Filename Handling Remote Format String Vulnerability

Info

Xine Filename Handling Remote Format String Vulnerability

Bugtraq ID:	17769
Class:	Input Validation Error
CVE:	CVE-2006-2230
Remote:	Yes
Local:	No
Published:	May 01 2006 12:00AM
Updated:	Nov 24 2006 05:35PM
Credit:	Discovery is credited to KaDaL-X <[email protected]>.
Vulnerable:	xine xine-ui 0.99.4 xine xine-ui 0.99.3 xine xine-ui 0.99.2 xine xine-ui 0.99.1 + xine xine 0.9.13 + xine xine 0.9.8 + xine xine 1-rc3b + xine xine 1-rc3a + xine xine 1-rc3 + xine xine 1-rc2 + xine xine 1-rc1 + xine xine 1-rc0a + xine xine 1-beta9 + xine xine 1-beta8 + xine xine 1-beta7 + xine xine 1-beta6 + xine xine 1-beta5 + xine xine 1-beta4 + xine xine 1-beta3 + xine xine 1-beta2 + xine xine 1-beta12 + xine xine 1-beta11 + xine xine 1-beta10 + xine xine 1-beta1 Debian Linux 3.1 sparc Debian Linux 3.1 s/390 Debian Linux 3.1 ppc Debian Linux 3.1 mipsel Debian Linux 3.1 mips Debian Linux 3.1 m68k Debian Linux 3.1 ia-64 Debian Linux 3.1 ia-32 Debian Linux 3.1 hppa Debian Linux 3.1 arm Debian Linux 3.1 amd64 Debian Linux 3.1 alpha Debian Linux 3.1

Not Vulnerable:

Discussion

Xine Filename Handling Remote Format String Vulnerability

The xine package is susceptible to a remote format-string vulnerability.

This issue arises when the application handles specially crafted filenames. An attacker can exploit this vulnerability by crafting a malicious filename that contains format specifiers and then coercing unsuspecting users to try to execute the affected application with the malicious filename as an argument.

A successful attack may crash the application or lead to arbitrary code execution.

Version 0.99.4 of xine is vulnerable to this issue; other versions may also be affected.

Exploit / POC

Xine Filename Handling Remote Format String Vulnerability

The following command is sufficient to demonstrate this issue:
xine %p-%p.mp3

This will result in a file-not-found dialog being displayed. The dialog will report that the file that was not found has a name similar to '0x811ac8e-0xbe1fdabc.mp3'

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected]

Solution / Fix

Xine Filename Handling Remote Format String Vulnerability

Solution:
Currently we are not aware of any official vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected]:[email protected]

Please see the referenced third-party vendor advisories for details on obtaining updates.

xine xine-ui 0.99.3

Debian xine-ui_0.99.3-1sarge1_alpha.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3- 1sarge1_alpha.deb

Debian xine-ui_0.99.3-1sarge1_amd64.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3- 1sarge1_amd64.deb

Debian xine-ui_0.99.3-1sarge1_arm.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3- 1sarge1_arm.deb

Debian xine-ui_0.99.3-1sarge1_hppa.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3- 1sarge1_hppa.deb

Debian xine-ui_0.99.3-1sarge1_i386.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3- 1sarge1_i386.deb

Debian xine-ui_0.99.3-1sarge1_ia64.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3- 1sarge1_ia64.deb

Debian xine-ui_0.99.3-1sarge1_m68k.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3- 1sarge1_m68k.deb

Debian xine-ui_0.99.3-1sarge1_mips.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3- 1sarge1_mips.deb

Debian xine-ui_0.99.3-1sarge1_mipsel.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3- 1sarge1_mipsel.deb

Debian xine-ui_0.99.3-1sarge1_powerpc.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3- 1sarge1_powerpc.deb

Debian xine-ui_0.99.3-1sarge1_s390.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3- 1sarge1_s390.deb

Debian xine-ui_0.99.3-1sarge1_sparc.deb
Debian GNU/Linux 3.1 alias sarge
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.99.3- 1sarge1_sparc.deb

References

Xine Filename Handling Remote Format String Vulnerability

References: