BID:9939

Xine Bug Reporting Script Insecure Temporary File Creation Vulnerability

Info

Xine Bug Reporting Script Insecure Temporary File Creation Vulnerability

Bugtraq ID:	9939
Class:	Design Error
CVE:	CVE-2004-0372
Remote:	No
Local:	Yes
Published:	Mar 22 2004 12:00AM
Updated:	Jul 12 2006 04:18PM
Credit:	Discovery is credited to Shaun Colley.
Vulnerable:	xine xine-ui 0.9.23 + Mandriva Linux Mandrake 10.0 + Slackware Linux 9.1 + Slackware Linux -current + xine xine 0.9.13 + xine xine 0.9.8 + xine xine 1-rc3b + xine xine 1-rc3a + xine xine 1-rc3 + xine xine 1-rc2 + xine xine 1-rc1 + xine xine 1-rc0a + xine xine 1-beta9 + xine xine 1-beta8 + xine xine 1-beta7 + xine xine 1-beta6 + xine xine 1-beta5 + xine xine 1-beta4 + xine xine 1-beta3 + xine xine 1-beta2 + xine xine 1-beta12 + xine xine 1-beta11 + xine xine 1-beta10 + xine xine 1-beta1 xine xine-ui 0.9.22 + Mandriva Linux Mandrake 9.2 amd64 + Mandriva Linux Mandrake 9.2 + xine xine 0.9.13 + xine xine 0.9.8 + xine xine 1-rc3b + xine xine 1-rc3a + xine xine 1-rc3 + xine xine 1-rc2 + xine xine 1-rc1 + xine xine 1-rc0a + xine xine 1-beta9 + xine xine 1-beta8 + xine xine 1-beta7 + xine xine 1-beta6 + xine xine 1-beta5 + xine xine 1-beta4 + xine xine 1-beta3 + xine xine 1-beta2 + xine xine 1-beta12 + xine xine 1-beta11 + xine xine 1-beta10 + xine xine 1-beta1 xine xine-ui 0.9.21 + xine xine 0.9.13 + xine xine 0.9.8 + xine xine 1-rc3b + xine xine 1-rc3a + xine xine 1-rc3 + xine xine 1-rc2 + xine xine 1-rc1 + xine xine 1-rc0a + xine xine 1-beta9 + xine xine 1-beta8 + xine xine 1-beta7 + xine xine 1-beta6 + xine xine 1-beta5 + xine xine 1-beta4 + xine xine 1-beta3 + xine xine 1-beta2 + xine xine 1-beta12 + xine xine 1-beta11 + xine xine 1-beta10 + xine xine 1-beta1 xine xine-ui 0.9.20 + xine xine 0.9.13 + xine xine 0.9.8 + xine xine 1-rc3b + xine xine 1-rc3a + xine xine 1-rc3 + xine xine 1-rc2 + xine xine 1-rc1 + xine xine 1-rc0a + xine xine 1-beta9 + xine xine 1-beta8 + xine xine 1-beta7 + xine xine 1-beta6 + xine xine 1-beta5 + xine xine 1-beta4 + xine xine 1-beta3 + xine xine 1-beta2 + xine xine 1-beta12 + xine xine 1-beta11 + xine xine 1-beta10 + xine xine 1-beta1 xine xine 0.9.13 xine xine 0.9.8 - Debian Linux 3.0 sparc - Debian Linux 3.0 s/390 - Debian Linux 3.0 ppc - Debian Linux 3.0 mipsel - Debian Linux 3.0 mips - Debian Linux 3.0 m68k - Debian Linux 3.0 ia-64 - Debian Linux 3.0 ia-32 - Debian Linux 3.0 hppa - Debian Linux 3.0 arm - Debian Linux 3.0 alpha - Debian Linux 3.0 xine xine 1-rc3b xine xine 1-rc3a xine xine 1-rc3 xine xine 1-rc2 xine xine 1-rc1 xine xine 1-rc0a xine xine 1-beta9 xine xine 1-beta8 xine xine 1-beta7 xine xine 1-beta6 xine xine 1-beta5 xine xine 1-beta4 xine xine 1-beta3 xine xine 1-beta2 xine xine 1-beta12 xine xine 1-beta11 xine xine 1-beta10 xine xine 1-beta1 Redhat Linux 7.3 i686 Redhat Linux 7.3 i386 Redhat Linux 7.3

Not Vulnerable:	xine xine-ui 0.99.1 + xine xine 0.9.13 + xine xine 0.9.8 + xine xine 1-rc3b + xine xine 1-rc3a + xine xine 1-rc3 + xine xine 1-rc2 + xine xine 1-rc1 + xine xine 1-rc0a + xine xine 1-beta9 + xine xine 1-beta8 + xine xine 1-beta7 + xine xine 1-beta6 + xine xine 1-beta5 + xine xine 1-beta4 + xine xine 1-beta3 + xine xine 1-beta2 + xine xine 1-beta12 + xine xine 1-beta11 + xine xine 1-beta10 + xine xine 1-beta1

Discussion

Xine Bug Reporting Script Insecure Temporary File Creation Vulnerability

The xine bug-reporting scripts (xine-bugreport and xine-check) create temporary files in an insecure manner. A malicious local user could take advantage of this issue by mounting a symbolic-link attack to corrupt other system files, most likely resulting in the destruction of data. Privilege escalation is also possible. This issue occurs only when the vulnerable scripts are run to submit a bug report to the vendor.

Note that xine-bugreport and xine-check are separate instances of the same script.

Exploit / POC

Xine Bug Reporting Script Insecure Temporary File Creation Vulnerability

An exploit is not required.

Solution / Fix

Xine Bug Reporting Script Insecure Temporary File Creation Vulnerability

Solution:
Updates are available. Please see the referenced advisories for more information.

xine xine-ui 0.9.22

Mandrake xine-ui-0.9.22-5.1.92mdk.amd64.rpm
Mandrake Linux 9.2/AMD64
http://www.mandrakesecure.net/en/ftp.php

Mandrake xine-ui-0.9.22-5.1.92mdk.i586.rpm
Mandrake Linux 9.2
http://www.mandrakesecure.net/en/ftp.php

Mandrake xine-ui-aa-0.9.22-5.1.92mdk.amd64.rpm
Mandrake Linux 9.2/AMD64
http://www.mandrakesecure.net/en/ftp.php

Mandrake xine-ui-aa-0.9.22-5.1.92mdk.i586.rpm
Mandrake Linux 9.2
http://www.mandrakesecure.net/en/ftp.php

Mandrake xine-ui-fb-0.9.22-5.1.92mdk.amd64.rpm
Mandrake Linux 9.2/AMD64
http://www.mandrakesecure.net/en/ftp.php

Mandrake xine-ui-fb-0.9.22-5.1.92mdk.i586.rpm
Mandrake Linux 9.2
http://www.mandrakesecure.net/en/ftp.php

xine xine-ui 0.9.23

Mandrake xine-ui-0.9.23-3.1.100mdk.i586.rpm
Mandrake Linux 10.0
http://www.mandrakesecure.net/en/ftp.php

Mandrake xine-ui-aa-0.9.23-3.1.100mdk.i586.rpm
Mandrake Linux 10.0
http://www.mandrakesecure.net/en/ftp.php

Mandrake xine-ui-fb-0.9.23-3.1.100mdk.i586.rpm
Mandrake Linux 10.0
http://www.mandrakesecure.net/en/ftp.php

xine xine 0.9.8

Debian xine-ui_0.9.8-5.1_alpha.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.9.8-5 .1_alpha.deb

Debian xine-ui_0.9.8-5.1_arm.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.9.8-5 .1_arm.deb

Debian xine-ui_0.9.8-5.1_hppa.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.9.8-5 .1_hppa.deb

Debian xine-ui_0.9.8-5.1_i386.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.9.8-5 .1_i386.deb

Debian xine-ui_0.9.8-5.1_ia64.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.9.8-5 .1_ia64.deb

Debian xine-ui_0.9.8-5.1_m68k.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.9.8-5 .1_m68k.deb

Debian xine-ui_0.9.8-5.1_mips.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.9.8-5 .1_mips.deb

Debian xine-ui_0.9.8-5.1_mipsel.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.9.8-5 .1_mipsel.deb

Debian xine-ui_0.9.8-5.1_powerpc.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.9.8-5 .1_powerpc.deb

Debian xine-ui_0.9.8-5.1_s390.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.9.8-5 .1_s390.deb

Debian xine-ui_0.9.8-5.1_sparc.deb
Debian GNU/Linux 3.0 (woody)
http://security.debian.org/pool/updates/main/x/xine-ui/xine-ui_0.9.8-5 .1_sparc.deb

Fedora Legacy xine-0.9.8-4.2.legacy.i386.rpm
Red Hat Linux 7.3:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/xine-0.9.8-4. 2.legacy.i386.rpm

Fedora Legacy xine-devel-0.9.8-4.2.legacy.i386.rpm
Red Hat Linux 7.3:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/xine-devel-0. 9.8-4.2.legacy.i386.rpm

References

Xine Bug Reporting Script Insecure Temporary File Creation Vulnerability

References:

xine Homepage (xine)
xine-check/xine-bugreport symlink vulnerability. (=?iso-8859-1?q?Shaun=20Colley?= )