[gentoo-announce] [ GLSA 200405-24 ] MPlayer, xine-lib: vulnerabilities in RTSP stream handling - gentoo-announce

From:	Thierry Carrez <koon@g.o>
To:	gentoo-announce@l.g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200405-24 ] MPlayer, xine-lib: vulnerabilities in RTSP stream handling
Date:	Fri, 28 May 2004 17:26:40
Message-Id:	`40B775E7.7080009@gentoo.org`

1

-----BEGIN PGP SIGNED MESSAGE-----

2

Hash: SHA1

3

4

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

5

Gentoo Linux Security Advisory                           GLSA 200405-24

6

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

7

                                            http://security.gentoo.org/

8

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

9

10

  Severity: High

11

     Title: MPlayer, xine-lib: vulnerabilities in RTSP stream handling

12

      Date: May 28, 2004

13

      Bugs: #49387

14

        ID: 200405-24

15

16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

17

18

Synopsis

19

========

20

21

Multiple vulnerabilities, including remotely exploitable buffer

22

overflows, have been found in code common to MPlayer and the xine

23

library.

24

25

Background

26

==========

27

28

MPlayer is a movie player capable of handling multiple multimedia file

29

formats. xine-lib is a multimedia player library used by several

30

graphical user interfaces, including xine-ui. They both use the same

31

code to handle Real-Time Streaming Protocol (RTSP) streams from

32

RealNetworks servers.

33

34

Affected packages

35

=================

36

37

    -------------------------------------------------------------------

38

     Package              /   Vulnerable   /                Unaffected

39

    -------------------------------------------------------------------

40

  1  media-video/mplayer      < 1.0_pre4                   >= 1.0_pre4

41

                                                            <= 0.92-r1

42

  2  media-libs/xine-lib        < 1_rc4                       >= 1_rc4

43

                                                          <= 0.9.13-r3

44

45

Description

46

===========

47

48

Multiple vulnerabilities have been found and fixed in the RTSP handling

49

code common to recent versions of these two packages. These

50

vulnerabilities include several remotely exploitable buffer overflows.

51

52

Impact

53

======

54

55

A remote attacker, posing as a RTSP stream server, can execute

56

arbitrary code with the rights of the user of the software playing the

57

stream (MPlayer or any player using xine-lib). Another attacker may

58

entice a user to use a maliciously crafted URL or playlist to achieve

59

the same results.

60

61

Workaround

62

==========

63

64

For MPlayer, there is no known workaround at this time. For xine-lib,

65

you can delete the xineplug_inp_rtsp.so file.

66

67

Resolution

68

==========

69

70

All users should upgrade to non-vulnerable versions of MPlayer and

71

xine-lib:

72

73

    # emerge sync

74

75

    # emerge -pv ">=media-video/mplayer-1.0_pre4"

76

    # emerge ">=media-video/mplayer-1.0_pre4"

77

78

    # emerge -pv ">=media-libs/xine-lib-1_rc4"

79

    # emerge ">=media-libs/xine-lib-1_rc4"

80

81

References

82

==========

83

84

  [ 1 ] Xine security advisory

85

        http://xinehq.de/index.php/security/XSA-2004-3

86

  [ 2 ] CAN-2004-0433

87

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0433

88

89

Availability

90

============

91

92

This GLSA and any updates to it are available for viewing at

93

the Gentoo Security Website:

94

95

     http://security.gentoo.org/glsa/glsa-200405-24.xml

96

97

Concerns?

98

=========

99

100

Security is a primary focus of Gentoo Linux and ensuring the

101

confidentiality and security of our users machines is of utmost

102

importance to us. Any security concerns should be addressed to

103

security@g.o or alternatively, you may file a bug at

104

http://bugs.gentoo.org.

105

106

License

107

=======

108

109

Copyright 2004 Gentoo Technologies, Inc; referenced text

110

belongs to its owner(s).

111

112

The contents of this document are licensed under the

113

Creative Commons - Attribution / Share Alike license.

114

115

http://creativecommons.org/licenses/by-sa/1.0

116

117

-----BEGIN PGP SIGNATURE-----

118

Version: GnuPG v1.2.4 (GNU/Linux)

119

Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

120

121

iD8DBQFAt3XnvcL1obalX08RAh2gAJ9ySSipEhhDmj6aBHaMIrGCvhal5QCfft/d

122

4esLZpJjqX0f+8HpE4uzyi0=

123

=jm1a

124

-----END PGP SIGNATURE-----

1	-----BEGIN PGP SIGNED MESSAGE-----
2	Hash: SHA1
3
4	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5	Gentoo Linux Security Advisory GLSA 200405-24
6	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7	http://security.gentoo.org/
8	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9
10	Severity: High
11	Title: MPlayer, xine-lib: vulnerabilities in RTSP stream handling
12	Date: May 28, 2004
13	Bugs: #49387
14	ID: 200405-24
15
16	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
17
18	Synopsis
19	========
20
21	Multiple vulnerabilities, including remotely exploitable buffer
22	overflows, have been found in code common to MPlayer and the xine
23	library.
24
25	Background
26	==========
27
28	MPlayer is a movie player capable of handling multiple multimedia file
29	formats. xine-lib is a multimedia player library used by several
30	graphical user interfaces, including xine-ui. They both use the same
31	code to handle Real-Time Streaming Protocol (RTSP) streams from
32	RealNetworks servers.
33
34	Affected packages
35	=================
36
37	-------------------------------------------------------------------
38	Package / Vulnerable / Unaffected
39	-------------------------------------------------------------------
40	1 media-video/mplayer < 1.0_pre4 >= 1.0_pre4
41	<= 0.92-r1
42	2 media-libs/xine-lib < 1_rc4 >= 1_rc4
43	<= 0.9.13-r3
44
45	Description
46	===========
47
48	Multiple vulnerabilities have been found and fixed in the RTSP handling
49	code common to recent versions of these two packages. These
50	vulnerabilities include several remotely exploitable buffer overflows.
51
52	Impact
53	======
54
55	A remote attacker, posing as a RTSP stream server, can execute
56	arbitrary code with the rights of the user of the software playing the
57	stream (MPlayer or any player using xine-lib). Another attacker may
58	entice a user to use a maliciously crafted URL or playlist to achieve
59	the same results.
60
61	Workaround
62	==========
63
64	For MPlayer, there is no known workaround at this time. For xine-lib,
65	you can delete the xineplug_inp_rtsp.so file.
66
67	Resolution
68	==========
69
70	All users should upgrade to non-vulnerable versions of MPlayer and
71	xine-lib:
72
73	# emerge sync
74
75	# emerge -pv ">=media-video/mplayer-1.0_pre4"
76	# emerge ">=media-video/mplayer-1.0_pre4"
77
78	# emerge -pv ">=media-libs/xine-lib-1_rc4"
79	# emerge ">=media-libs/xine-lib-1_rc4"
80
81	References
82	==========
83
84	[ 1 ] Xine security advisory
85	http://xinehq.de/index.php/security/XSA-2004-3
86	[ 2 ] CAN-2004-0433
87	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0433
88
89	Availability
90	============
91
92	This GLSA and any updates to it are available for viewing at
93	the Gentoo Security Website:
94
95	http://security.gentoo.org/glsa/glsa-200405-24.xml
96
97	Concerns?
98	=========
99
100	Security is a primary focus of Gentoo Linux and ensuring the
101	confidentiality and security of our users machines is of utmost
102	importance to us. Any security concerns should be addressed to
103	security@g.o or alternatively, you may file a bug at
104	http://bugs.gentoo.org.
105
106	License
107	=======
108
109	Copyright 2004 Gentoo Technologies, Inc; referenced text
110	belongs to its owner(s).
111
112	The contents of this document are licensed under the
113	Creative Commons - Attribution / Share Alike license.
114
115	http://creativecommons.org/licenses/by-sa/1.0
116
117	-----BEGIN PGP SIGNATURE-----
118	Version: GnuPG v1.2.4 (GNU/Linux)
119	Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
120
121	iD8DBQFAt3XnvcL1obalX08RAh2gAJ9ySSipEhhDmj6aBHaMIrGCvhal5QCfft/d
122	4esLZpJjqX0f+8HpE4uzyi0=
123	=jm1a
124	-----END PGP SIGNATURE-----

Gentoo Archives: gentoo-announce