Debian Bug report logs - #332919
CAN-2005-2967: Format string vulnerability in xine-lib's CDDB response parsing


Package: xine-lib; Maintainer for xine-lib is Darren Salt <devspam@moreofthesa.me.uk>;

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Sun, 9 Oct 2005 14:03:09 UTC

Severity: grave

Tags: fixed, patch, security

Merged with 333682

Fixed in version xine-lib/1.1.1-1

Done: Reinhard Tartler <siretart@tauware.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Siggi Langauf <siggi@debian.org>:
Bug#332919; Package xine-lib.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Siggi Langauf <siggi@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CAN-2005-2967: Format string vulnerability in xine-lib's CDDB response parsing
Date: Sun, 09 Oct 2005 15:58:36 +0200
Package: xine-lib
Severity: grave
Tags: security
Justification: user security hole

A format string vulnerability in xine-lib's CDDB response parsing has been found.
Exploitation is quite unlikely, as it would require a rogue CDDB server, but it
should be fixed nevertheless, as the fix is trivial. Please see
http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0196.html for
details and a patch.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-rc1
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
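The bug class the report describes, as an added example in C that is not xine-lib's code: a CDDB reply passed as the format argument of a printf-style logger, beside the trivial fix and a small check a defender can run over replies. The names cddb_log, report_vulnerable, report_fixed and count_format_directives are assumed for illustration, and the reply strings are constructed.

```c
/* Added example, not xine-lib's code: the bug class behind CAN-2005-2967.
 * A CDDB server reply (e.g. "DTITLE=Artist / Title") is text the server,
 * and therefore anyone who can submit entries to it, controls. Passing it
 * as the *format* argument of a printf-style logger lets '%' sequences in
 * the reply drive the formatter. All names here are assumed for illustration. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* A typical printf-style logging helper; it does not validate fmt. */
void cddb_log(char *buf, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, n, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: the untrusted reply becomes the format string. */
void report_vulnerable(char *buf, size_t n, const char *reply) {
    cddb_log(buf, n, reply);          /* any '%' in reply is interpreted */
}

/* Fixed pattern (the "trivial fix" the report mentions): the reply is data. */
void report_fixed(char *buf, size_t n, const char *reply) {
    cddb_log(buf, n, "%s", reply);
}

/* Detection aid: count the conversions a reply would inject if it were ever
 * used as a format ("%%" is a literal percent, not a conversion). A non-zero
 * count for a server reply is a reasonable thing to log and alert on. */
int count_format_directives(const char *s) {
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}

/* Run a constructed reply through the fixed path; returns 1 when the output
 * equals the input byte for byte, i.e. nothing in it was interpreted. */
int fixed_path_preserves(const char *reply) {
    char out[256];
    report_fixed(out, sizeof out, reply);
    return strcmp(out, reply) == 0;
}
```

report_vulnerable is included only to show the shape of the defect; the checks below exercise the fixed path and the detector.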



Information forwarded to debian-bugs-dist@lists.debian.org, Siggi Langauf <siggi@debian.org>:
Bug#332919; Package xine-lib.

Acknowledgement sent to "Ulf Harnhammar" <metaur@operamail.com>:
Extra info received and forwarded to list. Copy sent to Siggi Langauf <siggi@debian.org>.

Message #10 received at 332919@bugs.debian.org:

From: "Ulf Harnhammar" <metaur@operamail.com>
To: 332919@bugs.debian.org
Cc: jmm@inutil.org
Subject: No
Date: Tue, 11 Oct 2005 12:26:10 +0100
No, you don't need to set up a rogue CDDB server, as CDDB servers let anyone add or modify information about records.

http://www.freedb.org/modules.php?name=Sections&sop=viewarticle&artid=26

// Ulf



-- 
_______________________________________________
Surf the Web in a faster, safer and easier way:
Download Opera 8 at http://www.opera.com

Powered by Outblaze



Information forwarded to debian-bugs-dist@lists.debian.org, Siggi Langauf <siggi@debian.org>:
Bug#332919; Package xine-lib.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Siggi Langauf <siggi@debian.org>.

Message #15 received at 332919@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Ulf Harnhammar <metaur@operamail.com>
Cc: 332919@bugs.debian.org
Subject: Re: No
Date: Tue, 11 Oct 2005 13:59:37 +0200
Ulf Harnhammar wrote:
> No, you don't need to set up a rogue CDDB server, as CDDB servers let anyone add or modify information about records.

But according to the freedb.org FAQs every submission is reviewed before being
applied to the database. So it seems quite unlikely submissions of crafted entries
to exploit this vulnerability would pass this stage.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Siggi Langauf <siggi@debian.org>:
Bug#332919; Package xine-lib.

Acknowledgement sent to "Ulf Harnhammar" <metaur@operamail.com>:
Extra info received and forwarded to list. Copy sent to Siggi Langauf <siggi@debian.org>.

Message #20 received at 332919@bugs.debian.org:

From: "Ulf Harnhammar" <metaur@operamail.com>
To: "Moritz Muehlenhoff" <jmm@inutil.org>
Cc: 332919@bugs.debian.org
Subject: Re: No
Date: Wed, 12 Oct 2005 12:27:17 +0100
> > No, you don't need to set up a rogue CDDB server, as CDDB servers 
> > let anyone add or modify information about records.
> 
> But according to the freedb.org FAQs every submission is reviewed before being
> applied to the database. So it seems quite unlikely submissions of 
> crafted entries
> to exploit this vulnerability would pass this stage.

I can't find any place in the FAQ or the web site where it says that. On the contrary:


"Many users submit, and we are (automatically) trying to sort the bad entries out but we cannot guarantee that all submitted data is correct."

http://www.freedb.org/modules.php?name=Sections&sop=viewarticle&artid=4


"We update our master server as well as the mirrors with new submissions several times a day."

http://www.freedb.org/modules.php?name=Sections&sop=viewarticle&artid=26


They had about 19600 submissions last week:

http://www.freedb.org/freedb_stats.php?type=weekly&topic=submits


I think that's pretty conclusive evidence that they don't review the submitted entries.

It should also be noted that if you don't patch xine-lib, you have to trust the freedb.org people 100%, which I'm not willing to do. (I trust debian.org and ftp.sunet.se where I download .debs from, but they both have a reputation and a history.)

// Ulf



-- 
_______________________________________________
Surf the Web in a faster, safer and easier way:
Download Opera 8 at http://www.opera.com

Powered by Outblaze



Merged 332919 333682. Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Siggi Langauf <siggi@debian.org>:
Bug#332919; Package xine-lib.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Siggi Langauf <siggi@debian.org>.

Message #27 received at 332919@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 337996@bugs.debian.org, 333682@bugs.debian.org, 332919@bugs.debian.org, Jérôme Marant <jmarant@free.fr>
Cc: siggi@debian.org, pmhahn@debian.org, debian-qa@lists.debian.org
Subject: Re: #332919 Still not fixed
Date: Wed, 23 Nov 2005 10:33:33 +0100
On Tue, 2005-11-22 at 23:31 +0100, Jérôme Marant wrote:
> Hi,
> 
> I've just noticed that this security bug has not been fixed:
> 
>   #332919: CAN-2005-2967: Format string vulnerability in xine-lib's CDDB response parsing
> 
> Any action taken?

This bug has been addressed for stable in DSA-863, it's only etch/sid
which have to be fixed. The package has two maintainers, but I can't
trace recent activity for any of them.

I've prepared updated packages for xine-lib, which fix this security
issue and the FTBFS-bug. They thus fix 2 RC bugs (or 3 if you count
merged separately). The diff is attached, the updated packages can be
found here: http://www.a-eskwadraat.nl/~kink/xine-lib/

Since I can't upload them myself, maybe someone else can review and
upload?

regards,
Thijs
[xine-lib_CVE-2005-2967.diff (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Siggi Langauf <siggi@debian.org>:
Bug#332919; Package xine-lib.

Acknowledgement sent to Thomas Viehmann <tv@beamnet.de>:
Extra info received and forwarded to list. Copy sent to Siggi Langauf <siggi@debian.org>.

Message #32 received at 332919@bugs.debian.org:

From: Thomas Viehmann <tv@beamnet.de>
To: Steve Langasek <vorlon@debian.org>, 332919@bugs.debian.org, control@bugs.debian.org
Cc: Thijs Kinkhorst <kink@squirrelmail.org>, debian-qa@lists.debian.org
Subject: Re: #332919 Still not fixed
Date: Thu, 24 Nov 2005 13:02:45 +0100
tag 332919 + pending
thanks

I'm presently uploading Thijs' NMU.

Steve Langasek wrote:
> On Wed, Nov 23, 2005 at 09:15:29PM +0100, Thomas Viehmann wrote:
[build-problem]
> This is an accidental dependency on i386 only due to a samba misbuild.  It
> should be fixed as soon as samba gets binNMUed (autobuilder binNMUs are
> currently down for maintenance).
Ah. Thanks for the info. So I've built xine-lib with a local binNMU of
samba on i386 and am uploading the xine-lib NMU.

Kind regards

T.
-- 
Thomas Viehmann, http://thomas.viehmann.net/



Tags added: pending. Request was from Thomas Viehmann <tv@beamnet.de> to control@bugs.debian.org.

Tags added: fixed. Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org.

Tags added: fixed. Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org.

Reply sent to Reinhard Tartler <siretart@tauware.de>:
You have taken responsibility.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.

Message #43 received at 332919-close@bugs.debian.org:

From: Reinhard Tartler <siretart@tauware.de>
To: 332919-close@bugs.debian.org
Subject: Bug#332919: fixed in xine-lib 1.1.1-1
Date: Fri, 24 Feb 2006 15:02:16 -0800
Source: xine-lib
Source-Version: 1.1.1-1

We believe that the bug you reported is fixed in the latest version of
xine-lib, which is due to be installed in the Debian FTP archive:

libxine-dev_1.1.1-1_i386.deb
  to pool/main/x/xine-lib/libxine-dev_1.1.1-1_i386.deb
libxine1_1.1.1-1_i386.deb
  to pool/main/x/xine-lib/libxine1_1.1.1-1_i386.deb
xine-lib_1.1.1-1.diff.gz
  to pool/main/x/xine-lib/xine-lib_1.1.1-1.diff.gz
xine-lib_1.1.1-1.dsc
  to pool/main/x/xine-lib/xine-lib_1.1.1-1.dsc
xine-lib_1.1.1.orig.tar.gz
  to pool/main/x/xine-lib/xine-lib_1.1.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 332919@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated xine-lib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Sun, 19 Feb 2006 18:34:51 +0100
Source: xine-lib
Binary: libxine-dev libxine1
Architecture: source i386
Version: 1.1.1-1
Distribution: unstable
Urgency: low
Maintainer: Siggi Langauf <siggi@debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Description: 
 libxine-dev - the xine video player library, development packages
 libxine1   - the xine video/media player library, binary files
Closes: 288189 315986 318838 320317 323276 325960 326935 326936 327203 328168 328184 328265 328454 332919 337996 337997 338000 342208 345499 346488 347162 353150
Changes: 
 xine-lib (1.1.1-1) unstable; urgency=low
 .
   * New upstream release! (Closes: #326936, #353150, #332919)
 .
   [ Reinhard Tartler ]
     - adding myself to uploaders
     - Remove build dependencies on xlibs-dev, as well as alternatives on
       xlibs-dev-static. Debian is on its way towards X11R7!
       (Closes: #337997, #346488, #345499, #342208, #347162)
     - Rechecking the long list of NMUs. Thanks to all submitters!
 .
   [ Darren Salt ]
     - Add debian/watch file for uscan.
     - Convert debian/copyright to UTF-8.
     - Add build-deps on libxv-dev and libvcdinfo-dev.
     - Bump standards version to 3.6.2
     - Make "post-Sarge"-tagged changes to debian/rules and strip debian/tmp/
       from debian/*.install.
     - Remove *.gmo on clean (Just In Case). (Closes: #338000)
     - Do a little preparation for a possible -dbg package.
 .
   * Acknowledge NMUs.
     - Backports and gcc 4.0 fixes dropped since they're already in this version.
       Closes: #288189, #318838
     - slang transition: Closes: #315986
     - aalib transition: Closes: #320317, #323276
     - flac transition: Closes: #325960
     - fix of dependency generation script debian/shlibdeps.sh:
       Closes: #326935, #327203, #328168, #328184, #328265, #328454
     - fix bashism in debian/rules: Closes: #337996
Files: 
 3a7bb1c29296533f933ba4d3a5023d3a 1109 libs optional xine-lib_1.1.1-1.dsc
 b1f42602c776bb93e3cbf127e220cbfd 7990031 libs optional xine-lib_1.1.1.orig.tar.gz
 2822672c7751a97d673946a3ce14074d 2787 libs optional xine-lib_1.1.1-1.diff.gz
 eae78d0d6e9a85837a27130679aae894 109628 libdevel optional libxine-dev_1.1.1-1_i386.deb
 32843ca6f9b97079b83049c9badcc5ea 4150224 libs optional libxine1_1.1.1-1_i386.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Siggi Langauf <siggi@debian.org>:
Bug#332919; Package xine-lib.

Acknowledgement sent to Reinhard Tartler <siretart@tauware.de>:
Extra info received and forwarded to list. Copy sent to Siggi Langauf <siggi@debian.org>.

Your message did not contain a Subject field. They are recommended and useful because the title of a Bug is determined using this field. Please remember to include a Subject field in your messages in future.



Message #48 received at 332919@bugs.debian.org:

From: Reinhard Tartler <siretart@tauware.de>
To: 332919@bugs.debian.org
Date: Mon, 19 Mar 2007 16:18:56 +0100
Package: xine-lib
Version: 

--- Please enter the report below this line. ---


--- System information. ---
Architecture: i386
Kernel:       Linux 2.6.18-4-686

Debian Release: 4.0
  500 testing         security.debian.org 
  500 testing         ftp.de.debian.org 
   50 unstable        www.debian-multimedia.org 
   50 unstable        ftp.debian-unofficial.org 
   50 unstable        ftp.de.debian.org 
    1 experimental    ftp.de.debian.org 

--- Package information. ---
Depends                                  (Version) | Installed
==================================================-+-=========================
                                                   | 




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 19:14:59 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 14:32:38 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.