安全研究

安全漏洞
xine-lib NSF声音格式解码器demux_nsf.c栈溢出漏洞

发布日期:2008-04-17
更新日期:2008-04-18

受影响系统:
xine xine-lib 1.1.12
描述:
BUGTRAQ  ID: 28816
CVE(CAN) ID: CVE-2008-1878

xine是一款免费的媒体播放器,支持多种格式。

xine-lib的src/demuxers/demux_nsf.c文件中的demux_nsf_send_chunk()函数没有正确地处理NSF声音格式:

open_nsf_file():

109: this->title = strdup(&header[0x0E]);

demux_nsf_send_chunk():

122: char title[100];
162: sprintf(title, "%s, song %d/%d",
            this->title, this->current_song, this->total_songs);

如果用户受骗打开了带有超长NSF标题的媒体文件的话,就可以触发栈溢出,导致执行任意指令。

<*来源:Guido Landi
  
  链接:http://secunia.com/advisories/29850/
        http://www.debian.org/security/2008/dsa-1586
        http://security.gentoo.org/glsa/glsa-200808-01.xml
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

perl -e 'print
"\x4E\x45\x53\x4D\x1A\x01\x01\x01\x80\x80\x18\x8A\x03\x8A" . "\x41" x
114' > evil.mp3

建议:
厂商补丁:

Debian
------
Debian已经为此发布了一个安全公告(DSA-1586-1)以及相应补丁:
DSA-1586-1:New xine-lib packages fix several vulnerabilities
链接:http://www.debian.org/security/2008/dsa-1586

补丁下载:
Source archives:

http://security.debian.org/pool/updates/main/x/xine-lib/xine-lib_1.1.2+dfsg.orig.tar.gz
Size/MD5 checksum:  6716994 ae6525a76280a6e1979c3f4f89fd00f3
http://security.debian.org/pool/updates/main/x/xine-lib/xine-lib_1.1.2+dfsg-7.diff.gz
Size/MD5 checksum:    32397 9ef42da73934e6a981151549e97fd396
http://security.debian.org/pool/updates/main/x/xine-lib/xine-lib_1.1.2+dfsg-7.dsc
Size/MD5 checksum:     1585 b0949db5082a590b1afa4f477005f79f

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_alpha.deb
Size/MD5 checksum:  3410964 35526481cc816fad2d5692b33f4a3577
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_alpha.deb
Size/MD5 checksum:   118604 cfc8a8c900bd1182b3faddfeb09eba84
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_alpha.deb
Size/MD5 checksum:  3665492 49adcd016edc53b96bbc028bc3e428ae

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_amd64.deb
Size/MD5 checksum:   117506 f8305c6e72d9fd2a25cb7b144e0d696d
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_amd64.deb
Size/MD5 checksum:  3050404 b94199ba7a4a578db7eb0eefa42b725c
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_amd64.deb
Size/MD5 checksum:  3660324 635669edb747900be1b17a17dba1f564

arm architecture (ARM)

http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_arm.deb
Size/MD5 checksum:   118774 052c7ceae25865180a966f6e9e4eb573
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_arm.deb
Size/MD5 checksum:  2959500 bb1f326f6451a5681c592a56734b30da
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_arm.deb
Size/MD5 checksum:  2668528 19d061e0cc24b1bf935607207bc8c638

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_hppa.deb
Size/MD5 checksum:  3225530 ac2abcd37fe278b730a7a52db4690e2c
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_hppa.deb
Size/MD5 checksum:   119646 5190a9fd4691a7523f1ae2734d81691f
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_hppa.deb
Size/MD5 checksum:  2697042 ea3479f6dc14ed23f90fbb653ea714aa

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_i386.deb
Size/MD5 checksum:   117466 6bd9177c7a51abe868c0c4f4dfb1b6d7
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_i386.deb
Size/MD5 checksum:  3967634 5a85d97914a5bcb3033e8d3eaec4af4b
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_i386.deb
Size/MD5 checksum:  3350218 88382dafa93891b720985435619e1bee

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_ia64.deb
Size/MD5 checksum:  3765616 e38586e9ef6c7b1997679198cc263b9f
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_ia64.deb
Size/MD5 checksum:  2685148 2bbd6abfaa59b6d5d238916e1fe588c1
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_ia64.deb
Size/MD5 checksum:   117500 c6038901ade50caa3a84254f51b43081

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_mips.deb
Size/MD5 checksum:  3036512 2e2b54ad4b4b45715528981791ce85c6
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_mips.deb
Size/MD5 checksum:  2844538 03835764ba28aa277cf33b994ac2c515
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_mips.deb
Size/MD5 checksum:   119386 292683637eeb0e0922516c27069b0a4a

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_mipsel.deb
Size/MD5 checksum:  3017710 0fd6b63681e496817a5a741b942b3642
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_mipsel.deb
Size/MD5 checksum:  2788988 e9bc0450d264dfc9f3522bc38f27fa61
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_mipsel.deb
Size/MD5 checksum:   117528 656913c22767f942ea3ef2f8ad0edc80

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_powerpc.deb
Size/MD5 checksum:  3719568 4bf9a41390aa91305a7de075d8d2c52a
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_powerpc.deb
Size/MD5 checksum:  3209842 ee37b66a198c890770fcda734e30fab8
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_powerpc.deb
Size/MD5 checksum:   117512 e952851e820d0634de013e598c61c432

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_s390.deb
Size/MD5 checksum:  3173064 c1210b83707d76a4256c42393ef1e2d4
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_s390.deb
Size/MD5 checksum:  2719306 125a96fd91fc8cf88c69280500230e0e
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_s390.deb
Size/MD5 checksum:   117502 babe974673968538886456d4f5345cce

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_sparc.deb
Size/MD5 checksum:  3025332 591637b97267686c199c074ce3e92aba
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_sparc.deb
Size/MD5 checksum:   117520 f3b076031d34e283445c27fcb9031e63
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_sparc.deb
Size/MD5 checksum:  3369250 d8e3d16b7c014187398029cf2e75f0da

补丁安装方法:

1. 手工安装补丁包:

  首先,使用下面的命令来下载补丁软件:
  # wget url  (url是补丁下载链接地址)

  然后,使用下面的命令来安装补丁:  
  # dpkg -i file.deb (file是相应的补丁名)

2. 使用apt-get自动安装补丁包:

   首先,使用下面的命令更新内部数据库:
   # apt-get update
  
   然后,使用下面的命令安装更新软件包:
   # apt-get upgrade

Gentoo
------
Gentoo已经为此发布了一个安全公告(GLSA-200808-01)以及相应补丁:
GLSA-200808-01:xine-lib: User-assisted execution of arbitrary code
链接:http://security.gentoo.org/glsa/glsa-200808-01.xml

所有xine-lib用户都应升级到最新版本:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.13"

浏览次数:4192
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障
关于我们
公司介绍
公司荣誉
公司新闻
联系我们
公司总部
分支机构
海外机构
快速链接
绿盟云
绿盟威胁情报中心NTI
技术博客