From nobody Thu Jul 10 02:06:27 2008
Message-ID: <45B70603.9010602@gmail.com>
Date: Wed, 24 Jan 2007 08:08:51 +0100
From: endrazine <endrazine@gmail.com>
User-Agent: Thunderbird 1.5.0.7 (X11/20061025)
MIME-Version: 1.0
To: Raphael Marichez <falco@gentoo.org>
Subject: Re: [Full-disclosure] [ GLSA 200701-18 ] xine-ui: Format string vulnerabilities
References: <20070123220709.GB28520@falco.falcal.net>
In-Reply-To: <20070123220709.GB28520@falco.falcal.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit

Hello Raphael,

I have an issue with this GLSA (which is a really useful service, by the way, thanks):

I think the affected syscall is rather xitk_window_dialog_error, at lines 128, 231, 357 in /src/xitk/errors.c. The "bad" thing is that errors_create_window exists but wasn't modified at all... see below...

$ diff ./xine-ui-0.99.4/src/xitk/errors.c ../../xine-ui-0.99.5_pre20060716/work/xine-ui-0.99.5_pre20060716/src/xitk/errors.c
20c20
< * $Id: errors.c,v 1.32 2005/02/07 18:16:28 miguelfreitas Exp $
---
> * $Id: errors.c,v 1.34 2006/07/15 08:46:50 dgp85 Exp $
71c71
< message);
---
> "%s", message);
113c113
< if(gGui->stdctl_enable) {
---
> if(gGui->stdctl_enable || !gGui->display) {
128c128
< xw = xitk_window_dialog_error(gGui->imlib_data, buf2);
---
> xw = xitk_window_dialog_error(gGui->imlib_data, "%s", buf2);
231c231
< xw = xitk_window_dialog_info(gGui->imlib_data, buf2);
---
> xw = xitk_window_dialog_info(gGui->imlib_data, "%s", buf2);
357c357
< message);
---
> "%s", message);

Regards,

endrazine-

Raphael Marichez wrote:
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Gentoo Linux Security Advisory                           GLSA 200701-18
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>                                             http://security.gentoo.org/
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
>   Severity: Normal
>      Title: xine-ui: Format string vulnerabilities
>       Date: January 23, 2007
>       Bugs: #161558
>         ID: 200701-18
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> Synopsis
> ========
>
> xine-ui improperly handles format strings, possibly allowing for the
> execution of arbitrary code.
>
> Background
> ==========
>
> xine-ui is a skin-based user interface for xine. xine is a free
> multimedia player. It plays CDs, DVDs, and VCDs, and can also decode
> other common multimedia formats.
>
> Affected packages
> =================
>
>     -------------------------------------------------------------------
>      Package         /  Vulnerable  /                        Unaffected
>     -------------------------------------------------------------------
>       1  xine-ui      < 0.99.5_pre20060716      >= 0.99.5_pre20060716
>
> Description
> ===========
>
> Due to the improper handling and use of format strings, the
> errors_create_window() function in errors.c does not safely write data
> to memory.
>
> Impact
> ======
>
> An attacker could entice a user to open a specially crafted media file
> with xine-ui, and possibly execute arbitrary code.
>
> Workaround
> ==========
>
> There is no known workaround at this time.
>
> Resolution
> ==========
>
> All xine-ui users should upgrade to the latest version:
>
>     # emerge --sync
>     # emerge --ask --oneshot --verbose ">=media-video/xine-ui-0.99.5_pre20060716"
>
> References
> ==========
>
>   [ 1 ] CVE-2007-0254
>         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0254
>
> Availability
> ============
>
> This GLSA and any updates to it are available for viewing at
> the Gentoo Security Website:
>
>   http://security.gentoo.org/glsa/glsa-200701-18.xml
>
> Concerns?
> =========
>
> Security is a primary focus of Gentoo Linux and ensuring the
> confidentiality and security of our users' machines is of utmost
> importance to us. Any security concerns should be addressed to
> security@gentoo.org or alternatively, you may file a bug at
> http://bugs.gentoo.org.
>
> License
> =======
>
> Copyright 2007 Gentoo Foundation, Inc; referenced text
> belongs to its owner(s).
>
> The contents of this document are licensed under the
> Creative Commons - Attribution / Share Alike license.
>
> http://creativecommons.org/licenses/by-sa/2.5
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
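Review bot: the `$Id` hunk at 20c20 shows the two files are CVS revisions 1.32 and 1.34, so this is a diff between two release snapshots spanning at least two commits, not a minimal security patch; hunks unrelated to format handling are to be expected in it, and the security fix should be identified hunk by hunk rather than attributed to the diff as a whole.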
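Review bot: the 71c71 hunk shows only the call's final argument line, `message);` becoming `"%s", message);`, so neither the enclosing function nor the callee is visible; the shape of the change is the right one (the text moves from the format-string position to a `%s` argument), but a unified diff with context (`diff -u`) is needed to confirm which function this hunk belongs to, which is exactly the point the mail disputes in the advisory's naming of errors_create_window().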
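Review bot: 113c113 widens the condition from `if(gGui->stdctl_enable) {` to `if(gGui->stdctl_enable || !gGui->display) {` and has nothing to do with format strings; it changes which path handles errors when there is no display, so it should be called out separately rather than letting the version bump the GLSA recommends be read as carrying only the format-string fix.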
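Review bot: in 128c128 the pre-fix call `xw = xitk_window_dialog_error(gGui->imlib_data, buf2);` passes `buf2` in the format-string position, so any `%` directive that survives into `buf2` is interpreted by the callee; the post-fix call supplies the literal `"%s"` and is correct. To catch any remaining call sites of the old shape, build with `-Wformat -Wformat-security` and give printf-like wrappers such as this dialog function a `format(printf, ...)` attribute, which turns a non-literal format with no arguments into a compiler warning.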
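Review bot: 231c231 applies the same correction to `xw = xitk_window_dialog_info(gGui->imlib_data, buf2);`, which shows the info dialog path had the defect as well as the error dialog path; the advisory text names only errors_create_window(), so a fix scoped to the error dialog alone would have been incomplete, and the advisory description should reflect both call sites.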
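Review bot: 357c357 has the same `message);` to `"%s", message);` shape as 71c71 and, like it, shows no callee; of the three lines the mail attributes to xitk_window_dialog_error, only 128 is visibly such a call in this diff (231 is xitk_window_dialog_info), so the attribution of line 357 needs the surrounding context before it can be taken as confirmed.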
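The correction shown in the diff above (media-derived text moved out of the format-string position into a `"%s"` argument), as an added C example that is not xine-ui code: `dialog_error` is a hypothetical stand-in for xitk_window_dialog_error, the sample title string is constructed, and the `format(printf, ...)` attribute illustrates how `-Wformat-security` surfaces any call still written in the pre-fix shape.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a printf-like dialog routine in the shape of xine-ui's
 * xitk_window_dialog_error() (hypothetical, not the real signature).
 * The format attribute lets GCC/Clang -Wformat-security flag a call that
 * passes a non-literal format with no arguments, as the pre-fix code did. */
#define DIALOG_MAX 256
static char dialog_text[DIALOG_MAX];

__attribute__((format(printf, 1, 2)))
const char *dialog_error(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(dialog_text, sizeof dialog_text, fmt, ap);
    va_end(ap);
    return dialog_text;
}

/* Pre-fix call shape, deliberately not compiled: media-derived text is the
 * format string, so its '%' directives are interpreted (undefined behaviour):
 *     dialog_error(message);                                              */

/* Post-fix call shape: the text is an argument and is copied verbatim. */
const char *show_error(const char *message)
{
    return dialog_error("%s", message);
}

/* Test oracle / log-review check: does text about to reach a printf-family
 * call carry a conversion specifier? "%%" is a literal percent sign. */
int has_conversion_spec(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}

int main(void)
{
    const char *from_media = "title: 100% %s %x %n";  /* constructed sample */
    printf("%s\n", show_error(from_media));
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` and uncommenting the pre-fix call makes the compiler report it, which is the cheapest way to sweep a code base for call sites the diff may have missed.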