Another critical vulnerability in xine-lib
The xine-lib development team has only just released version 1.1.12, which fixed multiple security vulnerabilities, and already a demo of another vulnerability in the multimedia library has turned up. The newly disclosed vulnerability can be exploited by attackers to inject and execute arbitrary code.
The vulnerability is in the src/demuxers/demux_nsf.c routine used for processing NES sound format (NSF) files. The demultiplexer uses a fixed-size buffer into which it copies NSF song titles without any length checking.
xine-lib does not rely on file extensions to determine file content and select the appropriate filter for decoding. Crafted NSF files can therefore have extensions such as .mp3, as used by the demo exploit found on milw0rm. Users of xine-lib based media players such as Totem and Kaffeine should therefore only open files from trusted sources even when using the latest version 1.1.12.
- Demonstration exploit on milw0rm