In association with heise online

19 March 2008, 17:15

Another vulnerability in xine-lib


The developers of xine scarcely have a moment's rest these days. Following their efforts in recent months to patch several security holes in the library, Secunia has discovered a new vulnerability that allows attackers to inject arbitrary code. According to the Secunia security advisory, the sdpplin_parse() function in the input/libreal/sdpplin.c file fails to check the length of the streamid SDP parameter in a Real Time Streaming Protocol (RTSP) stream, potentially resulting in a buffer overflow. This can enable attackers to overwrite memory arbitrarily with manipulated data streams and execute injected code or even a trojan.

There is currently no patch available to remedy the vulnerability. However, Secunia states that one should be available soon. Until Linux distributors release updated packages, applications that use xine-lib should not be used to open any RTSP data streams.
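The kind of check the advisory describes as missing can be sketched as follows. This is an added illustration, not xine-lib code: the function names, the table size and the `a=StreamId:integer;` attribute syntax are assumptions, and the sketch assumes the streamid value selects a slot in a fixed-size table.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STREAMS 8                       /* assumed table size */
#define STREAMID_KEY "a=StreamId:integer;"  /* assumed attribute syntax */

struct stream_table { int present[MAX_STREAMS]; };

/* Parse one SDP line. Returns the validated id (0..MAX_STREAMS-1),
 * -1 if the line is not a stream id attribute, -2 if the value is rejected. */
int parse_streamid_line(const char *line, struct stream_table *tbl)
{
    size_t klen = strlen(STREAMID_KEY);
    if (strncmp(line, STREAMID_KEY, klen) != 0)
        return -1;

    const char *val = line + klen;
    char *end = NULL;
    if (*val < '0' || *val > '9')           /* no sign, no whitespace, not empty */
        return -2;
    errno = 0;
    long id = strtol(val, &end, 10);
    /* Only a line ending may follow the digits. */
    if (*end != '\0' && *end != '\r' && *end != '\n')
        return -2;
    /* Bound the untrusted value against the destination before it is
     * used to write memory. */
    if (errno == ERANGE || id >= MAX_STREAMS)
        return -2;

    tbl->present[id] = 1;
    return (int)id;
}

/* Walk an SDP body: number of accepted ids, or -1 on the first rejected value. */
int parse_sdp_streamids(const char *sdp, struct stream_table *tbl)
{
    int accepted = 0;
    memset(tbl, 0, sizeof *tbl);
    while (*sdp) {
        int r = parse_streamid_line(sdp, tbl);
        if (r == -2) return -1;             /* fail closed on bad input */
        if (r >= 0) accepted++;
        const char *nl = strchr(sdp, '\n');
        if (!nl) break;
        sdp = nl + 1;
    }
    return accepted;
}
```

Rejecting the whole description on the first out-of-range value, rather than skipping the line, keeps a malformed stream from being partially processed.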
