Update fixes critical vulnerability in Xine libraries
Users of the open source media player Xine should update their program libraries - xine lib versions prior to 1.1.3 contain a security vulnerability that could permit an attacker to infiltrate malware onto a computer via media files. Other players besides Xine use the same libraries. The vulnerability is in the asmrp_eval function in the Real Media input plugin (src/input/libreal/real.c) and is the result of a buffer overflow provoked by too many entries in the rulebook of a stream. A rulebook contains settings, such as information on filters to be used during play-back etc. A server could send crafted rulebooks to a client.
In addition, the latest version of the xine lib fixes an old vulnerability in the libmms library for processing Microsoft's Streaming Protocol. This vulnerability could also be exploited to infiltrate and execute code. The Linux distributor Ubuntu has already released a patch and other suppliers are expected to follow suit shortly.
- Probably buffer overrun exploit in Real Media input plugin, bug report on SourceForge