In association with heise online

10 January 2008, 17:11

xine-lib media library slips up when streaming


A security vulnerability in the open source xine-lib library has been reported by Luigi Auriemma. It can be exploited by attackers using crafted Real Time Streaming Protocol (RTSP) data streams to inject malicious code. An update from the Xine development team is not yet available.

The rmff_dump_header function in the input/libreal/rmff.c file fails to take account of the header length when processing streams, which can result in a buffer overflowing on the heap. This can lead to execution of injected code.

The Xine development team only released the current version of the library on Sunday. No fix is available at the time of publication. Media players based on xine-lib such as totem and kaffeine are also affected. Until an update is available from Linux distributors, users should avoid opening RTSP data streams using xine-lib. The mplayer project also uses files from the Xine project, but its developers have incorporated length checking, making it unaffected by the flaw.
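The kind of length check described above, as an added example in C that is not code from xine-lib or mplayer: a header is serialized into a fixed-size buffer and each stream-supplied length is validated against the space remaining before any copy. The chunk layout and the names `chunk_t`, `put_be32` and `dump_header_checked` are hypothetical simplifications.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified header chunk; not xine-lib's own structures. */
typedef struct {
    uint32_t id;          /* four-character tag */
    uint32_t size;        /* length claimed by the stream: untrusted */
    const uint8_t *data;  /* payload bytes actually received */
    size_t data_len;      /* number of payload bytes actually held */
} chunk_t;

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Serialize n chunks into out[0..max). Returns bytes written, or -1 if a
 * chunk's claimed size is inconsistent or would not fit in what is left. */
long dump_header_checked(const chunk_t *chunks, size_t n,
                         uint8_t *out, size_t max)
{
    size_t written = 0;
    for (size_t i = 0; i < n; i++) {
        const chunk_t *c = &chunks[i];
        /* size covers the 8-byte tag+length prefix plus the payload */
        if (c->size < 8 || (size_t)c->size - 8 != c->data_len)
            return -1;
        /* Bounds check against remaining space; the subtraction form
         * cannot wrap because written <= max always holds here. */
        if (c->size > max - written)
            return -1;
        put_be32(out + written, c->id);
        put_be32(out + written + 4, c->size);
        memcpy(out + written + 8, c->data, c->data_len);
        written += c->size;
    }
    return (long)written;
}

int main(void)
{
    static const uint8_t payload[4] = {1, 2, 3, 4};   /* constructed sample */
    chunk_t lie = {0x50524F50u, 4096, payload, 4};     /* claims 4096 bytes */
    uint8_t out[16];
    printf("%ld\n", dump_header_checked(&lie, 1, out, sizeof out));
    return 0;
}
```

Without the two checks inside the loop, the copies would be bounded only by values taken from the stream rather than by the size of the destination buffer.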
