xine/gxine CD Player Remote Format String Bug BACKGROUND "xine is a free multimedia player. It plays back CDs, DVDs, and VCDs. It also decodes multimedia files like AVI, MOV, WMV, and MP3 from local disk drives, and displays multimedia streamed over the Internet. It interprets many of the most common multimedia formats available - and some of the most uncommon formats, too." gxine is a "gtk-based media player style gui + mozilla plugin". ( from http://www.xinehq.de/ ) Both programs are available in many Linux distributions and *BSD ports collections. BUG When you use xine or gxine to play a CD, the programs will connect to a CDDB server to retrieve the record's artist/band and title as well as the song titles. The programs write this information to a cache file, and the code in xine-lib that performs this action suffers from a format string bug, allowing remote execution of arbitrary code. It is worth noting that CDDB servers allow any user to add or modify information about records. It is also worth noting that the vulnerable code in xine-lib writes all information about a record that the server sends to it to the cache file, including comments. Thus, this bug could be used for automated mass attacks against anyone in the world who listens to a particular CD in xine or gxine. There is also a potential for social engineering attacks. The vulnerable code is found in the xine-lib library that both xine and gxine use. The vulnerable versions are at least xine-lib-0.9.13, 1.0, 1.0.1, 1.0.2 and 1.1.0. The bug has the identifier CAN-2005-2967. WORKAROUND To avoid this vulnerability, the user can switch off CDDB lookups under Settings / Setup - change Configuration experience level to Advanced, press Apply, go to the Media tab, deselect Query CDDB, press Apply and finally OK. TESTING AND PATCHING I have attached a fake CDDB server that exhibits this problem. (You do not need to change server to get hit by this bug, as the CDDB servers allow anyone to add or modify information, but I think it was nicer to test it this way.) You run this server, then you start xine or gxine, change Configuration experience level to Master of the known universe, press Apply, go to the Media tab, enter the malicious CDDB server's host name under CDDB server name, press Apply and then OK. Finally, you put a CD in the computer's CD drive and press the CD button in the programs. The format string bug will then crash xine or gxine. Apart from the server, I have also attached a patch that corrects the problem. The upstream developers as well as the vendor-sec mailing list were contacted, and the 8th of October was agreed upon as the release date. // Ulf Harnhammar for the Debian Security Audit Project http://www.debian.org/security/audit/