ID CVE-2004-1187
Summary Heap-based buffer overflow in the pnm_get_chunk function for xine 0.99.2, and other packages such as MPlayer that use the same code, allows remote attackers to execute arbitrary code via long PNA_TAG values, a different vulnerability than CVE-2004-1188.
References
Vulnerable Configurations
  • cpe:2.3:a:mplayer:mplayer:0.90
  • cpe:2.3:a:mplayer:mplayer:0.90_pre
  • cpe:2.3:a:mplayer:mplayer:0.90_rc
  • cpe:2.3:a:mplayer:mplayer:0.90_rc4
  • cpe:2.3:a:mplayer:mplayer:0.91
  • cpe:2.3:a:mplayer:mplayer:0.92
  • cpe:2.3:a:mplayer:mplayer:0.92.1
  • cpe:2.3:a:mplayer:mplayer:0.92_cvs
  • cpe:2.3:a:mplayer:mplayer:1.0_pre1
  • cpe:2.3:a:mplayer:mplayer:1.0_pre2
  • cpe:2.3:a:mplayer:mplayer:1.0_pre3
  • cpe:2.3:a:mplayer:mplayer:1.0_pre3try2
  • cpe:2.3:a:mplayer:mplayer:1.0_pre4
  • cpe:2.3:a:mplayer:mplayer:1.0_pre5
  • cpe:2.3:a:mplayer:mplayer:1.0_pre5try1
  • cpe:2.3:a:mplayer:mplayer:1.0_pre5try2
  • cpe:2.3:a:mplayer:mplayer:head_cvs
  • cpe:2.3:a:xine:xine-lib:0.9.13
  • cpe:2.3:a:xine:xine-lib:0.9.8
  • cpe:2.3:a:xine:xine-lib:0.99
  • cpe:2.3:a:xine:xine-lib:1_alpha
  • cpe:2.3:a:xine:xine-lib:1_beta1
  • cpe:2.3:a:xine:xine-lib:1_beta10
  • cpe:2.3:a:xine:xine-lib:1_beta11
  • cpe:2.3:a:xine:xine-lib:1_beta12
  • cpe:2.3:a:xine:xine-lib:1_beta2
  • cpe:2.3:a:xine:xine-lib:1_beta3
  • cpe:2.3:a:xine:xine-lib:1_beta4
  • cpe:2.3:a:xine:xine-lib:1_beta5
  • cpe:2.3:a:xine:xine-lib:1_beta6
  • cpe:2.3:a:xine:xine-lib:1_beta7
  • cpe:2.3:a:xine:xine-lib:1_beta8
  • cpe:2.3:a:xine:xine-lib:1_beta9
  • cpe:2.3:a:xine:xine-lib:1_rc0
  • cpe:2.3:a:xine:xine-lib:1_rc1
  • cpe:2.3:a:xine:xine-lib:1_rc2
  • cpe:2.3:a:xine:xine-lib:1_rc3
  • cpe:2.3:a:xine:xine-lib:1_rc3a
  • cpe:2.3:a:xine:xine-lib:1_rc3b
  • cpe:2.3:a:xine:xine-lib:1_rc3c
  • cpe:2.3:a:xine:xine-lib:1_rc4
  • cpe:2.3:a:xine:xine-lib:1_rc5
  • cpe:2.3:a:xine:xine-lib:1_rc6
  • cpe:2.3:a:xine:xine-lib:1_rc6a
  • cpe:2.3:a:xine:xine-lib:1_rc7
  • cpe:2.3:a:xine:xine:0.9.13
  • cpe:2.3:a:xine:xine:0.9.18
  • cpe:2.3:a:xine:xine:0.9.8
  • cpe:2.3:a:xine:xine:1_alpha
  • cpe:2.3:a:xine:xine:1_beta1
  • cpe:2.3:a:xine:xine:1_beta10
  • cpe:2.3:a:xine:xine:1_beta11
  • cpe:2.3:a:xine:xine:1_beta12
  • cpe:2.3:a:xine:xine:1_beta2
  • cpe:2.3:a:xine:xine:1_beta3
  • cpe:2.3:a:xine:xine:1_beta4
  • cpe:2.3:a:xine:xine:1_beta5
  • cpe:2.3:a:xine:xine:1_beta6
  • cpe:2.3:a:xine:xine:1_beta7
  • cpe:2.3:a:xine:xine:1_beta8
  • cpe:2.3:a:xine:xine:1_beta9
  • cpe:2.3:a:xine:xine:1_rc0
  • cpe:2.3:a:xine:xine:1_rc0a
  • cpe:2.3:a:xine:xine:1_rc1
  • cpe:2.3:a:xine:xine:1_rc2
  • cpe:2.3:a:xine:xine:1_rc3
  • cpe:2.3:a:xine:xine:1_rc3a
  • cpe:2.3:a:xine:xine:1_rc3b
  • cpe:2.3:a:xine:xine:1_rc4
  • cpe:2.3:a:xine:xine:1_rc5
  • cpe:2.3:a:xine:xine:1_rc6
  • cpe:2.3:a:xine:xine:1_rc6a
  • cpe:2.3:a:xine:xine:1_rc7
  • cpe:2.3:a:xine:xine:1_rc8
  • MandrakeSoft Mandrake Linux 10.0 (cpe:2.3:o:mandrakesoft:mandrake_linux:10.0)
  • cpe:2.3:o:mandrakesoft:mandrake_linux:10.0:-:amd64
  • MandrakeSoft Mandrake Linux 10.1 (cpe:2.3:o:mandrakesoft:mandrake_linux:10.1)
  • cpe:2.3:o:mandrakesoft:mandrake_linux:10.1:-:x86_64
CVSS
Base: 10.0 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access (Vector / Complexity / Authentication): NETWORK / LOW / NONE
Impact (Confidentiality / Integrity / Availability): COMPLETE / COMPLETE / COMPLETE
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200501-07.NASL
    description The remote host is affected by the vulnerability described in GLSA-200501-07 (xine-lib: Multiple overflows). Ariel Berkman discovered that xine-lib reads specific input data into an array without checking the input size in demux_aiff.c, making it vulnerable to a buffer overflow (CAN-2004-1300). iDefense discovered that the PNA_TAG handling code in pnm_get_chunk() does not check if the input size is larger than the buffer size (CAN-2004-1187). iDefense also discovered that in this same function, a negative value could be given to an unsigned variable that specifies the read length of input data (CAN-2004-1188). Impact: A remote attacker could craft a malicious movie or convince a targeted user to connect to a malicious PNM server, which could result in the execution of arbitrary code with the rights of the user running any xine-lib frontend. Workaround: There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 16398
    published 2005-02-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16398
    title GLSA-200501-07 : xine-lib: Multiple overflows
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_85D76F02538011D9A9E70001020EED82.NASL
    description iDEFENSE and the MPlayer Team have found multiple vulnerabilities in MPlayer : - Potential heap overflow in Real RTSP streaming code - Potential stack overflow in MMST streaming code - Multiple buffer overflows in BMP demuxer - Potential heap overflow in pnm streaming code - Potential buffer overflow in mp3lib These vulnerabilities could allow a remote attacker to execute arbitrary code as the user running MPlayer. The problem in the pnm streaming code also affects xine.
    last seen 2019-02-21
    modified 2018-11-21
    plugin id 19013
    published 2005-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19013
    title FreeBSD : mplayer -- multiple vulnerabilities (85d76f02-5380-11d9-a9e7-0001020eed82)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-011.NASL
    description iDefense discovered that the PNA_TAG handling code in pnm_get_chunk() does not check if the input size is larger than the buffer size (CVE-2004-1187). As well, they discovered that in this same function, a negative value could be given to an unsigned variable that specifies the read length of input data (CVE-2004-1188). Ariel Berkman discovered that xine-lib reads specific input data into an array without checking the input size making it vulnerable to a buffer overflow problem (CVE-2004-1300). The updated packages have been patched to prevent these problems.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 16220
    published 2005-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16220
    title Mandrake Linux Security Advisory : xine-lib (MDKSA-2005:011)
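The Gentoo and Mandrake descriptions above give the same two-part account of pnm_get_chunk(): the PNA_TAG path copies a length taken from the stream into a fixed heap buffer without comparing it to the buffer size (CVE-2004-1187), and a check that does exist can be bypassed because a negative value lands in the variable that sets the read length (CVE-2004-1188). The C program below is an added example and is not xine, MPlayer or iDefense code. It models both defects and the fix on a made-up chunk layout (4-byte tag, 4-byte big-endian length, payload); the tag constant EX_PNA_TAG, the 1024-byte CHUNK_BUF, the status codes and the in-memory stream_t are all assumptions of this example. The simulated stream refuses to hand out more bytes than the constructed input holds, so the unsafe variants return CHUNK_SHORT where, against a real socket that keeps delivering attacker data, they would already be writing past the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Made-up constants for this example; xine's real values are not reproduced. */
#define EX_PNA_TAG 0x504e4100u   /* "PNA\0" */
#define CHUNK_BUF  1024

enum {
    CHUNK_OK       =  0,   /* length accepted, payload copied */
    CHUNK_REJECTED =  1,   /* length check fired before any copy */
    CHUNK_BAD_TAG  =  2,   /* header did not carry EX_PNA_TAG */
    CHUNK_SHORT    = -1    /* length accepted but the constructed input ran out:
                              on a real socket this is the heap overwrite */
};

/* In-memory stand-in for the socket (constructed input, not a real stream). */
typedef struct { const uint8_t *p; size_t left; } stream_t;

static int stream_read(stream_t *s, void *dst, size_t n) {
    if (n > s->left) return CHUNK_SHORT;   /* a socket would keep delivering */
    memcpy(dst, s->p, n);
    s->p += n;
    s->left -= n;
    return CHUNK_OK;
}

static uint32_t be32(const uint8_t *b) {
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
}

/* Reads the 8-byte header: tag, then big-endian payload length. */
static int read_header(stream_t *s, uint32_t *len) {
    uint8_t hdr[8];
    if (stream_read(s, hdr, sizeof hdr) != CHUNK_OK) return CHUNK_SHORT;
    if (be32(hdr) != EX_PNA_TAG) return CHUNK_BAD_TAG;
    *len = be32(hdr + 4);
    return CHUNK_OK;
}

/* CVE-2004-1187 pattern: the wire length is never compared with the buffer
 * size, so a chunk longer than CHUNK_BUF writes past the end of buf. */
static int get_chunk_unchecked(stream_t *s, uint8_t *buf) {
    uint32_t len;
    int rc = read_header(s, &len);
    if (rc != CHUNK_OK) return rc;
    return stream_read(s, buf, len);
}

/* CVE-2004-1188 pattern: a size check exists, but the length is held in a
 * signed int. 0xFFFFFFFF becomes -1, passes "len > CHUNK_BUF", and is then
 * converted to SIZE_MAX for the read. */
static int get_chunk_signed_check(stream_t *s, uint8_t *buf) {
    uint32_t raw;
    int rc = read_header(s, &raw);
    if (rc != CHUNK_OK) return rc;
    int len = (int)raw;                       /* sign flip happens here */
    if (len > CHUNK_BUF) return CHUNK_REJECTED;
    return stream_read(s, buf, (size_t)len);
}

/* Hardened: keep the length unsigned and compare it with the real capacity
 * of the destination before anything is copied. */
static int get_chunk_checked(stream_t *s, uint8_t *buf, size_t bufsize) {
    uint32_t len;
    int rc = read_header(s, &len);
    if (rc != CHUNK_OK) return rc;
    if (len > bufsize) return CHUNK_REJECTED;
    return stream_read(s, buf, len);
}

enum { V_UNCHECKED, V_SIGNED_CHECK, V_CHECKED };

/* Runs one variant over a constructed chunk whose header claims wire_len
 * bytes but is followed by only payload_len real bytes (at most 256, so the
 * unsafe variants cannot overrun the 1024-byte buffer inside this harness). */
static int run_variant(int variant, uint32_t wire_len, size_t payload_len) {
    uint8_t input[8 + 256];
    if (payload_len > 256) return CHUNK_SHORT;
    input[0] = 0x50; input[1] = 0x4e; input[2] = 0x41; input[3] = 0x00;
    input[4] = (uint8_t)(wire_len >> 24); input[5] = (uint8_t)(wire_len >> 16);
    input[6] = (uint8_t)(wire_len >> 8);  input[7] = (uint8_t)wire_len;
    memset(input + 8, 'A', payload_len);

    stream_t s = { input, 8 + payload_len };
    uint8_t *buf = malloc(CHUNK_BUF);
    if (!buf) return CHUNK_SHORT;
    int rc;
    switch (variant) {
    case V_UNCHECKED:    rc = get_chunk_unchecked(&s, buf);          break;
    case V_SIGNED_CHECK: rc = get_chunk_signed_check(&s, buf);       break;
    default:             rc = get_chunk_checked(&s, buf, CHUNK_BUF); break;
    }
    free(buf);
    return rc;
}

int main(void) {
    static const char *names[] = { "unchecked (1187)", "signed check (1188)", "checked" };
    static const uint32_t lens[] = { 16, 2000, 0xFFFFFFFFu };
    for (int v = 0; v < 3; v++)
        for (int i = 0; i < 3; i++)
            printf("%-20s wire length %10u -> %d\n", names[v], lens[i],
                   run_variant(v, lens[i], lens[i] < 256 ? lens[i] : 64));
    return 0;
}
```

The table the program prints is the check to keep in mind when reviewing a patch for this class of bug: a plain oversized length (2000) is caught by the signed-check variant, so a fix that only adds `if (len > size)` looks complete, but the 0xFFFFFFFF case still slips through it and only the unsigned comparison rejects both.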
refmap via4
confirm
idefense 20041221 Multiple Vendor Xine version 0.99.2 PNM Handler PNA_TAG Heap Overflow Vulnerability
mandrake MDKSA-2005:011
xf xine-pnatag-bo(18640)
Last major update 10-09-2008 - 15:29
Published 10-01-2005 - 00:00
Last modified 10-07-2017 - 21:30