ID CVE-2004-1188
Summary The pnm_get_chunk function in xine 0.99.2 and earlier, and other packages such as MPlayer that use the same code, does not properly verify that the chunk size is less than the PREAMBLE_SIZE, which causes a read operation with a negative length that leads to a buffer overflow via (1) RMF_TAG, (2) DATA_TAG, (3) PROP_TAG, (4) MDPR_TAG, and (5) CONT_TAG values, a different vulnerability than CVE-2004-1187.
References
Vulnerable Configurations
  • cpe:2.3:a:mplayer:mplayer:0.90
  • cpe:2.3:a:mplayer:mplayer:0.90_pre
  • cpe:2.3:a:mplayer:mplayer:0.90_rc
  • cpe:2.3:a:mplayer:mplayer:0.90_rc4
  • cpe:2.3:a:mplayer:mplayer:0.91
  • cpe:2.3:a:mplayer:mplayer:0.92
  • cpe:2.3:a:mplayer:mplayer:0.92.1
  • cpe:2.3:a:mplayer:mplayer:0.92_cvs
  • cpe:2.3:a:mplayer:mplayer:1.0_pre1
  • cpe:2.3:a:mplayer:mplayer:1.0_pre2
  • cpe:2.3:a:mplayer:mplayer:1.0_pre3
  • cpe:2.3:a:mplayer:mplayer:1.0_pre3try2
  • cpe:2.3:a:mplayer:mplayer:1.0_pre4
  • cpe:2.3:a:mplayer:mplayer:1.0_pre5
  • cpe:2.3:a:mplayer:mplayer:1.0_pre5try1
  • cpe:2.3:a:mplayer:mplayer:1.0_pre5try2
  • cpe:2.3:a:mplayer:mplayer:head_cvs
  • cpe:2.3:a:xine:xine-lib:0.9.13
  • cpe:2.3:a:xine:xine-lib:0.9.8
  • cpe:2.3:a:xine:xine-lib:0.99
  • cpe:2.3:a:xine:xine-lib:1_alpha
  • cpe:2.3:a:xine:xine-lib:1_beta1
  • cpe:2.3:a:xine:xine-lib:1_beta10
  • cpe:2.3:a:xine:xine-lib:1_beta11
  • cpe:2.3:a:xine:xine-lib:1_beta12
  • cpe:2.3:a:xine:xine-lib:1_beta2
  • cpe:2.3:a:xine:xine-lib:1_beta3
  • cpe:2.3:a:xine:xine-lib:1_beta4
  • cpe:2.3:a:xine:xine-lib:1_beta5
  • cpe:2.3:a:xine:xine-lib:1_beta6
  • cpe:2.3:a:xine:xine-lib:1_beta7
  • cpe:2.3:a:xine:xine-lib:1_beta8
  • cpe:2.3:a:xine:xine-lib:1_beta9
  • cpe:2.3:a:xine:xine-lib:1_rc0
  • cpe:2.3:a:xine:xine-lib:1_rc1
  • cpe:2.3:a:xine:xine-lib:1_rc2
  • cpe:2.3:a:xine:xine-lib:1_rc3
  • cpe:2.3:a:xine:xine-lib:1_rc3a
  • cpe:2.3:a:xine:xine-lib:1_rc3b
  • cpe:2.3:a:xine:xine-lib:1_rc3c
  • cpe:2.3:a:xine:xine-lib:1_rc4
  • cpe:2.3:a:xine:xine-lib:1_rc5
  • cpe:2.3:a:xine:xine-lib:1_rc6
  • cpe:2.3:a:xine:xine-lib:1_rc6a
  • cpe:2.3:a:xine:xine-lib:1_rc7
  • cpe:2.3:a:xine:xine:0.9.13
  • cpe:2.3:a:xine:xine:0.9.18
  • cpe:2.3:a:xine:xine:0.9.8
  • cpe:2.3:a:xine:xine:1_alpha
  • cpe:2.3:a:xine:xine:1_beta1
  • cpe:2.3:a:xine:xine:1_beta10
  • cpe:2.3:a:xine:xine:1_beta11
  • cpe:2.3:a:xine:xine:1_beta12
  • cpe:2.3:a:xine:xine:1_beta2
  • cpe:2.3:a:xine:xine:1_beta3
  • cpe:2.3:a:xine:xine:1_beta4
  • cpe:2.3:a:xine:xine:1_beta5
  • cpe:2.3:a:xine:xine:1_beta6
  • cpe:2.3:a:xine:xine:1_beta7
  • cpe:2.3:a:xine:xine:1_beta8
  • cpe:2.3:a:xine:xine:1_beta9
  • cpe:2.3:a:xine:xine:1_rc0
  • cpe:2.3:a:xine:xine:1_rc0a
  • cpe:2.3:a:xine:xine:1_rc1
  • cpe:2.3:a:xine:xine:1_rc2
  • cpe:2.3:a:xine:xine:1_rc3
  • cpe:2.3:a:xine:xine:1_rc3a
  • cpe:2.3:a:xine:xine:1_rc3b
  • cpe:2.3:a:xine:xine:1_rc4
  • cpe:2.3:a:xine:xine:1_rc5
  • cpe:2.3:a:xine:xine:1_rc6
  • cpe:2.3:a:xine:xine:1_rc6a
  • cpe:2.3:a:xine:xine:1_rc7
  • cpe:2.3:a:xine:xine:1_rc8
  • MandrakeSoft Mandrake Linux 10.0 (cpe:2.3:o:mandrakesoft:mandrake_linux:10.0)
  • cpe:2.3:o:mandrakesoft:mandrake_linux:10.0:-:amd64
  • MandrakeSoft Mandrake Linux 10.1 (cpe:2.3:o:mandrakesoft:mandrake_linux:10.1)
  • cpe:2.3:o:mandrakesoft:mandrake_linux:10.1:-:x86_64
CVSS
Base: 10.0 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200501-07.NASL
    description The remote host is affected by the vulnerability described in GLSA-200501-07 (xine-lib: Multiple overflows). Ariel Berkman discovered that xine-lib reads specific input data into an array without checking the input size in demux_aiff.c, making it vulnerable to a buffer overflow (CAN-2004-1300). iDefense discovered that the PNA_TAG handling code in pnm_get_chunk() does not check if the input size is larger than the buffer size (CAN-2004-1187). iDefense also discovered that in this same function, a negative value could be given to an unsigned variable that specifies the read length of input data (CAN-2004-1188).
    Impact: A remote attacker could craft a malicious movie or convince a targeted user to connect to a malicious PNM server, which could result in the execution of arbitrary code with the rights of the user running any xine-lib frontend.
    Workaround: There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 16398
    published 2005-02-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16398
    title GLSA-200501-07 : xine-lib: Multiple overflows
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_85D76F02538011D9A9E70001020EED82.NASL
    description iDEFENSE and the MPlayer Team have found multiple vulnerabilities in MPlayer:
      - Potential heap overflow in Real RTSP streaming code
      - Potential stack overflow in MMST streaming code
      - Multiple buffer overflows in BMP demuxer
      - Potential heap overflow in pnm streaming code
      - Potential buffer overflow in mp3lib
    These vulnerabilities could allow a remote attacker to execute arbitrary code as the user running MPlayer. The problem in the pnm streaming code also affects xine.
    last seen 2019-02-21
    modified 2018-11-21
    plugin id 19013
    published 2005-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19013
    title FreeBSD : mplayer -- multiple vulnerabilities (85d76f02-5380-11d9-a9e7-0001020eed82)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-011.NASL
    description iDefense discovered that the PNA_TAG handling code in pnm_get_chunk() does not check if the input size is larger than the buffer size (CVE-2004-1187). As well, they discovered that in this same function, a negative value could be given to an unsigned variable that specifies the read length of input data (CVE-2004-1188). Ariel Berkman discovered that xine-lib reads specific input data into an array without checking the input size making it vulnerable to a buffer overflow problem (CVE-2004-1300). The updated packages have been patched to prevent these problems.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 16220
    published 2005-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16220
    title Mandrake Linux Security Advisory : xine-lib (MDKSA-2005:011)
refmap via4
confirm
idefense 20041221 Multiple Vendor Xine version 0.99.2 PNM Handler Negative Read Length Heap Overflow Vulnerability
mandrake MDKSA-2005:011
xf xine-pnmgetchunk-bo(18638)
Last major update 10-09-2008 - 15:29
Published 10-01-2005 - 00:00
Last modified 10-07-2017 - 21:30