Another vulnerability in xine-lib
The developers of xine scarcely have a moment's rest these days. Following their efforts in recent months to patch several security holes in the library, Secunia has discovered a new vulnerability that allows attackers to inject arbitrary code. According to the Secunia security advisory, the sdpplin_parse() function in the input/libreal/sdpplin.c file fails to check the length of the streamid SDP parameter in a Real Time Streaming Protocol (RTSP) stream, potentially resulting in a buffer overflow. This can enable attackers to overwrite memory arbitrarily with manipulated data streams and execute injected code or even a trojan.
There is currently no patch available to remedy the vulnerability. However, Secunia states that one should be available soon. Until Linux distributors release updated packages, applications that use xine-lib should not be used to open any RTSP data streams.
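The advisory describes a value taken from an untrusted SDP attribute and used without a range check. The following C example is added here for illustration and is not xine-lib's code or its patch; it shows the validation such a parser needs before indexing a stream table. The attribute spelling "a=StreamId:integer;", the table layout and all function names are assumptions.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STREAMS 8                      /* assumed capacity of the stream table */

struct stream_desc { int id; int seen; };  /* hypothetical per-stream record */

/* Parse a decimal index from untrusted text.
 * Succeeds (returns 0) only when 0 <= value < limit. */
static int parse_index(const char *s, size_t limit, size_t *out)
{
    char *end;
    unsigned long v;

    if (*s < '0' || *s > '9')              /* no sign, whitespace or empty field */
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE)                   /* value does not fit in unsigned long */
        return -1;
    if (*end != '\0' && *end != '\r' && *end != '\n')
        return -1;                         /* trailing garbage after the number */
    if (v >= limit)                        /* the range check the advisory says is missing */
        return -1;
    *out = (size_t)v;
    return 0;
}

/* Handle one SDP attribute line.
 * Returns 1 if a stream id was stored, 0 if the line is not a
 * stream id attribute, -1 if the line was rejected. */
int sdp_store_stream_id(struct stream_desc *table, size_t stream_count,
                        const char *line)
{
    static const char key[] = "a=StreamId:integer;";  /* assumed spelling */
    size_t idx;

    if (strncmp(line, key, sizeof key - 1) != 0)
        return 0;
    if (stream_count > MAX_STREAMS)        /* declared count must fit the table too */
        return -1;
    if (parse_index(line + sizeof key - 1, stream_count, &idx) != 0)
        return -1;
    table[idx].id = (int)idx;              /* idx is now proven to be in bounds */
    table[idx].seen = 1;
    return 1;
}
```

Both the index and the declared stream count come from the remote server, so each is checked against the fixed table size before any write.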
See also:
- xine-lib "sdpplin_parse()" Array Indexing Vulnerability, Secunia security advisory
(mba)