Sistemas Afectados

1. Descripción

   Mandriva liberó una actualización para xine-lib. Esta repara varias vulnerabilidades que posiblemente pueden explotarse por personas maliciosas para comprometer el sistema de un usuario.

   Se encontrarón dos buffer overflows en los manejadores de flujos MMS y RTSP en las librerias de Xine. Si un atacante puede engañar a un usuario a conectarse a una fuente de audio/video malicioso con una aplicación que utilice esta librería, podría tirar al cliente y posiblemente ejecutar código arbitrario con los privilegios del usuario que esta utilizando la aplicación.

   Ver:
   Vulnerabilidad de Buffer Overflow en Streams RSTP y MMS de xine-lib.

2. Impacto

   Acceso al sistema.

3. Solución

   Aplicar los paquetes actualizados.

   Mandrakelinux 10.1

   550971e0c9533747e55b9c0615113318  10.1/RPMS/libxine1-1-0.rc5.9.2.101mdk.i586.rpm
   94b15aaa55c4e1d0f64eaca7b92ea796  10.1/RPMS/libxine1-devel-1-0.rc5.9.2.101mdk.i586.rpm
   de1841e813240ced01c32d442a34b438  10.1/RPMS/xine-aa-1-0.rc5.9.2.101mdk.i586.rpm
   11e3fb3498c3e48b59ecf8b9c5b91763  10.1/RPMS/xine-arts-1-0.rc5.9.2.101mdk.i586.rpm
   511cc370bfb927bfd2a779b46f45eff1  10.1/RPMS/xine-dxr3-1-0.rc5.9.2.101mdk.i586.rpm
   399dbca3192848a831b016d485ec3712  10.1/RPMS/xine-esd-1-0.rc5.9.2.101mdk.i586.rpm
   5144e03cc71cae5a3000d2a16479656b  10.1/RPMS/xine-flac-1-0.rc5.9.2.101mdk.i586.rpm
   87b7393df91d513a4f26983709f055bc  10.1/RPMS/xine-gnomevfs-1-0.rc5.9.2.101mdk.i586.rpm
   b8c494c6287c4386885c39f1d313cbb2  10.1/RPMS/xine-plugins-1-0.rc5.9.2.101mdk.i586.rpm
   a42d3f1faaf62a6305560085bd4f28ff  10.1/SRPMS/xine-lib-1-0.rc5.9.2.101mdk.src.rpm
   

   Mandrakelinux 10.1/X86_64

   582cb1e8064eddeccc161c52cab94c81  x86_64/10.1/RPMS/lib64xine1-1-0.rc5.9.2.101mdk.x86_64.rpm
   cd0e88ba513858e3f42d744628489da3  x86_64/10.1/RPMS/lib64xine1-devel-1-0.rc5.9.2.101mdk.x86_64.rpm
   835f21902bb1178c4759a0a606331561  x86_64/10.1/RPMS/xine-aa-1-0.rc5.9.2.101mdk.x86_64.rpm
   e0d6de701af47189b3f77e36b02ed039  x86_64/10.1/RPMS/xine-arts-1-0.rc5.9.2.101mdk.x86_64.rpm
   52aa63a93484875ba4742ac5f79eefd8  x86_64/10.1/RPMS/xine-dxr3-1-0.rc5.9.2.101mdk.x86_64.rpm
   98d6c89b038fe484578485d04bc00e31  x86_64/10.1/RPMS/xine-esd-1-0.rc5.9.2.101mdk.x86_64.rpm
   4d732b3c0b110493b2525a7c8e5c3248  x86_64/10.1/RPMS/xine-flac-1-0.rc5.9.2.101mdk.x86_64.rpm
   7701b26552a780e7d6ebecfcd3fea3f5  x86_64/10.1/RPMS/xine-gnomevfs-1-0.rc5.9.2.101mdk.x86_64.rpm
   ca981d9b388e4c8cf94510a8efb87acd  x86_64/10.1/RPMS/xine-plugins-1-0.rc5.9.2.101mdk.x86_64.rpm
   a42d3f1faaf62a6305560085bd4f28ff  x86_64/10.1/SRPMS/xine-lib-1-0.rc5.9.2.101mdk.src.rpm
   

   Corporate Server 3.0

   69f5d7c07314875c6a01418d5c2b69db  corporate/3.0/RPMS/libxine1-1-0.rc3.6.4.C30mdk.i586.rpm
   bca6392f86326b3fc1eabc56d937313b  corporate/3.0/RPMS/xine-arts-1-0.rc3.6.4.C30mdk.i586.rpm
   2915ce6db2655d7e352bd01568b211c7  corporate/3.0/RPMS/xine-plugins-1-0.rc3.6.4.C30mdk.i586.rpm
   7074a85157522b6dcb445cd2c8ce2776  corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.4.C30mdk.src.rpm
   

   Corporate Server 3.0/X86_64

   e5d09fd1ddfb8402f2421b0e0c497d7b  x86_64/corporate/3.0/RPMS/lib64xine1-1-0.rc3.6.4.C30mdk.x86_64.rpm
   96533a024652ac48d8889a112dd44d21  x86_64/corporate/3.0/RPMS/xine-arts-1-0.rc3.6.4.C30mdk.x86_64.rpm
   2b0e14bf23b4d796db5e891fd4deeb0c  x86_64/corporate/3.0/RPMS/xine-plugins-1-0.rc3.6.4.C30mdk.x86_64.rpm
   7074a85157522b6dcb445cd2c8ce2776  x86_64/corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.4.C30mdk.src.rpm
   

   Mandrivalinux LE2005

   430c8823bb13725c84054f53c225db85  10.2/RPMS/libxine1-1.0-8.1.102mdk.i586.rpm
   b1381fe50275119d25a28dac339f7272  10.2/RPMS/libxine1-devel-1.0-8.1.102mdk.i586.rpm
   5b58c4c78584519bf0b19fc9661aada7  10.2/RPMS/xine-aa-1.0-8.1.102mdk.i586.rpm
   de7f073c74dfd0fb3d628d3964631e4e  10.2/RPMS/xine-arts-1.0-8.1.102mdk.i586.rpm
   ff972b033b522c32e25193428677a2d2  10.2/RPMS/xine-dxr3-1.0-8.1.102mdk.i586.rpm
   17d12fb16e3f58beb0c69ade3034712d  10.2/RPMS/xine-esd-1.0-8.1.102mdk.i586.rpm
   0aaae60a3bc0037e3268f8b78cd2bb5e  10.2/RPMS/xine-flac-1.0-8.1.102mdk.i586.rpm
   90b8ad60771a03730e228ee44ae24578  10.2/RPMS/xine-gnomevfs-1.0-8.1.102mdk.i586.rpm
   740d9b80e2b79ded5700d9cdaec347a4  10.2/RPMS/xine-plugins-1.0-8.1.102mdk.i586.rpm
   18023362e073c89066f60cbd81426b09  10.2/RPMS/xine-polyp-1.0-8.1.102mdk.i586.rpm
   61ffb443bb979976ec77b82ffd4fe842  10.2/RPMS/xine-smb-1.0-8.1.102mdk.i586.rpm
   a5eea7f704a81f23517ae7a719bc0fe6  10.2/SRPMS/xine-lib-1.0-8.1.102mdk.src.rpm
   

   Mandrivalinux LE2005/X86_64

   3a53fc0bb164f341f9c48f10439bb914  x86_64/10.2/RPMS/lib64xine1-1.0-8.1.102mdk.x86_64.rpm
   f644048646b981c918231edba554c425  x86_64/10.2/RPMS/lib64xine1-devel-1.0-8.1.102mdk.x86_64.rpm
   9c015a898a61d8e62d667b595708c4c5  x86_64/10.2/RPMS/xine-aa-1.0-8.1.102mdk.x86_64.rpm
   327101ebfd1c13965040cb137a5adca5  x86_64/10.2/RPMS/xine-arts-1.0-8.1.102mdk.x86_64.rpm
   2256180be6b611f77b31b157db13dc0a  x86_64/10.2/RPMS/xine-dxr3-1.0-8.1.102mdk.x86_64.rpm
   9b51c2821a74b4033c5ef5e01459054d  x86_64/10.2/RPMS/xine-esd-1.0-8.1.102mdk.x86_64.rpm
   96be9cbb1ca7cab59be7cd6423a1d983  x86_64/10.2/RPMS/xine-flac-1.0-8.1.102mdk.x86_64.rpm
   a9fb22f91a888a3f11a1ae0072d27b39  x86_64/10.2/RPMS/xine-gnomevfs-1.0-8.1.102mdk.x86_64.rpm
   14211f1b9e951174b2b5e7f9fdac4cc8  x86_64/10.2/RPMS/xine-plugins-1.0-8.1.102mdk.x86_64.rpm
   ca4006966fca3ce833c726cbe8507644  x86_64/10.2/RPMS/xine-polyp-1.0-8.1.102mdk.x86_64.rpm
   69b8fea875be5d2c85e0dd20659c533c  x86_64/10.2/RPMS/xine-smb-1.0-8.1.102mdk.x86_64.rpm
   a5eea7f704a81f23517ae7a719bc0fe6  x86_64/10.2/SRPMS/xine-lib-1.0-8.1.102mdk.src.rpm
   

4. Apéndices

   Mayor información.

   http://www.mandriva.com/
   http://www.seguridad.unam.mx/vulnerabilidades/

La Coordinación de Seguridad de la Información/UNAM-CERT agradece el apoyo en la elaboración ó traducción y revisión de éste Documento a:

• Floriberto López Velázquez (flopez at seguridad dot unam dot mx)