CVE-2008-5236

2008-11-2601:30:00

CWE-119

[email protected]

web.nvd.nist.gov

cve-2008-5236

xine-lib

buffer overflow

remote code execution

security vulnerability

demux_matroska

demux_real

demux_realaudio

nvd

7.5 High

AI Score

Confidence

Low

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.106 Low

EPSS

Percentile

95.0%

JSON

Multiple heap-based buffer overflows in xine-lib 1.1.12, and other 1.1.15 and earlier versions, allow remote attackers to execute arbitrary code via vectors related to (1) a crafted EBML element length processed by the parse_block_group function in demux_matroska.c; (2) a certain combination of sps, w, and h values processed by the real_parse_audio_specific_data and demux_real_send_chunk functions in demux_real.c; and (3) an unspecified combination of three values processed by the open_ra_file function in demux_realaudio.c. NOTE: vector 2 reportedly exists because of an incomplete fix in 1.1.15.

CPENameOperatorVersion
xine:xinexineeq1
xine:xinexineeq1.1.10.1
xine:xinexineeq1.0.1
xine:xinexineeq1.1.0
xine:xinexineeq1.1.1
xine:xinexineeq1.0.3a
xine:xinexineeq1.1.3
xine:xinexineeq1.0.2
xine:xinexineeq1.0
xine:xinexineeq1.1.11.1

CPE	Name	Operator	Version
xine:xine	xine	eq	1
xine:xine	xine	eq	1.1.10.1
xine:xine	xine	eq	1.0.1
xine:xine	xine	eq	1.1.0
xine:xine	xine	eq	1.1.1
xine:xine	xine	eq	1.0.3a
xine:xine	xine	eq	1.1.3
xine:xine	xine	eq	1.0.2
xine:xine	xine	eq	1.0
xine:xine	xine	eq	1.1.11.1