Kaffeine, gxine: Remotely exploitable buffer overflow

2004-11-07T00:00:00
ID GLSA-200411-14
Type gentoo
Reporter Gentoo Foundation
Modified 2006-05-22T00:00:00

Background

Kaffeine and gxine are graphical front-ends for the xine-lib multimedia library.

Description

KF of Secure Network Operations has discovered an overflow that occurs during the Content-Type header processing of Kaffeine. The vulnerable code in Kaffeine is reused from gxine, making gxine vulnerable as well.
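The advisory does not show the vulnerable routine, so the following is an added illustration of the bug class in C, not code from Kaffeine, gxine or the advisory: the Content-Type value is copied into a fixed-size buffer only after its server-supplied length is checked against the buffer size. The function names, status codes and the choice to reject overlong values are assumptions.

```c
#include <ctype.h>
#include <string.h>

enum ct_status { CT_OK = 0, CT_MISSING = -1, CT_TOO_LONG = -2 };

/* ASCII case-insensitive match of `prefix` against the first n bytes of s. */
static int has_prefix_ci(const char *s, size_t n, const char *prefix)
{
    size_t i;
    for (i = 0; prefix[i] != '\0'; i++)
        if (i >= n || tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    return 1;
}

/* Hypothetical helper: copy the media type from the Content-Type line of a
 * NUL-terminated header block into out (out_size bytes), never past its end. */
enum ct_status get_content_type(const char *headers, char *out, size_t out_size)
{
    const char *line = headers;
    if (out_size == 0)
        return CT_TOO_LONG;
    out[0] = '\0';
    while (*line != '\0') {
        size_t line_len = strcspn(line, "\r\n");
        if (line_len == 0)
            break;                      /* blank line: end of headers, ignore the body */
        if (has_prefix_ci(line, line_len, "Content-Type:")) {
            const char *val = line + strlen("Content-Type:");
            const char *end = line + line_len;
            size_t val_len = 0;
            while (val < end && (*val == ' ' || *val == '\t'))
                val++;
            /* Media type ends at a parameter (';'), whitespace or end of line. */
            while (val + val_len < end && !strchr("; \t", val[val_len]))
                val_len++;
            /* The length is chosen by the server; the limit is ours. Reject, do not truncate. */
            if (val_len >= out_size)
                return CT_TOO_LONG;
            memcpy(out, val, val_len);
            out[val_len] = '\0';
            return CT_OK;
        }
        line += line_len;
        if (*line == '\r') line++;
        if (*line == '\n') line++;
    }
    return CT_MISSING;
}
```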

Impact

An attacker operating a malicious HTTP server could send a specially crafted Content-Type header and crash a user's instance of Kaffeine or gxine, potentially allowing the execution of arbitrary code.

Workaround

There is no known workaround at this time.

Resolution

All Kaffeine users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-video/kaffeine-0.4.3b-r1"

All gxine users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-video/gxine-0.3.3-r1"