Vulnerability Name:

CVE-2008-1482

Assigned:2008-03-20
Published:2008-03-20
Updated:2017-08-07
Summary:Multiple integer overflows in xine-lib 1.1.11 and earlier allow remote attackers to trigger heap-based buffer overflows and possibly execute arbitrary code via (1) a crafted .FLV file, which triggers an overflow in demuxers/demux_flv.c; (2) a crafted .MOV file, which triggers an overflow in demuxers/demux_qt.c; (3) a crafted .RM file, which triggers an overflow in demuxers/demux_real.c; (4) a crafted .MVE file, which triggers an overflow in demuxers/demux_wc3movie.c; (5) a crafted .MKV file, which triggers an overflow in demuxers/ebml.c; or (6) a crafted .CAK file, which triggers an overflow in demuxers/demux_film.c.
CVSS v3 Severity:7.3 High (CCN CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.3 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.3 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-189
(ALLOWS_OTHER_ACCESS)
References:Source: MISC
Type: UNKNOWN
http://aluigi.altervista.org/adv/xinehof-adv.txt

Source: MISC
Type: UNKNOWN
http://aluigi.org/poc/xinehof.zip

Source: SUSE
Type: UNKNOWN
SUSE-SR:2008:008

Source: GENTOO
Type: UNKNOWN
GLSA-200808-01

Source: SREASON
Type: UNKNOWN
3769

Source: SLACKWARE
Type: UNKNOWN
SSA:2008-092-01

Source: DEBIAN
Type: UNKNOWN
DSA-1586

Source: MANDRIVA
Type: UNKNOWN
MDVSA-2008:178

Source: BUGTRAQ
Type: UNKNOWN
20080320 Multiple heap overflows in xine-lib 1.1.11

Source: BID
Type: UNKNOWN
28370

Source: UBUNTU
Type: UNKNOWN
USN-635-1

Source: VUPEN
Type: UNKNOWN
ADV-2008-0981

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=438663

Source: XF
Type: UNKNOWN
xinelib-multiple-bo(41350)

Source: FEDORA
Type: UNKNOWN
FEDORA-2008-2945

Source: FEDORA
Type: UNKNOWN
FEDORA-2008-2849

Vulnerable Configuration:Configuration 1:
  • cpe:/a:xine:xine-lib:1.1.11:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:xine:xine-lib:1.1.11:*:*:*:*:*:*:*
  • AND
  • cpe:/a:gentoo:linux_eix:0.3:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:6.06::lts:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2008.0:x86_64:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:7.04:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:7.10:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2008.0:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:8.04::lts:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20081482
    V
    CVE-2008-1482
    2018-08-15
    oval:org.mitre.oval:def:17590
    P
    USN-635-1 -- xine-lib vulnerabilities
    2014-06-30
    oval:org.mitre.oval:def:7965
    P
    DSA-1586 xine-lib -- multiple vulnerabilities
    2014-06-23
    oval:org.mitre.oval:def:18584
    P
    DSA-1586-1 xine-lib - multiple vulnerabilities
    2014-06-23
    oval:org.debian:def:1586
    V
    multiple vulnerabilities
    2008-05-22
    BACK
    xine xine-lib 1.1.11
    xine xine-lib 1.1.11
    gentoo linux eix 0.3
    canonical ubuntu 6.06
    mandrakesoft mandrake linux 2008.0 x86_64
    debian debian linux 4.0
    canonical ubuntu 7.04
    canonical ubuntu 7.10
    mandrakesoft mandrake linux 2008.0
    canonical ubuntu 8.04