xine security policy
Like any complex application that may handle data from various, possibly untrusted, sources, a media player such as xine is a highly critical piece of software:
People may be tempted to create content that causes the player to do things that the user didn't want it to do. In the worst case, an attacker might be able to exploit a bug to gain control over the whole machine that is running such software.
While we are doing everything we can to avoid such bugs, there is still a chance that more or less severe security issues arise. We address those issues as soon as we become aware of them, usually by fixing the security-relevant bug.
All known security bugs are listed either in our xine Security Announcements, which were regularly sent to the xine-announce mailing list and are archived here, or in the CVE archive.
If you have a security bug report to make, please file a new bug in our bug tracker under the Security component, or, if you want to contact our developers first, please write to the xine development team.
xine security advisories
xine-lib
- CVE-2009-1274: integer overflow in the Quicktime demuxer
  - Fixed in: 1.1.16.3.
- CVE-2009-0698: integer overflow in the 4XM demuxer
  - Fixed in: 1.1.16.3.
- CVE-2008-5248: crashes with MP3 files with metadata consisting only of separators
  - Fixed in: 1.1.15.
- CVE-2008-5245: V4L video frame preallocation, unknown size
  - Fixed in: 1.1.15.
- CVE-2008-5243: buffer indexing using untrusted or unchecked values
  - Fixed in: 1.1.16.
- CVE-2008-5242: unchecked memory allocation using untrusted values
  - Fixed in: 1.1.16.
- CVE-2008-5241: integer underflow in Quicktime compressed atom handling
  - Fixed in: 1.1.16.
- CVE-2008-5240: unchecked memory allocation using untrusted values
  - Fixed in: 1.1.16.
- CVE-2008-5239: unchecked or incompletely-checked read function results
  - Fixed in: 1.1.16.
- CVE-2008-5237: multiple integer overflows
  - Fixed in: 1.1.16.
- CVE-2008-5236: multiple buffer overflows
  - Fixed in: 1.1.16.
- CVE-2008-5235: possible buffer overflows in Real demuxing
  - Fixed in: 1.1.15.
- CVE-2008-5234: heap overflow in Quicktime atom parsing & ID3 decoding
  - Fixed in: 1.1.16.
- CVE-2008-5233: check for memory allocation failures
  - Fixed in: 1.1.15.
- CVE-2008-3231: crashes with various corrupted media files
  - Fixed in: 1.1.15.
- CVE-2008-1878: stack overflow in the nsf demuxer
  - Fixed in: 1.1.13.
- CVE-2008-1686: unchecked array index, in the speex decoder, used to dereference a function pointer
  - Fixed in: 1.1.12; not affected: 1-beta12 and older.
- CVE-2008-1482: integer overflows, potential buffer overflows in various demuxers
  - Fixed in: 1.1.11.1.
- CVE-2008-1161: buffer overflow in the Matroska demuxer
  - Fixed in: 1.1.10.1; not affected: 1-rc3a and older.
- CVE-2008-1110: heap overflow in the ASF demuxer (part 2)
  - Fixed in: 1.1.10; not affected: 1.1.2 and older.
- CVE-2008-0486: array index bug, potential heap overflow in FLAC parsing
  - Fixed in: 1.1.10.1; not affected: 1.1.1 and older.
- CVE-2008-0238: heap overflow in RTSP streaming clients
  - Fixed in: 1.1.9.1.
- CVE-2008-0225: heap overflow in RTSP streaming clients
  - Fixed in: 1.1.9.1.
- CVE-2008-0073: array index bug in RTSP SDP parsing
  - Fixed in: 1.1.11.
- CVE-2007-1387: buffer overflow in DirectShow video decoding
  - Fixed in: 1.1.5.
- CVE-2007-1246: buffer overflow in DMO video decoding
  - Fixed in: 1.1.5.
- CVE-2006-6172: buffer overflow in the Real RTSP stream handler
  - Fixed in: 1.1.3.
- CVE-2006-2802: buffer overflow in the HTTP plugin
  - Fixed in: 1.1.2.
- CVE-2006-2200: stack overflow in MMS streaming clients
  - Fixed in: 1.1.3.
- CVE-2006-1664: buffer overflow in list item deletion code, affecting MPEG handling
  - Fixed in: 1.1.2.
- CVE-2005-4048: heap overflow in ffmpeg PNG decoder
  - Fixed in: 1.1.2; not affected: =0.x.
xine-ui
- CVE-2007-0254: format string vulnerability in playlist error reporting
  - Fixed in: 0.99.5.
- CVE-2006-1905: format string vulnerability in playlist file handling
  - Fixed in: 0.99.5.
- CVE-2004-0372: symlink vulnerability in xine-bugreport & xine-check
  - Fixed in: 0.99.1.
gxine
- CVE-2007-0406: local buffer overflow
  - Fixed in: 0.5.10.
- CVE-2005-1692: format string vulnerability in error reporting
  - Fixed in: 0.4.5.
- CVE-2004-1034: buffer overflow in the HTTP fetcher code
  - Fixed in: 0.4.0-rc1.