製品・ソフトウェアに関する情報

JVN脆弱性詳細

xine-lib の demuxers/demux_qt.c における整数オーバーフローの脆弱性

Title	xine-lib の demuxers/demux_qt.c における整数オーバーフローの脆弱性
Summary	xine-lib の demuxers/demux_qt.c の qt_error parse_trak_atom 関数には、整数オーバーフローの脆弱性が存在します。
Possible impacts	第三者により、STTS atom 内の過度に大きい count 値を伴う Quicktime ムービーファイルを介して、ヒープベースのバッファオーバーフローを誘発され、任意のコードを実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	April 8, 2009, midnight
Registration Date	Dec. 20, 2012, 7:10 p.m.
Last Update	Dec. 20, 2012, 7:10 p.m.

CVSS2.0 : 警告
Score	5
Vector	AV:N/AC:L/Au:N/C:N/I:N/A:P

Affected System

Xine

xine-lib 1.1.16.2 およびそれ以前

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2009-1274	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1274
National Vulnerability Database (NVD)
2	CVE-2009-1274	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1274

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-119	https://jvndb.jvn.jp/ja/cwe/CWE-119.html

ベンダー情報

No	Name	URL
Xine
1	[SECURITY] Fedora 10 Update: xine-lib-1.1.16.3-1.fc10	https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00215.html

Change Log

No	Changed Details	Date of change
0	[2012年12月20日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2009-1274

Summary	Integer overflow in the qt_error parse_trak_atom function in demuxers/demux_qt.c in xine-lib 1.1.16.2 and earlier allows remote attackers to execute arbitrary code via a Quicktime movie file with a large count value in an STTS atom, which triggers a heap-based buffer overflow.
Summary	Desbordamiento de entero en la función qt_error parse_trak_atom en demuxers/demux_qt.c en xine-lib v1.1.16.2 y anteriores permite a atacantes remotos ejecutar código de su elección a través de un fichero de vídeo Quicktime, con un valor largo de contador en un elemento STTS, lo que provoca un desbordamiento de búfer basado en montículo.
Publication Date	April 9, 2009, 3:30 a.m.
Registration Date	Jan. 29, 2021, 1:17 p.m.
Last Update	April 23, 2026, 9:35 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:xine:xine-lib:1.1.0:::::::*
cpe:2.3:a:xine:xine-lib:1.1.1:::::::*
cpe:2.3:a:xine:xine-lib:1.1.10:::::::*
cpe:2.3:a:xine:xine-lib:1.1.10.1:::::::*
cpe:2.3:a:xine:xine-lib:1.1.11:::::::*
cpe:2.3:a:xine:xine-lib:1.1.11.1:::::::*
cpe:2.3:a:xine:xine-lib:1.1.12:::::::*
cpe:2.3:a:xine:xine-lib:1.1.13:::::::*
cpe:2.3:a:xine:xine-lib:1.1.14:::::::*
cpe:2.3:a:xine:xine-lib:1.1.15:::::::*
cpe:2.3:a:xine:xine-lib:1.1.16.1:::::::*
cpe:2.3:a:xine:xine-lib:1.1.16.2:::::::*

Related information, measures and tools

No	URL	refsource
1	http://bugs.xine-project.org/show_bug.cgi?id=224	cve@mitre.org
2	http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00003.html	cve@mitre.org
3	http://osvdb.org/53288	cve@mitre.org
4	http://secunia.com/advisories/34593	cve@mitre.org
5	http://secunia.com/advisories/34712	cve@mitre.org
6	http://secunia.com/advisories/35416	cve@mitre.org
7	http://sourceforge.net/project/shownotes.php?group_id=9655&release_id=673233	cve@mitre.org
8	http://www.mandriva.com/security/advisories?name=MDVSA-2009:298	cve@mitre.org
9	http://www.mandriva.com/security/advisories?name=MDVSA-2009:299	cve@mitre.org
10	http://www.securityfocus.com/archive/1/502481/100/0/threaded	cve@mitre.org
11	http://www.securityfocus.com/bid/34384	cve@mitre.org
12	http://www.securitytracker.com/id?1021989	cve@mitre.org
13	http://www.trapkit.de/advisories/TKADV2009-005.txt	cve@mitre.org
14	http://www.vupen.com/english/advisories/2009/0937	cve@mitre.org
15	https://exchange.xforce.ibmcloud.com/vulnerabilities/49714	cve@mitre.org
16	https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00210.html	cve@mitre.org
17	https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00215.html	cve@mitre.org
18	http://bugs.xine-project.org/show_bug.cgi?id=224	af854a3a-2127-422b-91ae-364da2661108
19	http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00003.html	af854a3a-2127-422b-91ae-364da2661108
20	http://osvdb.org/53288	af854a3a-2127-422b-91ae-364da2661108
21	http://secunia.com/advisories/34593	af854a3a-2127-422b-91ae-364da2661108
22	http://secunia.com/advisories/34712	af854a3a-2127-422b-91ae-364da2661108
23	http://secunia.com/advisories/35416	af854a3a-2127-422b-91ae-364da2661108
24	http://sourceforge.net/project/shownotes.php?group_id=9655&release_id=673233	af854a3a-2127-422b-91ae-364da2661108
25	http://www.mandriva.com/security/advisories?name=MDVSA-2009:298	af854a3a-2127-422b-91ae-364da2661108
26	http://www.mandriva.com/security/advisories?name=MDVSA-2009:299	af854a3a-2127-422b-91ae-364da2661108
27	http://www.securityfocus.com/archive/1/502481/100/0/threaded	af854a3a-2127-422b-91ae-364da2661108
28	http://www.securityfocus.com/bid/34384	af854a3a-2127-422b-91ae-364da2661108
29	http://www.securitytracker.com/id?1021989	af854a3a-2127-422b-91ae-364da2661108
30	http://www.trapkit.de/advisories/TKADV2009-005.txt	af854a3a-2127-422b-91ae-364da2661108
31	http://www.vupen.com/english/advisories/2009/0937	af854a3a-2127-422b-91ae-364da2661108
32	https://exchange.xforce.ibmcloud.com/vulnerabilities/49714	af854a3a-2127-422b-91ae-364da2661108
33	https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00210.html	af854a3a-2127-422b-91ae-364da2661108
34	https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00215.html	af854a3a-2127-422b-91ae-364da2661108

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-119	バッファエラー	https://cwe.mitre.org/data/definitions/118.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:xine:xine-lib:1.1.0:::::::*
cpe:2.3:a:xine:xine-lib:1.1.1:::::::*
cpe:2.3:a:xine:xine-lib:1.1.10:::::::*
cpe:2.3:a:xine:xine-lib:1.1.10.1:::::::*
cpe:2.3:a:xine:xine-lib:1.1.11:::::::*
cpe:2.3:a:xine:xine-lib:1.1.11.1:::::::*
cpe:2.3:a:xine:xine-lib:1.1.12:::::::*
cpe:2.3:a:xine:xine-lib:1.1.13:::::::*
cpe:2.3:a:xine:xine-lib:1.1.14:::::::*
cpe:2.3:a:xine:xine-lib:1.1.15:::::::*
cpe:2.3:a:xine:xine-lib:1.1.16.1:::::::*
cpe:2.3:a:xine:xine-lib:1.1.16.2:::::::*