First XSPF-related security issue? -- was: Re: [oss-security] CVE id request: vlc


First XSPF-related security issue? -- was: Re: [oss-security] CVE id request: vlc

by rbu

Hey,

I ran by this security issue in VLC's XSPF parser today, and thought you
might be interested. See the attached email and its links for details.
It might be worthwhile to check other implementations for similar bugs,
but it seems to be a very specific issue in VLC.

Anyway: It's a good sign companies are reviewing existing XSPF parser
code, we could ask them to give libspiff a shot (or contact the oCert
[1] people, they also offer OSS security reviews).

Regards,
Robert

[1] https://www.ocert.org/


======================================================
Name: CVE-2008-4558
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4558
Reference: MISC:http://www.coresecurity.com/content/vlc-xspf-memory-corruption

Array index error in VLC media player 0.9.2 allows remote attackers to
overwrite arbitrary memory and execute arbitrary code via an XSPF
playlist file with a negative identifier tag, which passes a signed
comparison.




_______________________________________________
Playlist mailing list
Playlist@...
http://lists.musicbrainz.org/mailman/listinfo/playlist


Re: First XSPF-related security issue? -- was: Re: [oss-security] CVE id request: vlc

by Sebastian Pipping-4

What I find especially interesting here is that
<identifier> is specified to hold a URI.  A number
is just a very special case of a relative URI...

Also I really hope this

  <location>C:\My%20Music\playlist.xspf</location>

is not what VLC was/is producing.

Robert, thanks for letting us know.



Sebastian


Re: First XSPF-related security issue? -- was: Re: [oss-security] CVE id request: vlc

by Lucas Gonze-3

Though it's worth pointing out that there is an error in the
understanding of XSPF: "The identifier attribute is a numeric value that
indicates the position of the track in the tracklist. "  They're
thinking of the trackNum element, which indicates the position of a
recording from an album in the original album sequence.

So I wonder if there are two more bugs in VLC -- using identifier as
trackNum, and having the same vulnerability in the trackNum code.

Sebastian Pipping wrote:

> What I find especially interesting here is that
> <identifier> is specified to hold a URI.  A number
> is just a very special case of a relative URI...
>
> Also I really hope this
>
>   <location>C:\My%20Music\playlist.xspf</location>
>
> is not what VLC was/is producing.
>
> Robert, thanks for letting us know.
>
>
>
> Sebastian



Re: First XSPF-related security issue? -- was: Re: [oss-security] CVE id request: vlc

by Lucas Gonze-3

Sebastian Pipping wrote:
> Also I really hope this
>
>   <location>C:\My%20Music\playlist.xspf</location>
>
> is not what VLC was/is producing.

!$!@#$

Yes.


Re: First XSPF-related security issue? -- was: Re: [oss-security] CVE id request: vlc

by Sebastian Pipping-4

Lucas Gonze wrote:
> Though it's worth pointing out that there is an error in the
> understanding of XSPF: "The identifier attribute is a numeric value that
> indicates the position of the track in the tracklist. "  They're
> thinking of the trackNum element, which indicates the position of a
> recording from an album in the original album sequence.

I don't think they mixed it up with <trackNum> as they are referencing
the identifiers in a playlist extension:

   <playlist ...>
     ...
     <trackList>
       <track>
         <identifier>0</identifier>
         ...
       </track>
       <track>
         <identifier>1</identifier>
         ...
       </track>
       ...
     </trackList>
     <extension application="http://www.videolan.org/vlc/playlist/0">
       <item href="0" />
       <item href="1" />
       ...
     </extension>
   </playlist>

If I remember correctly this extension is VLC's way to put
several ("virtual") playlists into a single XSPF document.



Sebastian

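An added example (not code from VLC, the Core Security advisory or anyone in this thread) tying the CVE description earlier in the thread to the extension layout shown above: the signed upper-bound-only check the CVE text describes, next to a resolver for the `<item href="...">` to `<identifier>` mapping that parses the attribute strictly and bounds-checks it as an unsigned value. The track list (`kTracks`), the function names and the sample hrefs are constructed for this illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed sample track list standing in for the <trackList> of the
 * playlist above (not taken from VLC or from the original post). */
const char *const kTracks[] = { "file:///music/a.mp3", "file:///music/b.mp3" };
const size_t kTrackCount = sizeof kTracks / sizeof kTracks[0];

/* The flawed shape the CVE text describes: an index that is already a
 * signed int is compared only against the upper bound. -1 < ntracks is
 * true, so a negative identifier would reach the array. Written as a
 * predicate purely so the two checks can be contrasted. */
bool index_passes_signed_check(int id, int ntracks)
{
    return id < ntracks;
}

/* Hardened resolution of an <item href="..."> back to a track:
 * parse the attribute strictly (digits only, no sign, no whitespace,
 * no trailing text, no overflow), then bounds-check as an unsigned
 * value so negative and oversized indices cannot index the array.
 * Returns NULL on any failure. */
const char *resolve_item(const char *href, const char *const *tracks, size_t ntracks)
{
    if (href == NULL || !isdigit((unsigned char)href[0]))
        return NULL;                  /* rejects "", "-1", "+1", " 1" */
    errno = 0;
    char *end;
    unsigned long v = strtoul(href, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return NULL;                  /* overflow, or junk such as "1x" */
    if (v >= ntracks)
        return NULL;                  /* upper bound; lower bound is implied */
    return tracks[v];
}

int main(void)
{
    /* Constructed hrefs, including the negative case from the CVE text. */
    const char *hrefs[] = { "0", "1", "-1", "2", "1x" };
    for (size_t i = 0; i < sizeof hrefs / sizeof hrefs[0]; i++) {
        const char *t = resolve_item(hrefs[i], kTracks, kTrackCount);
        printf("href=\"%s\" -> %s\n", hrefs[i], t ? t : "rejected");
    }
    return 0;
}
```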

Re: First XSPF-related security issue? -- was: Re: [oss-security] CVE id request: vlc

by Lucas Gonze-3

So the href correlates with track identifier?  That's fascinating.

As a point of security, then, this is an issue with a proprietary
extension rather than with XSPF as a whole, and doesn't affect anyone
who doesn't use that extension.



Sebastian Pipping wrote:

> Lucas Gonze wrote:
>> Though it's worth pointing out that there is an error in the
>> understanding of XSPF: "The identifier attribute is a numeric value that
>> indicates the position of the track in the tracklist. "  They're
>> thinking of the trackNum element, which indicates the position of a
>> recording from an album in the original album sequence.
>
> I don't think they mixed it up with <trackNum> as they are referencing
> the identifiers in a playlist extension:
>
>    <playlist ...>
>      ...
>      <trackList>
>        <track>
>          <identifier>0</identifier>
>          ...
>        </track>
>        <track>
>          <identifier>1</identifier>
>          ...
>        </track>
>        ...
>      </trackList>
>      <extension application="http://www.videolan.org/vlc/playlist/0">
>        <item href="0" />
>        <item href="1" />
>        ...
>      </extension>
>    </playlist>
>
> If I remember correctly this extension is VLC's way to put
> several ("virtual") playlists into a single XSPF document.
>
>
>
> Sebastian



Re: First XSPF-related security issue? -- was: Re: [oss-security] CVE id request: vlc

by Saoshyant

On 10/15/08, Sebastian Pipping <webmaster@...> wrote:
> Also I really hope this
>
>   <location>C:\My%20Music\playlist.xspf</location>
>
> is not what VLC was/is producing.

Yes.  They still do not see this as a bug; it's a feature.  Yes, really.

On 10/15/08, Lucas Gonze <lucas@...> wrote:
> As a point of security, then, this is an issue with a proprietary
> extension rather than with XSPF as a whole, and doesn't affect anyone
> who doesn't use that extension.

And the world is once again safe thanks to the Amazing XSPF.

-Ivo


Re: First XSPF-related security issue? -- was: Re: [oss-security] CVE id request: vlc

by Lucas Gonze-3

Ivo Emanuel Gonçalves wrote:
> On 10/15/08, Sebastian Pipping <webmaster@...> wrote:
>> Also I really hope this
>>
>>   <location>C:\My%20Music\playlist.xspf</location>
>>
>> is not what VLC was/is producing.
>
> Yes.  They still do not see this as a bug; it's a feature.  Yes, really.

The OS X version of VLC doesn't do this, which makes me think of the way
that Windows developers often have tunnel vision.  When I got to Yahoo
and found that Yahoo's client software was doing the same thing it took
almost a year to get it fixed because Windows-only thinking was so
deeply ingrained.

Got a pointer to a bug report?  Maybe we can escalate the issue.





Re: First XSPF-related security issue? -- was: Re: [oss-security] CVE id request: vlc

by rbu

On Wednesday 15 October 2008, Lucas Gonze wrote:
> So the href correlates with track identifier?  That's fascinating.
>
> As a point of security, then, this is an issue with a proprietary
> extension rather than with XSPF as a whole, and doesn't affect anyone
> who doesn't use that extension.

It does not matter whether XSPF or one extension is where the issue
manifests, as the *format* is not to be blamed for this security issue,
but VLC's parser implementation. So XSPF is not any more or less secure
just because some code failed.
On a side note, a format rarely is to be blamed for security issues (the
only recent exception that comes to my mind is the XML entity explosion
attack, aka "billion laughs").


Robert



Re: First XSPF-related security issue? -- was: Re: [oss-security] CVE id request: vlc

by Sebastian Pipping-4

Ivo Emanuel Gonçalves wrote:
>> Also I really hope this
>>
>>   <location>C:\My%20Music\playlist.xspf</location>
>>
>> is not what VLC was/is producing.
>
> Yes.  They still do not see this as a bug; it's a feature.  Yes, really.

Are we talking about reading or writing here?  Both?



Sebastian




Re: First XSPF-related security issue? -- was: Re: [oss-security] CVE id request: vlc

by Saoshyant

On 10/15/08, Lucas Gonze <lucas@...> wrote:
> Got a pointer to a bug report?  Maybe we can escalate the issue.

I'm pretty sure I filed up a ticket but I searched through all my
email and can't find it.  Either I thought I did and ended up not
doing it (hey, it can happen to anyone) or I deleted the record.
Either way, can't provide a link.

On 10/15/08, Sebastian Pipping <webmaster@...> wrote:
> Are we talking about reading or writing here?  Both?

When I tested last year it was both, but supposedly it got fixed, so
I'll say it's only while writing.  I'll see if I can test the latest
VLC on one of the computers in the office; half of them run Windows.

-Ivo


Re: First XSPF-related security issue? -- was: Re: [oss-security] CVE id request: vlc

by Lucas Gonze

>>        <track>
>>          <identifier>0</identifier>
>>          ...
>>        </track>
>>      </trackList>
>>      <extension application="http://www.videolan.org/vlc/playlist/0">
>>        <item href="0" />
>>      </extension>

Seems like their use of "identifier" is really to do what the xml:id
attribute does already, and not what an XSPF identifier does.  So
here's what I'm wondering: given that xml:id is a freebie with XML and
doesn't need to be defined by XML-based data formats like XSPF, what
could VLC be using instead of their extension to refer to those IDs?

BTW, it is interesting to notice that their extension creates a format
with the same shape as iTunes library XML.  Seems to be one of those
patterns that crops up in nature on its own.


Re: First XSPF-related security issue? -- was: Re: [oss-security] CVE id request: vlc

by Sebastian Pipping-4

Ivo Emanuel Gonçalves wrote:
> When I tested last year it was both, but supposedly it got fixed, so
> I'll say it's only while writing.

I just checked.  VLC 0.9.4 gives me locations like this:

   <location>file://C%3A\foo\bar.mp3</location>

Sigh, valid URIs cannot be that hard...

Also the written file contains the absolute path to the
file itself in //playlist.location.  For a file on a website
this might be a good idea, but for local files it's much
more a privacy issue.  I've seen this with Inkscape before.

So I guess that's two bugs to open.



Sebastian


Re: First XSPF-related security issue? -- was: Re: [oss-security] CVE id request: vlc

by Lucas Gonze-3

Sebastian Pipping wrote:
> I just checked.  VLC 0.9.4 gives me locations like this:
>
>    <location>file://C%3A\foo\bar.mp3</location>
>
> Sigh, valid URIs cannot be that hard...

I just got this from 0.9.4 on XP:
<location>C:\Documents%20and%20Settings\Owner\My%20Documents\test.xspf</location>

The problem as always is convincing people who work on media players
that playlists are internet media types which ought to be shareable.
VLC's way of doing this works fine as long as only VLC is going to open
the playlists it creates.




Re: First XSPF-related security issue? -- was: Re: [oss-security] CVE id request: vlc

by Sebastian Pipping-4

Lucas Gonze wrote:

> Sebastian Pipping wrote:
>> I just checked.  VLC 0.9.4 gives me locations like this:
>>
>>    <location>file://C%3A\foo\bar.mp3</location>
>>
>> Sigh, valid URIs cannot be that hard...
>
>
> I just got this from 0.9.4 on XP:
> <location>C:\Documents%20and%20Settings\Owner\My%20Documents\test.xspf</location>

Right, the playlist location doesn't even start with "file://".
The track locations do.  So we have two levels of URI invalidity
in a single file. :-)



Sebastian


Re: First XSPF-related security issue? -- was: Re: [oss-security] CVE id request: vlc

by rbu

On Wednesday 15 October 2008, Lucas Gonze wrote:
> Though it's worth pointing out that there is an error in the
> understanding of XSPF: "The identifier attribute is a numeric value
> that indicates the position of the track in the tracklist. "  They're
> thinking of the trackNum element, which indicates the position of a
> recording from an album in the original album sequence.

This is VLC #1421 [ https://trac.videolan.org/vlc/ticket/1421 ]


Robert



Re: First XSPF-related security issue? -- was: Re: [oss-security] CVE id request: vlc

by rbu

On Thursday 16 October 2008, Sebastian Pipping wrote:
> Also the written file contains the absolute path to the
> file itself in //playlist.location.  For a file on a website
> this might be a good idea, but for local files it's much
> more a privacy issue.  I've seen this with Inkscape before.

This is VLC #1244 [ https://trac.videolan.org/vlc/ticket/1244 ], which
is closed.


Robert



Re: First XSPF-related security issue? -- was: Re: [oss-security] CVE id request: vlc

by Sebastian Pipping-4

Just opened...


[0.9.4] XSPF output hurts privacy
https://trac.videolan.org/vlc/ticket/2217

[0.9.4] XSPF output carries invalid URIs
https://trac.videolan.org/vlc/ticket/2218



Sebastian


Re: First XSPF-related security issue? -- was: Re: [oss-security] CVE id request: vlc

by Sebastian Pipping-4

Robert Buchholz wrote:
> This is VLC #1244 [ https://trac.videolan.org/vlc/ticket/1244 ], which
> is closed.

I think you're mixing up relative path support with a privacy
issue here.



Sebastian


Re: First XSPF-related security issue? -- was: Re: [oss-security] CVE id request: vlc

by Sebastian Pipping-4

Lucas Gonze wrote:
> Seems like their use of "identifier" is really to do what the xml:id
> attribute does already, and not what an XSPF identifier does.  So
> here's what I'm wondering: given that xml:id is a freebie with XML and
> doesn't need to be defined by XML-based data formats like XSPF, what
> could VLC be using instead of their extension to refer to those IDs?

In 0.9.4 it seems they move from using <identifier> to <vlc:id>
wrapped by an <extension> like this:

   <playlist ...>
       ...
       <trackList>
           <track>
               ...
               <extension ...>
                   <vlc:id>0</vlc:id>
               </extension>
           </track>
           <track>
               ...
               <extension ...>
                   <vlc:id>1</vlc:id>
               </extension>
           </track>
       </trackList>
       <extension ...>
           <vlc:node title="title of my playlist">
               <vlc:item tid="0" />
               <vlc:item tid="1" />
               ...
           </vlc:node>
       </extension>
   </playlist>

A minimal conversion using xml:id could result in something like

   <playlist ...>
       ...
       <trackList>
           <track xml:id="0">
               ...
           </track>
           <track xml:id="1">
               ...
           </track>
       </trackList>
       <extension ...>
           <vlc:node title="title of my playlist">
               <vlc:item tid="0" />
               <vlc:item tid="1" />
               ...
           </vlc:node>
       </extension>
   </playlist>

I'll have to fix libSpiff to support this but that should not keep
them from doing it right.



Sebastian
