Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2008-5242

Severity CVSS v4.0:
Pending analysis
Type:
CWE-119 Buffer Errors
Publication date:
26/11/2008
Last modified:
09/04/2025

Description

demux_qt.c in xine-lib 1.1.12, and other 1.1.15 and earlier versions, does not validate the count field before calling calloc for STSD_ATOM atom allocation, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted media file.

Impact

Vector 2.0
AV:N/AC:M/Au:N/C:P/I:P/A:P CVSS v2.0 Severity and Metrics:

Base Score: 6.80 MEDIUM
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Attack Vector (AV): Network
Attack Complexity (AC): Medium
Authentication (Au): None
Confidentiality (C): Physical
Integrity (I): Physical
Availability (A): Physical

Base Score 2.0
6.80
Severity 2.0
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:xine:xine-lib:*:*:*:*:*:*:*:* 1.1.15 (including)
cpe:2.3:a:xine:xine-lib:0.9.13:*:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1:rc0a:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1:rc1:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1:rc2:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1:rc3:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1:rc3a:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1:rc3b:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1:rc3c:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1:rc4:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1:rc4a:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1:rc5:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1:rc6a:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1:rc7:*:*:*:*:*:*
cpe:2.3:a:xine:xine-lib:1:rc8:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools