Did you know xine will download and execute scripts?

Saturday, 19 July 2014

Today I was poking around the source of Xine, the well-known media player. During the course of this poking I spotted that Xine has skin support - something I've been blissfully ignorant of for many years.

How do these skins work? You bring up the skin-browser, by default this is achieved by pressing "Ctrl-d". The browser will show you previews of the skins available, and allow you to install them.

How does Xine know what skins are available? It downloads the contents of:

NOTE: This is an insecure URL.

The downloaded file is a simple XML thing, containing references to both preview-images and download locations.

For example the theme "Sunset" has the following details:

  • Download link: http://xine.sourceforge.net/skins/Sunset.tar.gz
  • Preview link: http://xine.sourceforge.net/skins/Sunset.png

if you choose to install the skin the Sunset.tar.gz file is downloaded, via HTTP, extracted, and the shell-script doinst.sh is executed, if present.

So if you control DNS on your LAN you can execute arbitrary commands if you persuade a victim to download your "corporate xine theme".

Probably a low-risk attack, but still a surprise.



Comments On This Entry

[gravitar] Inigo

Submitted at 21:48:19 on 19 july 2014

To execute commands... as root.

And adding TLS sources to apt, does not fix issues like this one.

[gravitar] Cameron Norman

Submitted at 00:37:12 on 20 july 2014

Look at the instructions for Debian here:


Please help them...

[author] Steve Kemp

Submitted at 09:55:02 on 20 july 2014

Sadly that's not so unusual - just look at all the "cool" projects that can be installed via:

curl http://get.cool.project/ | sh
[gravitar] Martin

Submitted at 12:37:18 on 20 july 2014

That's why I totally obsessive to an almost pathological degree about using only software packaged in Debian. E.g. I never use Iceweasel plugins other than from Debian. I would be very much in favour of disabling plugin download in Iceweasel (if somebody wants alien plugins, they easily could use Firefox) and also disabling this stupid function in Debians version of xine. It is almost irresponsible to leave it in, IMHO.

[gravitar] Anobium

Submitted at 04:56:08 on 22 july 2014

No bug report?


Comments are closed on posts which are more than ten days old.

Recent Posts

Recent Tags