VYPR
Unrated severity · NVD Advisory · Published Dec 31, 2004 · Updated Apr 16, 2026

CVE-2004-1455

Description

Xine-lib rc5 and earlier has a stack buffer overflow via a crafted playlist with a long vcd:// URL, allowing remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stack-based buffer overflow exists in xine-lib versions 1_rc5-r2 and earlier, in the buffer used to manage the vcd:// input source identifier. The flaw is reached through the playlist parsing functionality: a crafted playlist containing an overly long vcd:// URL can overflow a stack buffer.

Exploitation

An attacker constructs a malicious playlist file (e.g., with an .asx extension but also potentially disguised as an MP3, AVI, or MPEG file using a valid header) that includes a vcd:// line with an excessively long path. The victim must open this playlist in a player built on xine-lib. No additional authentication or special network position is required; the attack can be conducted remotely if the attacker can deliver the playlist file (via email, web download, etc.) [1][2].

Impact

Successful exploitation allows arbitrary code execution with the privileges of the user running the player, leading to full compromise of the affected system: the attacker gains control, can execute shellcode, and can carry out further local or network-based actions [1][2].

Mitigation

The vulnerability is fixed in xine-lib version 1_rc5-r3 and later. Users should upgrade to at least that version. No known workaround exists for earlier versions [2].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Xine/Xine Lib: 18 versions
    • cpe:2.3:a:xine:xine-lib:1_beta1:*:*:*:*:*:*:*
    • cpe:2.3:a:xine:xine-lib:1_beta10:*:*:*:*:*:*:*
    • cpe:2.3:a:xine:xine-lib:1_beta11:*:*:*:*:*:*:*
    • cpe:2.3:a:xine:xine-lib:1_beta2:*:*:*:*:*:*:*
    • cpe:2.3:a:xine:xine-lib:1_beta3:*:*:*:*:*:*:*
    • cpe:2.3:a:xine:xine-lib:1_beta4:*:*:*:*:*:*:*
    • cpe:2.3:a:xine:xine-lib:1_beta5:*:*:*:*:*:*:*
    • cpe:2.3:a:xine:xine-lib:1_beta6:*:*:*:*:*:*:*
    • cpe:2.3:a:xine:xine-lib:1_beta7:*:*:*:*:*:*:*
    • cpe:2.3:a:xine:xine-lib:1_beta8:*:*:*:*:*:*:*
    • cpe:2.3:a:xine:xine-lib:1_beta9:*:*:*:*:*:*:*
    • cpe:2.3:a:xine:xine-lib:1_rc2:*:*:*:*:*:*:*
    • cpe:2.3:a:xine:xine-lib:1_rc3a:*:*:*:*:*:*:*
    • cpe:2.3:a:xine:xine-lib:1_rc3b:*:*:*:*:*:*:*
    • cpe:2.3:a:xine:xine-lib:1_rc3c:*:*:*:*:*:*:*
    • cpe:2.3:a:xine:xine-lib:1_rc4:*:*:*:*:*:*:*
    • cpe:2.3:a:xine:xine-lib:1_rc5:*:*:*:*:*:*:*
    • cpe:2.3:a:xine:xine-lib:1_rc5_r2:*:*:*:*:*:*:*

References

6