Application: Rhythmbox 0.11.5
OS: Linux - Ubuntu 8.04
Original Advisory: http://packetstormsecurity.org/0806-advisories/rhythmbox-dos.txt
The original author of this advisory is Juan Pablo Lopez Yacubian
Author of this advisory: WarGame - http://vx.netlux.org/wargamevx - wargame89@xxxxxxxx

Compiling Rhythmbox 0.11.5 with debug support (-g) and making it parse the DoS playlist file, you get this backtrace:

(gdb) run /home/wargame/prova.pls
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/wargame/test/bin/rhythmbox /home/wargame/prova.pls
[Thread debugging using libthread_db enabled]
[New Thread 0x7f01a0a907c0 (LWP 1757)]
[New Thread 0x41691950 (LWP 1760)]

(rhythmbox:1757): Rhythmbox-WARNING **: Unable to grab media player keys: Could not get owner of name 'org.gnome.SettingsDaemon': no such name
[New Thread 0x41e92950 (LWP 1761)]
[Thread 0x41e92950 (LWP 1761) exited]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f01a0a907c0 (LWP 1757)]
0x0000000000dc8820 in ?? ()
(gdb) backtrace
#0 0x0000000000dc8820 in ?? ()
#1 0x00007f019a5306f1 in g_hash_table_lookup () from /usr/lib/libglib-2.0.so.0
#2 0x0000000000436487 in playlist_load_ended_cb (parser=0xdc1a00, uri=0xda34d0 "", metadata=0xbe7b90, mgr=0x7fffa8acd250) at rb-playlist-manager.c:576
#3 0x00007f019b32dbcf in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#4 0x00007f019b3416bc in ?? () from /usr/lib/libgobject-2.0.so.0
#5 0x00007f019b3430d5 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#6 0x00007f019b343483 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#7 0x00007f019ef89611 in ?? () from /usr/lib/libtotem-plparser.so.10
#8 0x00007f019ef8970e in ?? () from /usr/lib/libtotem-plparser.so.10
#9 0x00007f019ef85b2c in ?? () from /usr/lib/libtotem-plparser.so.10
#10 0x00000000004365e0 in rb_playlist_manager_parse_file (mgr=0xbe7b90, uri=0xdc8c00 "file:///home/wargame/prova.pls", error=0x7fffa8acd818) at rb-playlist-manager.c:621
#11 0x0000000000426375 in rb_shell_load_uri (shell=0x7c81a0, uri=0xdc8c00 "file:///home/wargame/prova.pls", play=1, error=0x7fffa8acd818) at rb-shell.c:3326
#12 0x000000000041e4cf in local_load_uri (filename=0xdc8c00 "file:///home/wargame/prova.pls", shell=0x7c81a0) at main.c:414
#13 0x000000000041e32b in load_uri_args (args=0x6b2150, handler=0x41e476 <local_load_uri>, user_data=0x7c81a0) at main.c:371
#14 0x000000000041e474 in removable_media_scan_finished (shell=0x7c81a0, data=0x0) at main.c:406
#15 0x00007f019b32dbcf in g_closure_invoke () from /usr/lib/libgobject-2.0.so.0
#16 0x00007f019b3416bc in ?? () from /usr/lib/libgobject-2.0.so.0
#17 0x00007f019b3430d5 in g_signal_emit_valist () from /usr/lib/libgobject-2.0.so.0
#18 0x00007f019b343483 in g_signal_emit () from /usr/lib/libgobject-2.0.so.0
#19 0x0000000000421066 in _scan_idle (shell=0x7c81a0) at rb-shell.c:1296
#20 0x00007f019a53d262 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#21 0x00007f019a540516 in ?? () from /usr/lib/libglib-2.0.so.0
---Type <return> to continue, or q <return> to quit---
#22 0x00007f019a5407d7 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#23 0x00007f019d041f03 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#24 0x000000000041e1bf in main (argc=2, argv=0x7fffa8ace278) at main.c:327
(gdb)

Interesting info at rb-playlist-manager.c:576:

title = g_hash_table_lookup (metadata, TOTEM_PL_PARSER_FIELD_TITLE);

In my opinion the crash happens around this function call.

Have fun!
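As an added triage aid that is not part of the original advisory: the script below parses gdb backtrace text like the one above (a few of its frames are embedded as the sample input), reports when frame #0 carries no symbol at all, returns the innermost frame that has file:line debug info (here playlist_load_ended_cb at rb-playlist-manager.c:576, the line quoted above), and flags pointer values that arrive under different parameter names in different frames (here 0xbe7b90, which the backtrace shows as mgr in frame #10 and as metadata in frame #2). The function names are this example's own, not Rhythmbox's.

```python
import re
from collections import defaultdict

# Constructed sample: a few frames copied from the gdb backtrace quoted above.
BACKTRACE = """\
#0 0x0000000000dc8820 in ?? ()
#1 0x00007f019a5306f1 in g_hash_table_lookup () from /usr/lib/libglib-2.0.so.0
#2 0x0000000000436487 in playlist_load_ended_cb (parser=0xdc1a00, uri=0xda34d0 "", metadata=0xbe7b90, mgr=0x7fffa8acd250) at rb-playlist-manager.c:576
#10 0x00000000004365e0 in rb_playlist_manager_parse_file (mgr=0xbe7b90, uri=0xdc8c00 "file:///home/wargame/prova.pls", error=0x7fffa8acd818) at rb-playlist-manager.c:621
"""

# One gdb frame line: "#N 0xADDR in func (args) [at file:line | from lib]".
FRAME_RE = re.compile(
    r'^#(?P<num>\d+)\s+0x(?P<addr>[0-9a-f]+) in (?P<func>\S+) \((?P<args>.*)\)'
    r'(?: at (?P<file>[^\s:]+):(?P<line>\d+)| from (?P<lib>\S+))?\s*$')
ARG_RE = re.compile(r'(\w+)=(0x[0-9a-f]+)')  # name=pointer pairs in the arg list


def parse_frames(text):
    """gdb 'backtrace' text -> list of frame dicts, innermost frame first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue  # skips pager prompts and other non-frame output
        f = m.groupdict()
        f['num'] = int(f['num'])
        f['line'] = int(f['line']) if f['line'] else None
        f['ptr_args'] = dict(ARG_RE.findall(f['args']))
        frames.append(f)
    return frames


def faulted_outside_known_code(frames):
    """True when frame #0 has no symbol at all ('?? ()'): the faulting PC lies
    in no known function, which typically means a call through a bad pointer."""
    return bool(frames) and frames[0]['num'] == 0 and frames[0]['func'] == '??'


def first_source_frame(frames):
    """Innermost frame carrying file:line debug info; read that line first."""
    return next((f for f in frames if f['file']), None)


def shared_pointer_args(frames):
    """Pointer values that reach differently named parameters in different
    frames (e.g. 'mgr' in an outer frame, 'metadata' further in)."""
    seen = defaultdict(set)
    for f in frames:
        for name, val in f['ptr_args'].items():
            seen[val].add((f['num'], name))
    return {val: sorted(uses) for val, uses in seen.items()
            if len({name for _, name in uses}) > 1}
```

Feed it the full backtrace text from a gdb session to get the same three answers for any crash; the pager prompt line is ignored.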