source: http://www.securityfocus.com/bid/17769/info

The xine package is susceptible to a remote format-string vulnerability. This issue arises when the application handles specially crafted filenames.

An attacker can exploit this vulnerability by crafting a malicious filename that contains format specifiers and then coercing unsuspecting users to try to execute the affected application with the malicious filename as an argument.

A successful attack may crash the application or lead to arbitrary code execution.

Version 0.99.4 of xine is vulnerable to this issue; other versions may also be affected.

The following command is sufficient to demonstrate this issue:

    xine %p-%p.mp3

This will result in a file-not-found dialog being displayed. The dialog will report that the file that was not found has a name similar to '0x811ac8e-0xbe1fdabc.mp3'.

Author  : KaDaL-X
email   : king_purba@yahoo.co.uk
website : http://kandangjamur.net

Software tested
Version : 0.99.4
Vendor  : http://xine.sourceforge.net

Proof Of Concept :

Type something like this in your unix console :

    kandangjamur$xine %p-%p.mp3

Then two error alert boxes are caused by this command :

1. There is no input plugin available to handle
2. The specified file or mrl
   Please check it twice (0x811ac8e-0xbe1fdabc.mp3) <-- format string error

Vulnerable code :

In src/xitk/main.c

    /* (file name or mrl) */
    case XINE_MSG_FILE_NOT_FOUND:
      snprintf(buffer, sizeof(buffer), "%s", _("The specified file or mrl is not found. Please check it twice."));
      if(data->explanation)
        sprintf(buffer, "%s (%s)", buffer, (char *) data + data->parameters);
      break;

The vulnerable variable is (char *) data + data->parameters, but I did not analyze this code to make this problem clear (sorry).

Commenting out the sprintf() call can be used to fix this issue, but many format string issues may occur in main.c caused by (char *) data + data->parameters.
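One way to harden this message path, as an added example that is not code from xine or from the advisory author: the message is built in a single bounded write (avoiding the overlapping, unbounded sprintf() above), and the filename is only ever passed as data, never as a format. All function names are hypothetical, and dialog_printf is an assumed stand-in for the printf-style routine that displays the dialog, which the page does not show.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, hypothetical names: stand-in for a printf-style dialog sink. */
static int dialog_printf(char *out, size_t n, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Build "<message> (<mrl>)" in one bounded write; -1 if buf is too small. */
int build_not_found(char *buf, size_t n, const char *mrl) {
    int len = snprintf(buf, n, "%s (%s)",
        "The specified file or mrl is not found. Please check it twice.", mrl);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Preferred fix: the format is a constant, the message is only data. */
int show_error_safe(char *out, size_t n, const char *msg) {
    return dialog_printf(out, n, "%s", msg);
}

/* Fallback for a sink that only takes a format string: double each '%'. */
int escape_percent(char *dst, size_t n, const char *src) {
    size_t j = 0;
    if (n == 0) return -1;
    for (; *src; src++) {
        if (j + (*src == '%' ? 2 : 1) >= n) return -1;  /* dst too small */
        if (*src == '%') dst[j++] = '%';
        dst[j++] = *src;
    }
    dst[j] = '\0';
    return (int)j;
}

/* Legacy sink: escape first so no conversion reaches the formatter. */
int show_error_legacy(char *out, size_t n, const char *msg) {
    char esc[1024];
    return escape_percent(esc, sizeof esc, msg) < 0 ? -1 : dialog_printf(out, n, esc);
}

int main(void) {
    char msg[256], out[256];
    if (build_not_found(msg, sizeof msg, "%p-%p.mp3") < 0) return 1;  /* constructed name */
    if (show_error_legacy(out, sizeof out, msg) < 0) return 1;
    return strstr(out, "(%p-%p.mp3)") && puts(out) != EOF ? 0 : 1;
}
```

With either path the dialog text ends in "(%p-%p.mp3)" rather than leaked pointer values. Building with -Wformat -Wformat-security flags printf-family calls whose format is not a string literal.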