Ubuntu
xine-lib package

[xine-lib] [CVE-2008-0486] possible buffer overflow in the FLAC audio demuxer

Bug #195700 reported by disabled.user
262
Affects Status Importance Assigned to Milestone
xine-lib (Ubuntu)
Fix Released
Undecided
Unassigned
Dapper
Fix Released
High
Jamie Strandboge
Feisty
Fix Released
High
Jamie Strandboge
Gutsy
Fix Released
High
Jamie Strandboge

Bug Description

References:
MDVSA-2008:046 (http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:046)
MDVSA-2008:046-1 (http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:046-1)

Quoting MDVSA-2008:046:
"An array index vulnerability found in the FLAC audio demuxer might
allow remote attackers to execute arbitrary code via a crafted FLAC
tag, which triggers a buffer overflow. Although originally an MPlayer
issue, it also affects xine-lib due to code similarity."

Quoting MDVSA-2008:046-1:
"[...] The previous update used a bad patch which made Amarok interface
very unresponsive while playing FLAC files. This new update fixes
the security issue with a better patch."

Related branches

lp:ubuntu/karmic/xine-lib

CVE References

Revision history for this message
disabled.user (disabled.user-deactivatedaccount) wrote :

See also Bug#210163.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xine-lib - 1.1.11.1-1ubuntu1

---------------
xine-lib (1.1.11.1-1ubuntu1) hardy; urgency=low

  * New upstream Version, merge from debian/unstable.
    - Freeze exception Granted in LP: #204557
    - Inclused Security fixes: LP: #195700
  * Remaining Changes:
     - add Replaces: libxine-main1 (<< 1.1.2+repacked1-0ubuntu1)
       in libxine1-bin to make dapper->hardy upgrades work (LP #203605)
     - Modify Maintainer value to match the DebianMaintainerField
       specification.

xine-lib (1.1.11.1-1) unstable; urgency=high

  * New upstream release.
    - CVE-2008-1482: integer overflows in FLV, Qt, Real, WC3Movie, Matroska
      and FILM demuxers, allowing remote attackers to trigger heap overflows
      and possibly execute arbitrary code. (Closes: #472639)

xine-lib (1.1.11-1) unstable; urgency=high

  * New upstream release.
    - CVE-2008-0073: Array index vulnerability which may allow remote
      attackers to execute arbitrary code via a crafted SDP parameter in an
      RTSP stream.
    - DVD reader code no longer uses UDF-provided file sizes as
      authoritative. (Closes: #463177)

  [Darren Salt]
  * Remove the versioning from the libmagick9-dev build-dep.
  * Disable the pulseaudio plugin (don't build, don't install) and remove
    the build-dep on libpulse-dev for now due to instability: xine-lib has
    been observed closing the stream due to audio problems.
    (Closes: #471676)

  [ Reinhard Tartler ]
  * add support for 'parallel' keyword in DEB_BUILD_OPTIONS

 -- Reinhard Tartler <email address hidden> Tue, 01 Apr 2008 09:33:39 +0200

Changed in xine-lib:
status: New → Fix Released
Jamie Strandboge (jdstrand)
Changed in xine-lib:
assignee: nobody → jdstrand
importance: Undecided → High
status: New → Confirmed
assignee: nobody → jdstrand
importance: Undecided → High
status: New → Confirmed
assignee: nobody → jdstrand
importance: Undecided → High
status: New → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

http://www.ubuntu.com/usn/usn-635-1

Changed in xine-lib:
status: Confirmed → Fix Released
status: Confirmed → Fix Released
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.