Debian: New xine-lib packages fix several vulnerabilities

    Date22 May 2008
    CategoryDebian
    4875
    Posted ByLinuxSecurity Advisories
    Integer overflow vulnerabilities exist in xine's FLV, QuickTime, RealMedia, MVE and CAK demuxers, as well as the EBML parser used by the Matroska demuxer. These weaknesses allow an attacker to overflow heap buffers and potentially execute arbitrary code by supplying a maliciously crafted file of those types.
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1586-1                  This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                           Devin Carraway
    May 22, 2008                          http://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Package        : xine-lib
    Vulnerability  : multiple
    Problem type   : local (remote)
    Debian-specific: no
    CVE Id(s)      : CVE-2008-1482 CVE-2008-1686 CVE-2008-1878
    
    Multiple vulnerabilities have been discovered in xine-lib, a library
    which supplies most of the application functionality of the xine
    multimedia player.  The Common Vulnerabilities and Exposures project
    identifies the following three problems:
    
    CVE-2008-1482
    
        Integer overflow vulnerabilities exist in xine's FLV, QuickTime,
        RealMedia, MVE and CAK demuxers, as well as the EBML parser used
        by the Matroska demuxer.  These weaknesses allow an attacker to
        overflow heap buffers and potentially execute arbitrary code by
        supplying a maliciously crafted file of those types.
    
    CVE-2008-1686
    
        Insufficient input validation in the Speex implementation used
        by this version of xine enables an invalid array access and the
        execution of arbitrary code by supplying a maliciously crafted
        Speex file.
    
    CVE-2008-1878
    
        Inadequate bounds checking in the NES Sound Format (NSF) demuxer
        enables a stack buffer overflow and the execution of arbitrary
        code through a maliciously crafted NSF file.
    
    For the stable distribution (etch), these problems have been fixed in
    version 1.1.2+dfsg-7.
    
    For the unstable distribution (sid), these problems have been fixed in
    version 1.1.12-2.
    
    We recommend that you upgrade your xine-lib packages.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/x/xine-lib/xine-lib_1.1.2+dfsg.orig.tar.gz
        Size/MD5 checksum:  6716994 ae6525a76280a6e1979c3f4f89fd00f3
      http://security.debian.org/pool/updates/main/x/xine-lib/xine-lib_1.1.2+dfsg-7.diff.gz
        Size/MD5 checksum:    32397 9ef42da73934e6a981151549e97fd396
      http://security.debian.org/pool/updates/main/x/xine-lib/xine-lib_1.1.2+dfsg-7.dsc
        Size/MD5 checksum:     1585 b0949db5082a590b1afa4f477005f79f
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_alpha.deb
        Size/MD5 checksum:  3410964 35526481cc816fad2d5692b33f4a3577
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_alpha.deb
        Size/MD5 checksum:   118604 cfc8a8c900bd1182b3faddfeb09eba84
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_alpha.deb
        Size/MD5 checksum:  3665492 49adcd016edc53b96bbc028bc3e428ae
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_amd64.deb
        Size/MD5 checksum:   117506 f8305c6e72d9fd2a25cb7b144e0d696d
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_amd64.deb
        Size/MD5 checksum:  3050404 b94199ba7a4a578db7eb0eefa42b725c
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_amd64.deb
        Size/MD5 checksum:  3660324 635669edb747900be1b17a17dba1f564
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_arm.deb
        Size/MD5 checksum:   118774 052c7ceae25865180a966f6e9e4eb573
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_arm.deb
        Size/MD5 checksum:  2959500 bb1f326f6451a5681c592a56734b30da
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_arm.deb
        Size/MD5 checksum:  2668528 19d061e0cc24b1bf935607207bc8c638
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_hppa.deb
        Size/MD5 checksum:  3225530 ac2abcd37fe278b730a7a52db4690e2c
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_hppa.deb
        Size/MD5 checksum:   119646 5190a9fd4691a7523f1ae2734d81691f
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_hppa.deb
        Size/MD5 checksum:  2697042 ea3479f6dc14ed23f90fbb653ea714aa
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_i386.deb
        Size/MD5 checksum:   117466 6bd9177c7a51abe868c0c4f4dfb1b6d7
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_i386.deb
        Size/MD5 checksum:  3967634 5a85d97914a5bcb3033e8d3eaec4af4b
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_i386.deb
        Size/MD5 checksum:  3350218 88382dafa93891b720985435619e1bee
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_ia64.deb
        Size/MD5 checksum:  3765616 e38586e9ef6c7b1997679198cc263b9f
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_ia64.deb
        Size/MD5 checksum:  2685148 2bbd6abfaa59b6d5d238916e1fe588c1
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_ia64.deb
        Size/MD5 checksum:   117500 c6038901ade50caa3a84254f51b43081
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_mips.deb
        Size/MD5 checksum:  3036512 2e2b54ad4b4b45715528981791ce85c6
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_mips.deb
        Size/MD5 checksum:  2844538 03835764ba28aa277cf33b994ac2c515
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_mips.deb
        Size/MD5 checksum:   119386 292683637eeb0e0922516c27069b0a4a
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_mipsel.deb
        Size/MD5 checksum:  3017710 0fd6b63681e496817a5a741b942b3642
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_mipsel.deb
        Size/MD5 checksum:  2788988 e9bc0450d264dfc9f3522bc38f27fa61
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_mipsel.deb
        Size/MD5 checksum:   117528 656913c22767f942ea3ef2f8ad0edc80
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_powerpc.deb
        Size/MD5 checksum:  3719568 4bf9a41390aa91305a7de075d8d2c52a
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_powerpc.deb
        Size/MD5 checksum:  3209842 ee37b66a198c890770fcda734e30fab8
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_powerpc.deb
        Size/MD5 checksum:   117512 e952851e820d0634de013e598c61c432
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_s390.deb
        Size/MD5 checksum:  3173064 c1210b83707d76a4256c42393ef1e2d4
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_s390.deb
        Size/MD5 checksum:  2719306 125a96fd91fc8cf88c69280500230e0e
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_s390.deb
        Size/MD5 checksum:   117502 babe974673968538886456d4f5345cce
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_sparc.deb
        Size/MD5 checksum:  3025332 591637b97267686c199c074ce3e92aba
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_sparc.deb
        Size/MD5 checksum:   117520 f3b076031d34e283445c27fcb9031e63
      http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_sparc.deb
        Size/MD5 checksum:  3369250 d8e3d16b7c014187398029cf2e75f0da
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"25","type":"x","order":"1","pct":55.56,"resources":[]},{"id":"88","title":"Should be more technical","votes":"5","type":"x","order":"2","pct":11.11,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"15","type":"x","order":"3","pct":33.33,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.