Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

MDKSA-2004:105 - Updated xine-lib packages fix multiple vulnerabilities
From: Mandrake Linux Security Team <security () linux-mandrake com>
Date: 6 Oct 2004 19:40:48 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           xine-lib
 Advisory ID:            MDKSA-2004:105
 Date:                   October 6th, 2004

 Affected versions:      10.0
 ______________________________________________________________________

 Problem Description:

 A number of string overflows were discovered in the xine-lib program,
 some of which can be used for remote buffer overflow exploits that 
 lead to the execution of arbitrary code with the permissions of the
 user running a xine-lib-based media application.  xine-lib versions
 1-rc2 through, and including, 1-rc5 are vulnerable to these problems.
 
 As well, a heap overflow was found in the DVD subpicture decoder of
 xine-lib; this vulnerability is also remotely exploitable.  All
 versions of xine-lib prior to and including 0.5.2 through, and
 including, 1-rc5 are vulnerable to this problem.
 
 Patches from the xine-lib team have been backported and applied to
 the program to solve these problems.
 _______________________________________________________________________

 References:

  http://xinehq.de/index.php/security/XSA-2004-4
  http://xinehq.de/index.php/security/XSA-2004-5
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 10ce6885addcfa3a9ed0380805fcbce6  10.0/RPMS/libxine1-1-0.rc3.6.2.100mdk.i586.rpm
 2a1341dfa762f5208673ab20ec5d9092  10.0/RPMS/libxine1-devel-1-0.rc3.6.2.100mdk.i586.rpm
 a654845136034c4cdb30ed89a0ca81b7  10.0/RPMS/xine-aa-1-0.rc3.6.2.100mdk.i586.rpm
 e70b118d3bdd2a9a9dc48143601f78a4  10.0/RPMS/xine-arts-1-0.rc3.6.2.100mdk.i586.rpm
 1ff7a30cd60c470f4d89cebfaf33d5f8  10.0/RPMS/xine-dxr3-1-0.rc3.6.2.100mdk.i586.rpm
 2be55268cb20ff387313f662d19e5112  10.0/RPMS/xine-esd-1-0.rc3.6.2.100mdk.i586.rpm
 8ea540e75311662ee5db57a0fa38e51a  10.0/RPMS/xine-flac-1-0.rc3.6.2.100mdk.i586.rpm
 ba12f4c0368e6d81f6965c64e13796a0  10.0/RPMS/xine-gnomevfs-1-0.rc3.6.2.100mdk.i586.rpm
 253a8c8dac5200fe7afc3d5d502be1ed  10.0/RPMS/xine-plugins-1-0.rc3.6.2.100mdk.i586.rpm
 0f65783b02ceea2ee697af41a4406d76  10.0/SRPMS/xine-lib-1-0.rc3.6.2.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 12e4e1ef7a03cee73b025f106de3f05e  amd64/10.0/RPMS/lib64xine1-1-0.rc3.6.2.100mdk.amd64.rpm
 b04a4aa8e15009fe67e7cbd2b5d7304f  amd64/10.0/RPMS/lib64xine1-devel-1-0.rc3.6.2.100mdk.amd64.rpm
 dec9a4e10c6c1f3cda08a252bfa54963  amd64/10.0/RPMS/xine-aa-1-0.rc3.6.2.100mdk.amd64.rpm
 76890b85ba9cc2ddd84bc8f7f79e1482  amd64/10.0/RPMS/xine-arts-1-0.rc3.6.2.100mdk.amd64.rpm
 fbf465711eda60e57198666c0c693267  amd64/10.0/RPMS/xine-esd-1-0.rc3.6.2.100mdk.amd64.rpm
 e5921bb72c4a819a685d736301643c4d  amd64/10.0/RPMS/xine-flac-1-0.rc3.6.2.100mdk.amd64.rpm
 c79055804621f8ff95ad738a75bcc5d6  amd64/10.0/RPMS/xine-gnomevfs-1-0.rc3.6.2.100mdk.amd64.rpm
 72781a34d4b3f83d2e4a3e5226ed5942  amd64/10.0/RPMS/xine-plugins-1-0.rc3.6.2.100mdk.amd64.rpm
 0f65783b02ceea2ee697af41a4406d76  amd64/10.0/SRPMS/xine-lib-1-0.rc3.6.2.100mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesoft.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBZEpAmqjQ0CJFipgRAlxcAJwIKy+YgZjkGEM/FS6iG0WKnXmtGQCgs5vw
o1mdmtdIISSyK1vpnbFzBuo=
=sYnL
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • MDKSA-2004:105 - Updated xine-lib packages fix multiple vulnerabilities Mandrake Linux Security Team (Oct 06)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault