lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <E1EPZlh-0005pY-K7@mercury.mandriva.com>
Date: Wed, 12 Oct 2005 00:07:13 -0600
From: Mandriva Security Team <security@...driva.com>
To: bugtraq@...urityfocus.com
Subject: MDKSA-2005:180 - Updated xine-lib packages fixes cddb vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           xine-lib
 Advisory ID:            MDKSA-2005:180
 Date:                   October 11th, 2005

 Affected versions:	 10.1, 10.2, 2006.0, Corporate 3.0
 ______________________________________________________________________

 Problem Description:

 When playing an Audio CD, a xine-lib based media application contacts
 a CDDB server to retrieve metadata like the title and artist's name. 
 During processing of this data, a response from the server, which is 
 located in memory on the stack, is passed to the fprintf() function 
 as a format string. An attacker can set up a malicious CDDB server 
 and trick the client into using this server instead of the pre-
 configured one. Alternatively, any user and therefore the attacker can
 modify entries in the official CDDB server. Using this format string
 vulnerability, attacker-chosen data can be written to an attacker-chosen
 memory location.  This allows the attacker to alter the control flow
 and to execute malicious code with the permissions of the user running
 the application.
 
 This problem was reported by Ulf Harnhammar from the Debian Security 
 Audit Project.
 
 The updated packages have been patched to correct this problem.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2967
  http://xinehq.de/index.php/security/XSA-2005-1
 ______________________________________________________________________

 Updated Packages:
  
 Mandrivalinux 10.1:
 3f07ca856ac1574af04fbe1b27ee965e  10.1/RPMS/libxine1-1-0.rc5.9.3.101mdk.i586.rpm
 023408c3ee89298c373a3a6927a3061e  10.1/RPMS/libxine1-devel-1-0.rc5.9.3.101mdk.i586.rpm
 f15dbebfea2af1a970b7d2efd9294553  10.1/RPMS/xine-aa-1-0.rc5.9.3.101mdk.i586.rpm
 964bf0c612fdd2ad9f4d3f0189db4c5d  10.1/RPMS/xine-arts-1-0.rc5.9.3.101mdk.i586.rpm
 942189b2e906e9318bb729841499714c  10.1/RPMS/xine-dxr3-1-0.rc5.9.3.101mdk.i586.rpm
 d87d3f48cf4378de0cd66a763df69a22  10.1/RPMS/xine-esd-1-0.rc5.9.3.101mdk.i586.rpm
 f015327c624aa069668a8faddc7989da  10.1/RPMS/xine-flac-1-0.rc5.9.3.101mdk.i586.rpm
 fe16081d5be8ae716f139e7cc7971738  10.1/RPMS/xine-gnomevfs-1-0.rc5.9.3.101mdk.i586.rpm
 b595c492e3d38c394a05bef235a8b50e  10.1/RPMS/xine-plugins-1-0.rc5.9.3.101mdk.i586.rpm
 ae824a8ad57afa4af74d14ac36aec48f  10.1/SRPMS/xine-lib-1-0.rc5.9.3.101mdk.src.rpm

 Mandrivalinux 10.1/X86_64:
 c56c742c25b4e7ef55363bc433ada6b6  x86_64/10.1/RPMS/lib64xine1-1-0.rc5.9.3.101mdk.x86_64.rpm
 8174e6c20c36883482a8c92ac7a32dd4  x86_64/10.1/RPMS/lib64xine1-devel-1-0.rc5.9.3.101mdk.x86_64.rpm
 3f07ca856ac1574af04fbe1b27ee965e  x86_64/10.1/RPMS/libxine1-1-0.rc5.9.3.101mdk.i586.rpm
 c4b594b75216ec745901c2bc910aa854  x86_64/10.1/RPMS/xine-aa-1-0.rc5.9.3.101mdk.x86_64.rpm
 0aa452c0c36a9a7eae6bc8276c585133  x86_64/10.1/RPMS/xine-arts-1-0.rc5.9.3.101mdk.x86_64.rpm
 bf3e6970c3b37d80eee58be3804aaef1  x86_64/10.1/RPMS/xine-dxr3-1-0.rc5.9.3.101mdk.x86_64.rpm
 419d4acc74bd3368f4ad7e841b71583f  x86_64/10.1/RPMS/xine-esd-1-0.rc5.9.3.101mdk.x86_64.rpm
 a934d38fc6bc894afcd51fc443c5387a  x86_64/10.1/RPMS/xine-flac-1-0.rc5.9.3.101mdk.x86_64.rpm
 c71f58dd79bbd7a67ade68f9f0c47537  x86_64/10.1/RPMS/xine-gnomevfs-1-0.rc5.9.3.101mdk.x86_64.rpm
 9d2dbdaf3887b90af8f6f275956fba25  x86_64/10.1/RPMS/xine-plugins-1-0.rc5.9.3.101mdk.x86_64.rpm
 ae824a8ad57afa4af74d14ac36aec48f  x86_64/10.1/SRPMS/xine-lib-1-0.rc5.9.3.101mdk.src.rpm

 Mandrivalinux 10.2:
 b59bd74be8211752b1f8b14eaaeb4caf  10.2/RPMS/libxine1-1.0-8.2.102mdk.i586.rpm
 7df88b45784d86b120232238e80c2ae9  10.2/RPMS/libxine1-devel-1.0-8.2.102mdk.i586.rpm
 22f9a1ef543d6e6b8b409e995c05f549  10.2/RPMS/xine-aa-1.0-8.2.102mdk.i586.rpm
 6b288c5aec71967bb93031d1d6781f18  10.2/RPMS/xine-arts-1.0-8.2.102mdk.i586.rpm
 e94fbd981fa69cdf4205f73620d65d58  10.2/RPMS/xine-dxr3-1.0-8.2.102mdk.i586.rpm
 4ac7f54e7442efeac8a8f27ea94cce31  10.2/RPMS/xine-esd-1.0-8.2.102mdk.i586.rpm
 93fb8780846b76c53743f74113c5d789  10.2/RPMS/xine-flac-1.0-8.2.102mdk.i586.rpm
 79cf02e9f22be6638927dec066926b5d  10.2/RPMS/xine-gnomevfs-1.0-8.2.102mdk.i586.rpm
 fb9103583e2eb19ad301d6a3042fad86  10.2/RPMS/xine-plugins-1.0-8.2.102mdk.i586.rpm
 bd90a1fe71bd91383caf9ea5d87e2abc  10.2/RPMS/xine-polyp-1.0-8.2.102mdk.i586.rpm
 4067888181bc7c025901b054ec7c8fd6  10.2/RPMS/xine-smb-1.0-8.2.102mdk.i586.rpm
 3d1f4d92c41f977edf895388f4784337  10.2/SRPMS/xine-lib-1.0-8.2.102mdk.src.rpm

 Mandrivalinux 10.2/X86_64:
 772e4a1a0aac6006474768a0601545a3  x86_64/10.2/RPMS/lib64xine1-1.0-8.2.102mdk.x86_64.rpm
 c72a8b14fbe656c62f8368fbc9449931  x86_64/10.2/RPMS/lib64xine1-devel-1.0-8.2.102mdk.x86_64.rpm
 f6123a88fc6b3c7edd68dccbc75efc8d  x86_64/10.2/RPMS/xine-aa-1.0-8.2.102mdk.x86_64.rpm
 9768022de3f23e61649671a76de6d4a3  x86_64/10.2/RPMS/xine-arts-1.0-8.2.102mdk.x86_64.rpm
 6636acc15686f32d827c367ae0e0af83  x86_64/10.2/RPMS/xine-dxr3-1.0-8.2.102mdk.x86_64.rpm
 bd80ab843edcb769edbe95bee307848e  x86_64/10.2/RPMS/xine-esd-1.0-8.2.102mdk.x86_64.rpm
 70c16130252aca43d5cac5d30d258dbc  x86_64/10.2/RPMS/xine-flac-1.0-8.2.102mdk.x86_64.rpm
 19546fbd231735cdb52488c78bb3138c  x86_64/10.2/RPMS/xine-gnomevfs-1.0-8.2.102mdk.x86_64.rpm
 e14f01a64d3080fc35ee3f7280ae9336  x86_64/10.2/RPMS/xine-plugins-1.0-8.2.102mdk.x86_64.rpm
 8281c290d3e926279706b049dd4247da  x86_64/10.2/RPMS/xine-polyp-1.0-8.2.102mdk.x86_64.rpm
 46f8be45f38977aa67731c5da830c43b  x86_64/10.2/RPMS/xine-smb-1.0-8.2.102mdk.x86_64.rpm
 3d1f4d92c41f977edf895388f4784337  x86_64/10.2/SRPMS/xine-lib-1.0-8.2.102mdk.src.rpm

 Mandrivalinux 2006.0:
 ad0dd01a46c84cb5ce8a28ce5710da28  2006.0/RPMS/libxine1-1.1.0-8.1.20060mdk.i586.rpm
 b63c878314d9d393a43082f1940fd063  2006.0/RPMS/libxine1-devel-1.1.0-8.1.20060mdk.i586.rpm
 77404b4ea4908b51843f26b4face7a21  2006.0/RPMS/xine-aa-1.1.0-8.1.20060mdk.i586.rpm
 efec9d133963c8c8d1d052ea8d1a811d  2006.0/RPMS/xine-arts-1.1.0-8.1.20060mdk.i586.rpm
 bb1f5e764c4cc933659ebe7ba2c61d88  2006.0/RPMS/xine-dxr3-1.1.0-8.1.20060mdk.i586.rpm
 b74cffa6e5683afb50ed015555b2afe8  2006.0/RPMS/xine-esd-1.1.0-8.1.20060mdk.i586.rpm
 f8c48d2fc87e8f562754ce36dcf7f74a  2006.0/RPMS/xine-flac-1.1.0-8.1.20060mdk.i586.rpm
 b8f365ce839aa783637edd4687f89a64  2006.0/RPMS/xine-gnomevfs-1.1.0-8.1.20060mdk.i586.rpm
 2fed4fcf4867293705de055f0b2095d3  2006.0/RPMS/xine-image-1.1.0-8.1.20060mdk.i586.rpm
 7ee9724ef73423691f4c2622824d50e3  2006.0/RPMS/xine-plugins-1.1.0-8.1.20060mdk.i586.rpm
 732ac66a4b4a8356c8afbfc6770ac6ac  2006.0/RPMS/xine-polyp-1.1.0-8.1.20060mdk.i586.rpm
 f4afb35e994c48af37529481df73df9c  2006.0/RPMS/xine-smb-1.1.0-8.1.20060mdk.i586.rpm
 f8551a36e839b1c284f157d042395477  2006.0/SRPMS/xine-lib-1.1.0-8.1.20060mdk.src.rpm

 Mandrivalinux 2006.0/X86_64:
 c9e6b7176514f797a6b4d444d630783e  x86_64/2006.0/RPMS/lib64xine1-1.1.0-8.1.20060mdk.x86_64.rpm
 9997e0b3a7712a94c98964d2a387d010  x86_64/2006.0/RPMS/lib64xine1-devel-1.1.0-8.1.20060mdk.x86_64.rpm
 8c32b4302fe882f057cc307ef546356e  x86_64/2006.0/RPMS/xine-aa-1.1.0-8.1.20060mdk.x86_64.rpm
 a18e2771a126b49d93d588d7ff57f22d  x86_64/2006.0/RPMS/xine-arts-1.1.0-8.1.20060mdk.x86_64.rpm
 188e16a6da35e64d77ef1007f770959e  x86_64/2006.0/RPMS/xine-dxr3-1.1.0-8.1.20060mdk.x86_64.rpm
 cd4045af591254a68d48dbceb5885bc5  x86_64/2006.0/RPMS/xine-esd-1.1.0-8.1.20060mdk.x86_64.rpm
 40c947de3d1df3e33a0f4c26f096b0c8  x86_64/2006.0/RPMS/xine-flac-1.1.0-8.1.20060mdk.x86_64.rpm
 cdd6293c4edc8751989f605eb4bb3f45  x86_64/2006.0/RPMS/xine-gnomevfs-1.1.0-8.1.20060mdk.x86_64.rpm
 249af817e4dac7f580ef1d9614ec66da  x86_64/2006.0/RPMS/xine-image-1.1.0-8.1.20060mdk.x86_64.rpm
 4161debdffeaf757be1d97a28e9d7c02  x86_64/2006.0/RPMS/xine-plugins-1.1.0-8.1.20060mdk.x86_64.rpm
 6c5c31192529ddca8794de618f4ce0f4  x86_64/2006.0/RPMS/xine-polyp-1.1.0-8.1.20060mdk.x86_64.rpm
 eb1a6c7e8297098dff9d2896f83f2f2f  x86_64/2006.0/RPMS/xine-smb-1.1.0-8.1.20060mdk.x86_64.rpm
 f8551a36e839b1c284f157d042395477  x86_64/2006.0/SRPMS/xine-lib-1.1.0-8.1.20060mdk.src.rpm

 Corporate 3.0:
 e93f0caab04c2752c07faaff0f97922f  corporate/3.0/RPMS/libxine1-1-0.rc3.6.5.C30mdk.i586.rpm
 b7cc7339b05df194eac9ef7a17878271  corporate/3.0/RPMS/xine-arts-1-0.rc3.6.5.C30mdk.i586.rpm
 0e2cfe89dd82835669dcff0780923982  corporate/3.0/RPMS/xine-plugins-1-0.rc3.6.5.C30mdk.i586.rpm
 8658f0c1e16ef59142cbe2c685043b26  corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.5.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 f43b406288771a962829e7b9686c2eba  x86_64/corporate/3.0/RPMS/lib64xine1-1-0.rc3.6.5.C30mdk.x86_64.rpm
 aa294b88759a08022052f0bdff44ad6a  x86_64/corporate/3.0/RPMS/xine-arts-1-0.rc3.6.5.C30mdk.x86_64.rpm
 27247dc4bb05cef5bfbe97631b12de2e  x86_64/corporate/3.0/RPMS/xine-plugins-1-0.rc3.6.5.C30mdk.x86_64.rpm
 8658f0c1e16ef59142cbe2c685043b26  x86_64/corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.5.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDTKgRmqjQ0CJFipgRAjRcAKDV7Nalb4u00rWeG25Tfm/0Plc0HQCfYKUA
2LWSLF4Xu7XaLivCNsmzOvA=
=8Q5N
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ