lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <E1EmgeC-0004GY-QZ@mercury.mandriva.com>
Date: Wed, 14 Dec 2005 17:07:00 -0700
From: Mandriva Security Team <security@...driva.com>
To: bugtraq@...urityfocus.com
Subject: MDKSA-2005:228 - Updated xine-lib packages fix buffer overflow vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2005:228
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : xine-lib
 Date    : December 14, 2005
 Affected: 2006.0, Corporate 3.0
 _______________________________________________________________________
 
 Problem Description:
 
 Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, 
 which can be exploited by malicious people to cause a DoS (Denial 
 of Service) and potentially to compromise a user's system.
 
 The vulnerability is caused due to a boundary error in the 
 "avcodec_default_get_buffer()" function of "utils.c" in libavcodec. 
 This can be exploited to cause a heap-based buffer overflow when a 
 specially-crafted 1x1 ".png" file containing a palette is read.
 
 Xine-lib is built with a private copy of ffmpeg containing this 
 same code. (Corporate Server 2.1 is not vulnerable)
 
 The updated packages have been patched to prevent this problem.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4048
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2006.0:
 106bddc3b9cb60714c00c9ca0709f24f  2006.0/RPMS/libxine1-1.1.0-9.2.20060mdk.i586.rpm
 080965d48571a7c6a21f5509b9edc6bb  2006.0/RPMS/libxine1-devel-1.1.0-9.2.20060mdk.i586.rpm
 1b5cab0dea7da6a896f076f40057b04f  2006.0/RPMS/xine-aa-1.1.0-9.2.20060mdk.i586.rpm
 749413958bae867d0e401cf3fb7ad2d4  2006.0/RPMS/xine-arts-1.1.0-9.2.20060mdk.i586.rpm
 6dacf41d2ebea975675eeec3daaa5ed2  2006.0/RPMS/xine-dxr3-1.1.0-9.2.20060mdk.i586.rpm
 1c0a5a698ffd77dac839cdd70e3a568b  2006.0/RPMS/xine-esd-1.1.0-9.2.20060mdk.i586.rpm
 ce3a5ecb960a91faafd6376eb1d79bfb  2006.0/RPMS/xine-flac-1.1.0-9.2.20060mdk.i586.rpm
 cff6a28e36785bb64f5cde6911d03a49  2006.0/RPMS/xine-gnomevfs-1.1.0-9.2.20060mdk.i586.rpm
 8cffb6762d014113bdcb78f3b7c682f9  2006.0/RPMS/xine-image-1.1.0-9.2.20060mdk.i586.rpm
 22a248a5660f5098dcbd0731a92ba7e0  2006.0/RPMS/xine-plugins-1.1.0-9.2.20060mdk.i586.rpm
 4a3ce0b28a549de15f9668f0236bf50c  2006.0/RPMS/xine-polyp-1.1.0-9.2.20060mdk.i586.rpm
 f5f118f2bbfb1bdd4f9a940450050e53  2006.0/RPMS/xine-smb-1.1.0-9.2.20060mdk.i586.rpm
 424b1913ecb7aa0f96b19c71500f65a3  2006.0/SRPMS/xine-lib-1.1.0-9.2.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 913f831f85eb7cce65d79c46febb1973  x86_64/2006.0/RPMS/lib64xine1-1.1.0-9.2.20060mdk.x86_64.rpm
 cb5cbf9e7e5e3d47818ef3fc6702b04b  x86_64/2006.0/RPMS/lib64xine1-devel-1.1.0-9.2.20060mdk.x86_64.rpm
 1559fb1a68019ed74047b602f14c0cc9  x86_64/2006.0/RPMS/xine-aa-1.1.0-9.2.20060mdk.x86_64.rpm
 931aec226e6266e10963d68e12cc3546  x86_64/2006.0/RPMS/xine-arts-1.1.0-9.2.20060mdk.x86_64.rpm
 966f1ef51f097657718d45e7611c64d8  x86_64/2006.0/RPMS/xine-dxr3-1.1.0-9.2.20060mdk.x86_64.rpm
 62bce4ff948e301e81ff228925dc96af  x86_64/2006.0/RPMS/xine-esd-1.1.0-9.2.20060mdk.x86_64.rpm
 c9b162cfd51ab3877711245d14af4e1c  x86_64/2006.0/RPMS/xine-flac-1.1.0-9.2.20060mdk.x86_64.rpm
 ffacd2cef4e3c181b12f663b19e7bda7  x86_64/2006.0/RPMS/xine-gnomevfs-1.1.0-9.2.20060mdk.x86_64.rpm
 199ca828d6e3314b67330c32d45cc4a3  x86_64/2006.0/RPMS/xine-image-1.1.0-9.2.20060mdk.x86_64.rpm
 81cb882870abf57921c96a66edf5185e  x86_64/2006.0/RPMS/xine-plugins-1.1.0-9.2.20060mdk.x86_64.rpm
 74a37edf5d9b2cb28a2ce758904b113b  x86_64/2006.0/RPMS/xine-polyp-1.1.0-9.2.20060mdk.x86_64.rpm
 f930bcfa573f7c250f54c48564e943e1  x86_64/2006.0/RPMS/xine-smb-1.1.0-9.2.20060mdk.x86_64.rpm
 424b1913ecb7aa0f96b19c71500f65a3  x86_64/2006.0/SRPMS/xine-lib-1.1.0-9.2.20060mdk.src.rpm

 Corporate 3.0:
 eb66ad363e7225f165cdbd67f6e26065  corporate/3.0/RPMS/libxine1-1-0.rc3.6.7.C30mdk.i586.rpm
 6c89df1070e6b26f35d75a48cb7405ad  corporate/3.0/RPMS/libxine1-devel-1-0.rc3.6.7.C30mdk.i586.rpm
 6e583c278819c349670a5a305fff766c  corporate/3.0/RPMS/xine-aa-1-0.rc3.6.7.C30mdk.i586.rpm
 e77f19f13166e42fd3df09fd9b9eba15  corporate/3.0/RPMS/xine-arts-1-0.rc3.6.7.C30mdk.i586.rpm
 89d7298da642be02345cdf98d33daf00  corporate/3.0/RPMS/xine-dxr3-1-0.rc3.6.7.C30mdk.i586.rpm
 1947fd6e09255382a3c797b81ba41200  corporate/3.0/RPMS/xine-esd-1-0.rc3.6.7.C30mdk.i586.rpm
 c39de7583826f7987a96f392daaad4ea  corporate/3.0/RPMS/xine-flac-1-0.rc3.6.7.C30mdk.i586.rpm
 9eb882a4d1925a5e75de338294d5fee3  corporate/3.0/RPMS/xine-gnomevfs-1-0.rc3.6.7.C30mdk.i586.rpm
 be189966eee8bb042e3066c9d96f0b4f  corporate/3.0/RPMS/xine-plugins-1-0.rc3.6.7.C30mdk.i586.rpm
 cf0248a3252c55af1e15b01efae50298  corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.7.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 833c0e0f8468d4df40e300c0a72ac1cb  x86_64/corporate/3.0/RPMS/lib64xine1-1-0.rc3.6.7.C30mdk.x86_64.rpm
 7a802e66ab344aa9b151679d669b0620  x86_64/corporate/3.0/RPMS/lib64xine1-devel-1-0.rc3.6.7.C30mdk.x86_64.rpm
 18132113599b1330359a045d11410d5d  x86_64/corporate/3.0/RPMS/xine-arts-1-0.rc3.6.7.C30mdk.x86_64.rpm
 94beaa6edc2fd1be6badef18d818dc0c  x86_64/corporate/3.0/RPMS/xine-plugins-1-0.rc3.6.7.C30mdk.x86_64.rpm
 cf0248a3252c55af1e15b01efae50298  x86_64/corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.7.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDoIkfmqjQ0CJFipgRAsJPAJ90bC8k3OUmZ0/Ov+j4ART8b4W+9wCg6kdf
HQwPF/7Y6E3vpgrdYViCUEk=
=MIpp
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ