lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070309023934.GR6805@outflux.net>
Date: Thu, 8 Mar 2007 18:39:34 -0800
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-433-1] Xine vulnerability

=========================================================== 
Ubuntu Security Notice USN-433-1             March 09, 2007
xine-lib vulnerability
CVE-2007-1246
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  libxine1c2                               1.0.1-1ubuntu10.8

Ubuntu 6.06 LTS:
  libxine-main1                            1.1.1+ubuntu2-7.6

Ubuntu 6.10:
  libxine1                                 1.1.2+repacked1-0ubuntu3.3

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Moritz Jodeit discovered that the DMO loader of Xine did not correctly 
validate the size of an allocated buffer.  By tricking a user into 
opening a specially crafted media file, an attacker could execute 
arbitrary code with the user's privileges.


Updated packages for Ubuntu 5.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0.1-1ubuntu10.8.diff.gz
      Size/MD5:    12146 b32c486037c9bd487f47677d77057aad
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0.1-1ubuntu10.8.dsc
      Size/MD5:     1187 e4c778b992408ec8e46e5500921545af
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0.1.orig.tar.gz
      Size/MD5:  7774954 9be804b337c6c3a2e202c5a7237cb0f8

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0.1-1ubuntu10.8_amd64.deb
      Size/MD5:   109296 92a59b50d859f12affc42fee457ed93f
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1c2_1.0.1-1ubuntu10.8_amd64.deb
      Size/MD5:  3611908 9e6f2c0dad7b1050a71d1f29d3537ec1

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0.1-1ubuntu10.8_i386.deb
      Size/MD5:   109306 3224a1a8c0c259b90add235d58d10a7a
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1c2_1.0.1-1ubuntu10.8_i386.deb
      Size/MD5:  4005002 81fd17d5eabfa12a3dea0d9c8fd79d7f

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0.1-1ubuntu10.8_powerpc.deb
      Size/MD5:   109320 eb1a5685b7288b8cc9ef6ae09d422aec
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1c2_1.0.1-1ubuntu10.8_powerpc.deb
      Size/MD5:  3850506 7801ba1b96b888c38b4e72f8fb4ccee1

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0.1-1ubuntu10.8_sparc.deb
      Size/MD5:   109312 22805f01c94ced268bd12cf951447af4
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1c2_1.0.1-1ubuntu10.8_sparc.deb
      Size/MD5:  3695682 e0fbc0aa0791685943a5094ea6519b2d

Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.1+ubuntu2-7.6.diff.gz
      Size/MD5:    19845 149027147eff0f72e1d0af9faa0cd6cf
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.1+ubuntu2-7.6.dsc
      Size/MD5:     1113 6fdbc64e22ad7511a80cba1ea840b534
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.1+ubuntu2.orig.tar.gz
      Size/MD5:  6099365 5d0f3988e4d95f6af6f3caf2130ee992

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.1+ubuntu2-7.6_amd64.deb
      Size/MD5:   115856 6146578aeeecdf61742b90dca3a97155
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-main1_1.1.1+ubuntu2-7.6_amd64.deb
      Size/MD5:  2615268 a6cff8bccebfbe51d7b3a6916d9250b1

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.1+ubuntu2-7.6_i386.deb
      Size/MD5:   115852 6b404dc405aefcac89ec3eec339f25a0
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-main1_1.1.1+ubuntu2-7.6_i386.deb
      Size/MD5:  2934402 ea3a45814952437ac9f792cf1e7586b3

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.1+ubuntu2-7.6_powerpc.deb
      Size/MD5:   115860 1484daaeb0459a88c1760a1330397e52
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-main1_1.1.1+ubuntu2-7.6_powerpc.deb
      Size/MD5:  2724986 889c6b454382dd63cd89020c87faf547

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.1+ubuntu2-7.6_sparc.deb
      Size/MD5:   115860 b43491e3060c813b3530664cca2acd30
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-main1_1.1.1+ubuntu2-7.6_sparc.deb
      Size/MD5:  2591802 1e116a509bfd2b93588c48f665b78055

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.2+repacked1-0ubuntu3.3.diff.gz
      Size/MD5:    71537 8eb0120c16f4a7fa6a104906b453f51a
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.2+repacked1-0ubuntu3.3.dsc
      Size/MD5:     1445 0a0fb0af663abf737e59cb67099e45ef
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.2+repacked1.orig.tar.gz
      Size/MD5:  4583422 9c05a6397838e4e2e9c419e898e4b930

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/universe/x/xine-lib/libxine-main1_1.1.2+repacked1-0ubuntu3.3_all.deb
      Size/MD5:    39034 4df368ac302eb48b666e8324529fa056

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.2+repacked1-0ubuntu3.3_amd64.deb
      Size/MD5:   118968 17df05fc2764c33e4ba5615cf8962c2a
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-dbg_1.1.2+repacked1-0ubuntu3.3_amd64.deb
      Size/MD5:  3442878 b4a5d4fc2bcd737cf0b63d8d3a1ad4b1
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1.1.2+repacked1-0ubuntu3.3_amd64.deb
      Size/MD5:  2914566 91c324fe56add73266c33cbf38bc4536

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.2+repacked1-0ubuntu3.3_i386.deb
      Size/MD5:   118966 7c3bf270fba86dee9af4830cf36f41c8
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-dbg_1.1.2+repacked1-0ubuntu3.3_i386.deb
      Size/MD5:  3772104 b85545a9e2aa6b60165d4bd76c8057d3
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1.1.2+repacked1-0ubuntu3.3_i386.deb
      Size/MD5:  3222286 14d569c60f5ffcd329ff5d9069ede6d9

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.2+repacked1-0ubuntu3.3_powerpc.deb
      Size/MD5:   118974 a43b661831de4510c30f1c0b96bbfa66
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-dbg_1.1.2+repacked1-0ubuntu3.3_powerpc.deb
      Size/MD5:  3469556 e27b2c49a649493bc9a93919475af667
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1.1.2+repacked1-0ubuntu3.3_powerpc.deb
      Size/MD5:  3043210 a4cca521e0eff186d3c19a6c96eba3ce

  sparc architecture (Sun SPARC/UltraSPARC)

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.2+repacked1-0ubuntu3.3_sparc.deb
      Size/MD5:   118978 c993d877a95c8e0a48d610b4883cf9e2
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-dbg_1.1.2+repacked1-0ubuntu3.3_sparc.deb
      Size/MD5:  3136598 57d6199ddad2e55bb5d7c0673c7ed5a2
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1.1.2+repacked1-0ubuntu3.3_sparc.deb
      Size/MD5:  2857016 c79d6bac788a4c0fe262ada727b42c60


Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ