Message-ID: <20070309023934.GR6805@outflux.net>
Date: Thu, 8 Mar 2007 18:39:34 -0800
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-433-1] Xine vulnerability
===========================================================
Ubuntu Security Notice USN-433-1 March 09, 2007
xine-lib vulnerability
CVE-2007-1246
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  libxine1c2                     1.0.1-1ubuntu10.8

Ubuntu 6.06 LTS:
  libxine-main1                  1.1.1+ubuntu2-7.6

Ubuntu 6.10:
  libxine1                       1.1.2+repacked1-0ubuntu3.3

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Moritz Jodeit discovered that the DMO loader of Xine did not correctly
validate the size of an allocated buffer. By tricking a user into
opening a specially crafted media file, an attacker could execute
arbitrary code with the user's privileges.