Message-ID: <20070312233512.GK31925@outflux.net>
Date: Mon, 12 Mar 2007 16:35:12 -0700
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-435-1] Xine vulnerability

=========================================================== 
Ubuntu Security Notice USN-435-1             March 12, 2007
xine-lib vulnerability
CVE-2007-1387
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  libxine1c2                               1.0.1-1ubuntu10.9

Ubuntu 6.06 LTS:
  libxine-main1                            1.1.1+ubuntu2-7.7

Ubuntu 6.10:
  libxine1                                 1.1.2+repacked1-0ubuntu3.4

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Moritz Jodeit discovered that the DirectShow loader of Xine did not 
correctly validate the size of an allocated buffer.  By tricking a user 
into opening a specially crafted media file, an attacker could execute 
arbitrary code with the user's privileges.


