Message-ID: <20070312233512.GK31925@outflux.net>
Date: Mon, 12 Mar 2007 16:35:12 -0700
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-435-1] Xine vulnerability
===========================================================
Ubuntu Security Notice USN-435-1             March 12, 2007
xine-lib vulnerability
CVE-2007-1387
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  libxine1c2       1.0.1-1ubuntu10.9

Ubuntu 6.06 LTS:
  libxine-main1    1.1.1+ubuntu2-7.7

Ubuntu 6.10:
  libxine1         1.1.2+repacked1-0ubuntu3.4

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Moritz Jodeit discovered that the DirectShow loader of Xine did not
correctly validate the size of an allocated buffer. By tricking a user
into opening a specially crafted media file, an attacker could execute
arbitrary code with the user's privileges.

Updated packages for Ubuntu 5.10:
Updated packages for Ubuntu 6.06 LTS:
Updated packages for Ubuntu 6.10: