Message-Id: <E1LPlgy-00061v-NT@titan.mandriva.com>
Date: Wed, 21 Jan 2009 15:37:00 -0700
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2009:020 ] xine-lib


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:020
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : xine-lib
 Date    : January 21, 2009
 Affected: 2008.1, 2009.0
 _______________________________________________________________________

 Problem Description:

 A flaw in the handling of Ogg files allows remote attackers to cause
 a denial of service via crafted files (CVE-2008-3231).

 Flaws in the handling of MNG, Real and MOD files allow remote attackers
 to cause a denial of service via crafted files (CVE-2008-5233).

 A heap-based overflow allows remote attackers to execute arbitrary
 code via QuickTime media files containing crafted metadata
 (CVE-2008-5234).

 Heap-based overflows allow remote attackers to execute arbitrary code
 via crafted Matroska or Real media files (CVE-2008-5236).

 Flaws in the handling of MNG and QuickTime files allow remote
 attackers to cause a denial of service via crafted files
 (CVE-2008-5237).

 Multiple heap-based overflows in the input plugins (http, net, smb,
 dvd, dvb, rtsp, rtp, pvr, pnm, file, gnome_vfs, mms) allow attackers
 to execute arbitrary code, or at least cause a denial of service, via
 data delivered over those input channels (CVE-2008-5239).

 A heap-based overflow allows attackers to execute arbitrary code via
 crafted Matroska media files (MATROSKA_ID_TR_CODECPRIVATE track entry
 element). A further flaw in the handling of Real media files (CONT_TAG
 header) can lead to a denial of service (CVE-2008-5240).

 An integer underflow allows remote attackers to cause a denial of
 service via crafted QuickTime media files (CVE-2008-5241).

 A flaw in the handling of Real media files allows remote attackers
 to cause a denial of service by indexing an allocated buffer with a
 certain input value taken from a crafted file (CVE-2008-5243).

 A vulnerability of unknown impact, possibly a buffer overflow, exists
 in the V4L video input plugin, which preallocates video frames before
 determining the required length (CVE-2008-5245).

 A heap-based overflow in the handling of ID3 tags (audio file metadata,
 used mainly in MP3 files) allows remote attackers to execute arbitrary
 code via crafted media files (CVE-2008-5246).

 This update fixes all of these issues in xine-lib 1.1.11 of Mandriva
 Linux 2008.1. Of these, CVE-2008-5234, CVE-2008-5236, CVE-2008-5237,
 CVE-2008-5239, CVE-2008-5240 and CVE-2008-5243 also affect xine-lib
 1.1.15 of Mandriva Linux 2009.0 and are fixed there by this update.
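 The issues above are mostly one bug class: a length or index read from
 the media file is trusted when computing how much to allocate, copy or
 look up. The following is an added illustration, not xine-lib code and
 not a reconstruction of any of the CVEs above. It uses a constructed
 chunk layout (4-byte big-endian size that includes the 8-byte header,
 4-byte type, payload; an assumption, not the real QuickTime or Matroska
 format) to show the unchecked arithmetic beside the hardened parser:
 size values below 8 underflow to ~4 GiB (the CVE-2008-5241 pattern),
 sizes above the destination capacity overflow the heap buffer (the
 CVE-2008-5234/5236/5240/5246 pattern), and a file-supplied index is
 bounded before it selects a table entry (the CVE-2008-5243 pattern).

```c
/* Added example, not xine-lib code. Constructed chunk layout (assumption):
 *   [4 bytes big-endian total size, header included][4-byte type][payload]
 * Build: cc -std=c99 -Wall chunk.c
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN  8u    /* size field (4) + type field (4) */
#define META_MAX 64u   /* capacity of the metadata buffer */

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern: payload length derived from the file-controlled
 * size field with unsigned arithmetic. size < 8 wraps to 0xFFFFFFF8..
 * 0xFFFFFFFF (integer underflow), so the copy below reads far past the
 * input and crashes; a size between META_MAX+8 and avail+8 instead
 * writes past the 64-byte destination (heap overflow).
 * Shown for contrast only; never call with untrusted data. */
uint32_t payload_len_unchecked(uint32_t size) {
    return size - HDR_LEN;                 /* wraps when size < 8 */
}

int parse_chunk_unsafe(const unsigned char *buf, size_t avail,
                       unsigned char *meta) {
    uint32_t plen = payload_len_unchecked(be32(buf));
    (void)avail;                           /* never consulted: the bug */
    memcpy(meta, buf + HDR_LEN, plen);     /* no bound on plen at all */
    return (int)plen;
}

/* Hardened: every file-derived length is checked against the header
 * size, the bytes actually present, and the destination capacity before
 * anything is copied. Returns the payload length or -1 if malformed. */
int parse_chunk_safe(const unsigned char *buf, size_t avail,
                     unsigned char *meta, size_t meta_cap) {
    if (avail < HDR_LEN) return -1;        /* not even a full header */
    uint32_t size = be32(buf);
    if (size < HDR_LEN) return -1;         /* subtraction would underflow */
    if (size > avail) return -1;           /* declared size exceeds input */
    uint32_t plen = size - HDR_LEN;        /* now provably in [0, avail-8] */
    if (plen > meta_cap) return -1;        /* would overflow destination */
    memcpy(meta, buf + HDR_LEN, plen);
    return (int)plen;
}

/* File-supplied index into an allocated table: bounds-checked lookup. */
int lookup_safe(const uint32_t *table, size_t count, uint32_t idx,
                uint32_t *out) {
    if (idx >= count) return -1;           /* out-of-bounds index rejected */
    *out = table[idx];
    return 0;
}

int main(void) {
    unsigned char meta[META_MAX];
    /* Constructed inputs: a valid 12-byte chunk and a crafted size of 4. */
    const unsigned char good[] = {0,0,0,12, 'm','e','t','a', 'x','i','n','e'};
    const unsigned char bad[]  = {0,0,0,4,  'm','e','t','a'};
    printf("valid chunk : %d payload bytes\n",
           parse_chunk_safe(good, sizeof good, meta, META_MAX));
    printf("size=4 chunk: %d (rejected)\n",
           parse_chunk_safe(bad, sizeof bad, meta, META_MAX));
    printf("unchecked length for size=4: %u\n",
           (unsigned)payload_len_unchecked(4));
    return 0;
}
```

 The three rejections in parse_chunk_safe correspond to the three ways a
 crafted file can steer the copy: a size too small for its own header, a
 size larger than the data present, and a size larger than the buffer the
 payload lands in. The checks must happen before the subtraction and
 before the memcpy; checking plen after computing it from an underflowed
 size is too late.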
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3231
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5233
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5234
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5236
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5237
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5239
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5240
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5241
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5243
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5245
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5246
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.1:
 e20605c83b2194ac4efa7d9094e26c56  2008.1/i586/libxine1-1.1.11.1-4.3mdv2008.1.i586.rpm
 2796213cebb765a137ea4b480251d0fc  2008.1/i586/libxine-devel-1.1.11.1-4.3mdv2008.1.i586.rpm
 7dda1f87f8e1e5b3b4a3731ef584d29f  2008.1/i586/xine-aa-1.1.11.1-4.3mdv2008.1.i586.rpm
 f081327bdbef86684ca1a156016d0077  2008.1/i586/xine-caca-1.1.11.1-4.3mdv2008.1.i586.rpm
 d190077b5400b3953ba31e18d8cb7626  2008.1/i586/xine-dxr3-1.1.11.1-4.3mdv2008.1.i586.rpm
 c2ffab2f96ce10b2561644695736bd78  2008.1/i586/xine-esd-1.1.11.1-4.3mdv2008.1.i586.rpm
 98954f07029734d6153c420e47ab569e  2008.1/i586/xine-flac-1.1.11.1-4.3mdv2008.1.i586.rpm
 206af31937afa63ada749249274ef290  2008.1/i586/xine-gnomevfs-1.1.11.1-4.3mdv2008.1.i586.rpm
 95077f02a8db4b588bad2fe7618579a0  2008.1/i586/xine-image-1.1.11.1-4.3mdv2008.1.i586.rpm
 98385b3fde836bb431005e5ec2d15d16  2008.1/i586/xine-jack-1.1.11.1-4.3mdv2008.1.i586.rpm
 27c796dfb2864bf261751cb94188ef0a  2008.1/i586/xine-plugins-1.1.11.1-4.3mdv2008.1.i586.rpm
 d7662beac2f687631211cc5f21a5fd01  2008.1/i586/xine-pulse-1.1.11.1-4.3mdv2008.1.i586.rpm
 7b623605925e3c9420f1ab8ad0305746  2008.1/i586/xine-sdl-1.1.11.1-4.3mdv2008.1.i586.rpm
 0f26da9d1f12e487fbbbd32d747baf04  2008.1/i586/xine-smb-1.1.11.1-4.3mdv2008.1.i586.rpm
 7109113566ede12eb553eb747b1894cf  2008.1/i586/xine-wavpack-1.1.11.1-4.3mdv2008.1.i586.rpm 
 7752e252488c7a11f6413aebba0538cb  2008.1/SRPMS/xine-lib-1.1.11.1-4.3mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 15eea220c231423c89aa0d3eb46bb26a  2008.1/x86_64/lib64xine1-1.1.11.1-4.3mdv2008.1.x86_64.rpm
 db70d556a8e4190d4409a5c6b427014a  2008.1/x86_64/lib64xine-devel-1.1.11.1-4.3mdv2008.1.x86_64.rpm
 e943aab8d6eb09aff4b619622c9783d1  2008.1/x86_64/xine-aa-1.1.11.1-4.3mdv2008.1.x86_64.rpm
 327a3a028c63b20cab46baf8f5a7df92  2008.1/x86_64/xine-caca-1.1.11.1-4.3mdv2008.1.x86_64.rpm
 ff48b0d2489bd34325652c0c109f6314  2008.1/x86_64/xine-dxr3-1.1.11.1-4.3mdv2008.1.x86_64.rpm
 f842824c9a99809c74307a554057d8db  2008.1/x86_64/xine-esd-1.1.11.1-4.3mdv2008.1.x86_64.rpm
 0fc11ffd9685459408d805ef3f4fd2c3  2008.1/x86_64/xine-flac-1.1.11.1-4.3mdv2008.1.x86_64.rpm
 fb1e93406dbca711b6dc0b835ebf7be9  2008.1/x86_64/xine-gnomevfs-1.1.11.1-4.3mdv2008.1.x86_64.rpm
 874da5b0797d8f7c1512bfc2b2e76d70  2008.1/x86_64/xine-image-1.1.11.1-4.3mdv2008.1.x86_64.rpm
 5c6995998270809c69da455fa66453fd  2008.1/x86_64/xine-jack-1.1.11.1-4.3mdv2008.1.x86_64.rpm
 e65b816e24b3f4f567065746f743483e  2008.1/x86_64/xine-plugins-1.1.11.1-4.3mdv2008.1.x86_64.rpm
 45efd1b9e8951fb4d1c8a36aff223b00  2008.1/x86_64/xine-pulse-1.1.11.1-4.3mdv2008.1.x86_64.rpm
 dde467ef740dce9cc5d4d848e2033e99  2008.1/x86_64/xine-sdl-1.1.11.1-4.3mdv2008.1.x86_64.rpm
 60a7538c61a65939300e0b62799f6670  2008.1/x86_64/xine-smb-1.1.11.1-4.3mdv2008.1.x86_64.rpm
 8299bd25bf4210bf581d388c3851c8fd  2008.1/x86_64/xine-wavpack-1.1.11.1-4.3mdv2008.1.x86_64.rpm 
 7752e252488c7a11f6413aebba0538cb  2008.1/SRPMS/xine-lib-1.1.11.1-4.3mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 db86806b346a19af18f22f3e793bd266  2009.0/i586/libxine1-1.1.15-2.1mdv2009.0.i586.rpm
 32a824de7dee97737a54219faf4da864  2009.0/i586/libxine-devel-1.1.15-2.1mdv2009.0.i586.rpm
 febbff4f16305d786b76d797afbd76c3  2009.0/i586/xine-aa-1.1.15-2.1mdv2009.0.i586.rpm
 479b9612afa9f981677014875d626af4  2009.0/i586/xine-caca-1.1.15-2.1mdv2009.0.i586.rpm
 55a5e88f7d3ac02951ef755989312359  2009.0/i586/xine-dxr3-1.1.15-2.1mdv2009.0.i586.rpm
 42d4d32463d1470910561111d0351e57  2009.0/i586/xine-esd-1.1.15-2.1mdv2009.0.i586.rpm
 fe3d00919b4eeba7020c591ef95fb31c  2009.0/i586/xine-flac-1.1.15-2.1mdv2009.0.i586.rpm
 c27cfc577dcffb08a8fe9ba1543d4bd7  2009.0/i586/xine-gnomevfs-1.1.15-2.1mdv2009.0.i586.rpm
 e072ee51827f291907e63f23c2f4e8ee  2009.0/i586/xine-image-1.1.15-2.1mdv2009.0.i586.rpm
 228c3559ac7e406908202d53b3a5b3db  2009.0/i586/xine-jack-1.1.15-2.1mdv2009.0.i586.rpm
 138f5fc047b0afd005fecdc3a975d809  2009.0/i586/xine-plugins-1.1.15-2.1mdv2009.0.i586.rpm
 f76e99f5c99c636d470f69307fdcf4d3  2009.0/i586/xine-pulse-1.1.15-2.1mdv2009.0.i586.rpm
 43b4744691ca05b20e3316c990b8037c  2009.0/i586/xine-sdl-1.1.15-2.1mdv2009.0.i586.rpm
 1fff1967ca97e7bcdbb7d85e764c50b1  2009.0/i586/xine-smb-1.1.15-2.1mdv2009.0.i586.rpm
 f318867fd21acd90b9b0e7ff4e3967db  2009.0/i586/xine-wavpack-1.1.15-2.1mdv2009.0.i586.rpm 
 98ca1c95a5cc5aac8ccfd65e4e0bcb5d  2009.0/SRPMS/xine-lib-1.1.15-2.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 3c249d6b95e0147f2c57dad0a086a16b  2009.0/x86_64/lib64xine1-1.1.15-2.1mdv2009.0.x86_64.rpm
 9d963e6af6b09edabb3751b380657153  2009.0/x86_64/lib64xine-devel-1.1.15-2.1mdv2009.0.x86_64.rpm
 d7da52bf129d65fb7116c925b2c75ebe  2009.0/x86_64/xine-aa-1.1.15-2.1mdv2009.0.x86_64.rpm
 8435fc05bc2a84451065368f65c3632f  2009.0/x86_64/xine-caca-1.1.15-2.1mdv2009.0.x86_64.rpm
 944c05fc4d01e4873e3b0a6b8f395940  2009.0/x86_64/xine-dxr3-1.1.15-2.1mdv2009.0.x86_64.rpm
 d19a6444246b111ade7ec188fbb155cc  2009.0/x86_64/xine-esd-1.1.15-2.1mdv2009.0.x86_64.rpm
 472e69a5598ced5e7dd16bb14a715eb4  2009.0/x86_64/xine-flac-1.1.15-2.1mdv2009.0.x86_64.rpm
 718b6f614c319809c1697193182d84ec  2009.0/x86_64/xine-gnomevfs-1.1.15-2.1mdv2009.0.x86_64.rpm
 eca3159086e7b81a833c6dea02cd9cee  2009.0/x86_64/xine-image-1.1.15-2.1mdv2009.0.x86_64.rpm
 06d9cab15a7f41c8bde4033337b79a44  2009.0/x86_64/xine-jack-1.1.15-2.1mdv2009.0.x86_64.rpm
 d0f6810bdfb1fdcc5537e9162cbb50a6  2009.0/x86_64/xine-plugins-1.1.15-2.1mdv2009.0.x86_64.rpm
 280fe06e59d4636050107b629bbf4c81  2009.0/x86_64/xine-pulse-1.1.15-2.1mdv2009.0.x86_64.rpm
 967d8f5dbe03f147f22937131fc8efbf  2009.0/x86_64/xine-sdl-1.1.15-2.1mdv2009.0.x86_64.rpm
 1e8f29a385319105428a4e1d6304e900  2009.0/x86_64/xine-smb-1.1.15-2.1mdv2009.0.x86_64.rpm
 a51c34a193b95295b3e52259f265a7dd  2009.0/x86_64/xine-wavpack-1.1.15-2.1mdv2009.0.x86_64.rpm 
 98ca1c95a5cc5aac8ccfd65e4e0bcb5d  2009.0/SRPMS/xine-lib-1.1.15-2.1mdv2009.0.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJd3ctmqjQ0CJFipgRAtxTAJwOIspMORxTup7iPzOd+i+x4c1mSACgjFWG
Su9x7Bo18+Vfyv7hKDdv1hk=
=G0EZ
-----END PGP SIGNATURE-----
