Hi, * Steven M. Christey <[EMAIL PROTECTED]> [2008-11-26 09:27]: > ====================================================== > Name: CVE-2008-5234 > Status: Candidate > URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5234 > Reference: BUGTRAQ:20080822 [oCERT-2008-008] multiple heap overflows in > xine-lib > Reference: > URL:http://www.securityfocus.com/archive/1/archive/1/495674/100/0/threaded > Reference: MISC:http://www.ocert.org/analysis/2008-008/analysis.txt > Reference: > CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=619869 > Reference: BID:30797 > Reference: URL:http://www.securityfocus.com/bid/30797 > Reference: FRSIRT:ADV-2008-2382 > Reference: URL:http://www.frsirt.com/english/advisories/2008/2382 > Reference: SECTRACK:1020703 > Reference: URL:http://securitytracker.com/id?1020703 > Reference: SECUNIA:31502 > Reference: URL:http://secunia.com/advisories/31502 > > Multiple heap-based buffer overflows in xine-lib 1.1.12, and other > versions before 1.1.15, allow remote attackers to execute arbitrary > code via vectors related to (1) a crafted metadata atom size processed > by the parse_moov_atom function in demux_qt.c and (2) frame reading in > the id3v23_interp_frame function in id3.c. NOTE: as of 20081122, it is > possible that vector 1 has not been fixed in 1.1.15. > [...] > ====================================================== > Name: CVE-2008-5246 > Status: Candidate > URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5246 > Reference: > CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=619869 > Reference: FRSIRT:ADV-2008-2382 > Reference: URL:http://www.frsirt.com/english/advisories/2008/2382 > Reference: SECTRACK:1020703 > Reference: URL:http://securitytracker.com/id?1020703 > > Multiple heap-based buffer overflows in xine-lib before 1.1.15 allow > remote attackers to execute arbitrary code via vectors that send ID3 > data to the (1) id3v22_interp_frame and (2) id3v24_interp_frame > functions in src/demuxers/id3.c. NOTE: the provenance of this > information is unknown; the details are obtained solely from third > party information.
Isn't the second part of CVE-2008-5234 the same like CVE-2008-5246? About CVE-2008-5246 and the provenance of this information, I can hereby confirm this. See http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=268c1c1639d7;style=gitweb the length is user supplied + 1 used to allocate a buffer which is used for a read call later -> typical heap overflow. Cheers Nico > -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
pgpGihdbG4yhs.pgp
Description: PGP signature
