Package: xine-lib Severity: grave Tags: security patch Hi, the following CVE (Common Vulnerabilities & Exposures) id was published for xine-lib.
CVE-2008-5234[0]: | Multiple heap-based buffer overflows in xine-lib 1.1.12, and other | versions before 1.1.15, allow remote attackers to execute arbitrary | code via vectors related to (1) a crafted metadata atom size processed | by the parse_moov_atom function in demux_qt.c and (2) frame reading in | the id3v23_interp_frame function in id3.c. NOTE: as of 20081122, it is | possible that vector 1 has not been fixed in 1.1.15. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. Note that this issue is not fixed in the upstream development version, checks for string_size being 0 are still missing enabling possibilities to overflow thebuffer. The patch was sent to the wrong bug report, the patch is: http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=fix-for-ocert-2008-008-1a.diff;att=1;bug=507165 For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5234 http://security-tracker.debian.net/tracker/CVE-2008-5234 -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
pgpk7Mweg39tW.pgp
Description: PGP signature
