Your message dated Sat, 09 Feb 2008 00:32:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#464696: fixed in xine-lib 1.1.10.1-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libxine1
Version: 1.1.10-1
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libxine1.

CVE-2008-0486[0]:
| Array index vulnerability in libmpdemux/demux_audio.c in MPlayer
| 1.0rc2 and SVN before r25917, and possibly earlier versions, as used
| in Xine-lib 1.1.10, might allow remote attackers to execute arbitrary
| code via a crafted FLAC tag, which triggers a buffer overflow.

I attached a patch ported from the mplayer fix to xine-lib.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0486

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- demux_flac.c	2008-01-25 22:54:50.000000000 +0100
+++ demux_flac.c.new	2008-02-08 14:02:37.000000000 +0100
@@ -212,6 +212,8 @@
             ptr += 4;
 
             comment = (char*) ptr;
+            if(&comment[length] < comments || &comment[length] >= &comments[block_length])
+                return;
             c = comment[length];
             comment[length] = 0;
 
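Review bot: the added check forms the pointer `&comment[length]` before comparing it against `comments` and `&comments[block_length]`; when `length` is a large value read from the file that pointer lies outside the buffer, which is undefined behaviour in C, and on some targets the lower-bound comparison `&comment[length] < comments` will not catch a wrapped address. Compare offsets in unsigned arithmetic instead, e.g. `if (length >= block_length - (size_t)(comment - comments)) return;` (after confirming `comment` itself is inside `comments`), which rejects the same inputs without ever computing an out-of-range pointer. The bare `return` also drops the remainder of the block silently; a log line stating that a comment length exceeded the block would help triage malformed or hostile files.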

Attachment: pgpky2pxcMXO3.pgp
Description: PGP signature


--- End Message ---
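The CVE text above describes a length read from the FLAC tag being used as an array index without being checked against the enclosing comment block. The following C function is an added example, not xine-lib's or MPlayer's code, that shows the offset-based form of the check: each field length is validated against the bytes remaining in the block before anything is read. It assumes a simplified layout of consecutive fields, each prefixed by a 4-byte little-endian length (the vendor string and field count of a real Vorbis comment block are omitted), and the two sample blocks are constructed here, the second with a deliberately oversized length.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Vorbis comment lengths are little-endian 32-bit integers. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse length-prefixed comment fields occupying block_length bytes at
 * `comments` into `out` (each field truncated to 63 characters).
 * Returns the number of fields parsed, or -1 if a length prefix is
 * truncated or a field would extend past the block. All bounds checks
 * are done on size_t offsets; no pointer past the block is ever formed. */
int parse_comment_fields(const uint8_t *comments, size_t block_length,
                         char out[][64], int max_fields)
{
    size_t off = 0;
    int n = 0;

    while (off < block_length && n < max_fields) {
        if (block_length - off < 4)
            return -1;                      /* truncated length prefix */
        uint32_t length = read_le32(comments + off);
        off += 4;
        if (length > block_length - off)    /* field runs past the block */
            return -1;
        size_t copy = length < 63 ? length : 63;
        memcpy(out[n], comments + off, copy);
        out[n][copy] = '\0';
        off += length;
        n++;
    }
    return n;
}

/* Constructed sample: two well-formed fields, "TITLE=x" and "ARTIST=y". */
static const uint8_t good_block[] = {
    7, 0, 0, 0, 'T', 'I', 'T', 'L', 'E', '=', 'x',
    8, 0, 0, 0, 'A', 'R', 'T', 'I', 'S', 'T', '=', 'y'
};

/* Constructed sample: second field claims 0x7fffffff bytes but only one
 * byte of the block remains, the pattern the CVE describes. */
static const uint8_t bad_block[] = {
    7, 0, 0, 0, 'T', 'I', 'T', 'L', 'E', '=', 'x',
    0xff, 0xff, 0xff, 0x7f, 'A'
};

static char fields[4][64];

/* Expected: 2 fields, fields[1] == "ARTIST=y". */
int demo_good(void)
{
    return parse_comment_fields(good_block, sizeof good_block, fields, 4);
}

/* Expected: -1, the oversized length is rejected before any read. */
int demo_bad(void)
{
    return parse_comment_fields(bad_block, sizeof bad_block, fields, 4);
}

int main(void)
{
    int n = demo_good();
    printf("good block: %d fields, last = \"%s\"\n", n, n > 0 ? fields[n - 1] : "");
    printf("bad block: %d\n", demo_bad());
    return 0;
}
```

Because the comparison is `length > block_length - off` on unsigned values, a length of any size is rejected without wrap-around, and the truncated-prefix check keeps `block_length - off` from underflowing.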
--- Begin Message ---
Source: xine-lib
Source-Version: 1.1.10.1-1

We believe that the bug you reported is fixed in the latest version of
xine-lib, which is due to be installed in the Debian FTP archive:

libxine-dev_1.1.10.1-1_amd64.deb
  to pool/main/x/xine-lib/libxine-dev_1.1.10.1-1_amd64.deb
libxine1-all-plugins_1.1.10.1-1_all.deb
  to pool/main/x/xine-lib/libxine1-all-plugins_1.1.10.1-1_all.deb
libxine1-bin_1.1.10.1-1_amd64.deb
  to pool/main/x/xine-lib/libxine1-bin_1.1.10.1-1_amd64.deb
libxine1-console_1.1.10.1-1_amd64.deb
  to pool/main/x/xine-lib/libxine1-console_1.1.10.1-1_amd64.deb
libxine1-dbg_1.1.10.1-1_amd64.deb
  to pool/main/x/xine-lib/libxine1-dbg_1.1.10.1-1_amd64.deb
libxine1-doc_1.1.10.1-1_all.deb
  to pool/main/x/xine-lib/libxine1-doc_1.1.10.1-1_all.deb
libxine1-ffmpeg_1.1.10.1-1_amd64.deb
  to pool/main/x/xine-lib/libxine1-ffmpeg_1.1.10.1-1_amd64.deb
libxine1-gnome_1.1.10.1-1_amd64.deb
  to pool/main/x/xine-lib/libxine1-gnome_1.1.10.1-1_amd64.deb
libxine1-misc-plugins_1.1.10.1-1_amd64.deb
  to pool/main/x/xine-lib/libxine1-misc-plugins_1.1.10.1-1_amd64.deb
libxine1-plugins_1.1.10.1-1_all.deb
  to pool/main/x/xine-lib/libxine1-plugins_1.1.10.1-1_all.deb
libxine1-x_1.1.10.1-1_amd64.deb
  to pool/main/x/xine-lib/libxine1-x_1.1.10.1-1_amd64.deb
libxine1_1.1.10.1-1_amd64.deb
  to pool/main/x/xine-lib/libxine1_1.1.10.1-1_amd64.deb
xine-lib_1.1.10.1-1.diff.gz
  to pool/main/x/xine-lib/xine-lib_1.1.10.1-1.diff.gz
xine-lib_1.1.10.1-1.dsc
  to pool/main/x/xine-lib/xine-lib_1.1.10.1-1.dsc
xine-lib_1.1.10.1.orig.tar.gz
  to pool/main/x/xine-lib/xine-lib_1.1.10.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Darren Salt <[EMAIL PROTECTED]> (supplier of updated xine-lib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 08 Feb 2008 17:25:21 +0000
Source: xine-lib
Binary: libxine1-doc libxine1 libxine1-bin libxine-dev libxine1-ffmpeg 
libxine1-gnome libxine1-console libxine1-x libxine1-misc-plugins libxine1-dbg 
libxine1-plugins libxine1-all-plugins
Architecture: source all amd64
Version: 1.1.10.1-1
Distribution: unstable
Urgency: high
Maintainer: [EMAIL PROTECTED]
Changed-By: Darren Salt <[EMAIL PROTECTED]>
Description: 
 libxine-dev - the xine video player library, development packages
 libxine1   - the xine video/media player library, meta-package
 libxine1-all-plugins - the xine video/media player library, meta package
 libxine1-bin - the xine video/media player library, binary files
 libxine1-console - libaa/libcaca/framebuffer/directfb related plugins for 
libxine1
 libxine1-dbg - debug symbols for libxine1
 libxine1-doc - the xine video player library, documentation files
 libxine1-ffmpeg - MPEG-related plugins for libxine1
 libxine1-gnome - GNOME-related plugins for libxine1
 libxine1-misc-plugins - Input, audio output and post plugins for libxine1
 libxine1-plugins - the xine video/media player library, meta package
 libxine1-x - X desktop video output plugins for libxine1
Closes: 462710 462964 464178 464321 464696
Changes: 
 xine-lib (1.1.10.1-1) unstable; urgency=high
 .
   * New upstream release.
     - CVE-2008-0486: Array index vulnerability which may allow remote
       attackers to execute arbitrary code via a crafted FLAC tag, which
       triggers a buffer overflow. (Closes: #464696)
     - Real codec detection was looking in the wrong places. (Closes: #462964)
 .
   [Darren Salt]
   * Add pkg-config dependency to libxine-dev, fixing xine-plugin FTBFS.
     (Closes: #464178, #464321)
   * Put libxine1-doc back into section doc until somewhere better is created
     for it. (Closes: #462710)
   * No longer build-conflict with libxine-dev from xine-lib-1.2. This is no
     longer needed due to link order changes.
Files: 
 c02992d339016ddbb2ec49e9c7c899e6 1749 libs optional xine-lib_1.1.10.1-1.dsc
 bfb55b256e286a0c42e5bc8e3f6a81eb 9133868 libs optional 
xine-lib_1.1.10.1.orig.tar.gz
 0abd8871f8a3a845b940f6327b6cbffa 25676 libs optional 
xine-lib_1.1.10.1-1.diff.gz
 2df6942091ba282028459f0b8c32f17b 141498 doc optional 
libxine1-doc_1.1.10.1-1_all.deb
 69a96a7e04145d55dd1382c59b037a05 50068 libs extra 
libxine1-plugins_1.1.10.1-1_all.deb
 5f9a0553cc0af7581910729d52b250d6 50078 libs extra 
libxine1-all-plugins_1.1.10.1-1_all.deb
 99ef9bd1202b75680aa5b1567ea243a1 1262 libs optional 
libxine1_1.1.10.1-1_amd64.deb
 76944f0eb19f6c63d8b17654b59419d5 1605980 libs optional 
libxine1-bin_1.1.10.1-1_amd64.deb
 9c5cdef0f15a2b6b9192dbc546899fdd 329840 libdevel optional 
libxine-dev_1.1.10.1-1_amd64.deb
 ef4ee1ba334cba0d5b5a5895c47636e5 385124 libs optional 
libxine1-ffmpeg_1.1.10.1-1_amd64.deb
 810e5d8466968fdeddcff6071022b1bd 15240 libs optional 
libxine1-gnome_1.1.10.1-1_amd64.deb
 cfcc74fd003f433cd0515c89da52ac4d 58100 libs extra 
libxine1-console_1.1.10.1-1_amd64.deb
 7573128e18e3b668a24aab0fe431d974 213756 libs optional 
libxine1-x_1.1.10.1-1_amd64.deb
 a6b80731cf9a51329e45551fcd2a494b 961674 libs optional 
libxine1-misc-plugins_1.1.10.1-1_amd64.deb
 9e014ff021e46789cb69fda45c244181 3932274 libs extra 
libxine1-dbg_1.1.10.1-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHrORssBKtjPGfWZ8RAhqJAKC77CDJNAqXybQf05s1tIm+Vye/bwCfVJTK
Ff5HsJLb6Pn4GisVFexKcK4=
=/vXL
-----END PGP SIGNATURE-----



--- End Message ---