Your message dated Wed, 02 Apr 2008 12:32:09 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#472639: fixed in xine-lib 1.1.10.1-2+lenny1
has caused the Debian Bug report #472639,
regarding xine-lib: CVE-2008-1482 multiple integer overflows
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
472639: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=472639
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: xine-lib
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for xine-lib.
CVE-2008-1482[0]:
| Multiple integer overflows in xine-lib 1.1.11 and earlier allow remote
| attackers to trigger heap-based buffer overflows and possibly execute
| arbitrary code via (1) a crafted .FLV file, which triggers an overflow
| in demuxers/demux_flv.c; (2) a crafted .MOV file, which triggers an
| overflow in demuxers/demux_qt.c; (3) a crafted .RM file, which
| triggers an overflow in demuxers/demux_real.c; (4) a crafted .MVE
| file, which triggers an overflow in demuxers/demux_wc3movie.c; (5) a
| crafted .MKV file, which triggers an overflow in demuxers/ebml.c; or
| (6) a crafted .CAK file, which triggers an overflow in
| demuxers/demux_film.c.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1482
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
--- Begin Message ---
Source: xine-lib
Source-Version: 1.1.10.1-2+lenny1
We believe that the bug you reported is fixed in the latest version of
xine-lib, which is due to be installed in the Debian FTP archive:
libxine-dev_1.1.10.1-2+lenny1_amd64.deb
to pool/main/x/xine-lib/libxine-dev_1.1.10.1-2+lenny1_amd64.deb
libxine1-all-plugins_1.1.10.1-2+lenny1_all.deb
to pool/main/x/xine-lib/libxine1-all-plugins_1.1.10.1-2+lenny1_all.deb
libxine1-bin_1.1.10.1-2+lenny1_amd64.deb
to pool/main/x/xine-lib/libxine1-bin_1.1.10.1-2+lenny1_amd64.deb
libxine1-console_1.1.10.1-2+lenny1_amd64.deb
to pool/main/x/xine-lib/libxine1-console_1.1.10.1-2+lenny1_amd64.deb
libxine1-dbg_1.1.10.1-2+lenny1_amd64.deb
to pool/main/x/xine-lib/libxine1-dbg_1.1.10.1-2+lenny1_amd64.deb
libxine1-doc_1.1.10.1-2+lenny1_all.deb
to pool/main/x/xine-lib/libxine1-doc_1.1.10.1-2+lenny1_all.deb
libxine1-ffmpeg_1.1.10.1-2+lenny1_amd64.deb
to pool/main/x/xine-lib/libxine1-ffmpeg_1.1.10.1-2+lenny1_amd64.deb
libxine1-gnome_1.1.10.1-2+lenny1_amd64.deb
to pool/main/x/xine-lib/libxine1-gnome_1.1.10.1-2+lenny1_amd64.deb
libxine1-misc-plugins_1.1.10.1-2+lenny1_amd64.deb
to pool/main/x/xine-lib/libxine1-misc-plugins_1.1.10.1-2+lenny1_amd64.deb
libxine1-plugins_1.1.10.1-2+lenny1_all.deb
to pool/main/x/xine-lib/libxine1-plugins_1.1.10.1-2+lenny1_all.deb
libxine1-x_1.1.10.1-2+lenny1_amd64.deb
to pool/main/x/xine-lib/libxine1-x_1.1.10.1-2+lenny1_amd64.deb
libxine1_1.1.10.1-2+lenny1_amd64.deb
to pool/main/x/xine-lib/libxine1_1.1.10.1-2+lenny1_amd64.deb
xine-lib_1.1.10.1-2+lenny1.diff.gz
to pool/main/x/xine-lib/xine-lib_1.1.10.1-2+lenny1.diff.gz
xine-lib_1.1.10.1-2+lenny1.dsc
to pool/main/x/xine-lib/xine-lib_1.1.10.1-2+lenny1.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated xine-lib package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 01 Apr 2008 14:38:40 +0200
Source: xine-lib
Binary: libxine1-doc libxine1 libxine1-bin libxine-dev libxine1-ffmpeg
libxine1-gnome libxine1-console libxine1-x libxine1-misc-plugins libxine1-dbg
libxine1-plugins libxine1-all-plugins
Architecture: source all amd64
Version: 1.1.10.1-2+lenny1
Distribution: testing-security
Urgency: high
Maintainer: Reinhard Tartler <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
libxine-dev - the xine video player library, development packages
libxine1 - the xine video/media player library, meta-package
libxine1-all-plugins - the xine video/media player library, meta package
libxine1-bin - the xine video/media player library, binary files
libxine1-console - libaa/libcaca/framebuffer/directfb related plugins for
libxine1
libxine1-dbg - debug symbols for libxine1
libxine1-doc - the xine video player library, documentation files
libxine1-ffmpeg - MPEG-related plugins for libxine1
libxine1-gnome - GNOME-related plugins for libxine1
libxine1-misc-plugins - Input, audio output and post plugins for libxine1
libxine1-plugins - the xine video/media player library, meta package
libxine1-x - X desktop video output plugins for libxine1
Closes: 472639
Changes:
xine-lib (1.1.10.1-2+lenny1) testing-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix various integer overflows in FLV, Qt, Real, WC3Movie, Matroska and FILM
demuxers, allowing remote attackers to trigger heap overflows and
possibly execute arbitrary code and other possible NULL pointer
dereferences caused by missing alloc checks.
(CVE-2008-1482; Closes: #472639)
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFH8jXuHYflSXNkfP8RAsh5AJoCJ/cZ08tUUFUBnKpbfhI5J0XWmwCeJuI7
3+20GROR2t+H3YWa1KuivgM=
=opZx
-----END PGP SIGNATURE-----
--- End Message ---