Your message dated Mon, 12 Jan 2009 03:02:12 +0000
with message-id <e1lmd48-0002bs...@ries.debian.org>
and subject line Bug#509265: fixed in xine-lib 1.1.14-4
has caused the Debian Bug report #509265,
regarding CVE-2008-5237: Several integer overflows
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
509265: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=509265
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: xine-lib
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for xine-lib.
CVE-2008-5237[0]:
| Multiple integer overflows in xine-lib 1.1.12, and other 1.1.15 and
| earlier versions, allow remote attackers to cause a denial of service
| (crash) or possibly execute arbitrary code via (1) crafted width and
| height values that are not validated by the mymng_process_header
| function in demux_mng.c before use in an allocation calculation or (2)
| crafted current_atom_size and string_size values processed by the
| parse_reference_atom function in demux_qt.c.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5237
http://security-tracker.debian.net/tracker/CVE-2008-5237
--- End Message ---
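The first defect class named in the CVE text above (crafted width and height values flowing into an allocation size) is easiest to see with the wrapping arithmetic beside a checked version. This is an added C example, not code from xine-lib or from the bug report; the function names and the 32-bit size type are assumptions, and the header values are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Unchecked variant: models the bug class, where width and height taken from
 * a crafted image header are multiplied straight into an allocation size.
 * In 32-bit arithmetic the product wraps, so a huge frame yields a tiny
 * buffer and every later write to the frame runs past its end. */
static uint32_t unchecked_frame_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;   /* wraps silently on overflow */
}

/* Checked variant: rejects any (width, height, bpp) whose product would not
 * fit in uint32_t. Division is used so the check itself cannot overflow.
 * Returns 0 and writes the size on success, -1 on overflow or a zero value. */
static int checked_frame_bytes(uint32_t width, uint32_t height, uint32_t bpp, uint32_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return -1;
    if (width > UINT32_MAX / height)        /* width * height would wrap */
        return -1;
    uint32_t area = width * height;
    if (area > UINT32_MAX / bpp)            /* area * bpp would wrap */
        return -1;
    *out = area * bpp;
    return 0;
}

/* Allocate a frame buffer only after the size is known to be sound. */
static void *alloc_frame(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t bytes;
    if (checked_frame_bytes(width, height, bpp, &bytes) != 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed header: 0x8000 x 0x8000 pixels at 4 bytes per pixel.
     * The area fits in 32 bits but the byte count does not. */
    uint32_t n = 0;
    printf("unchecked size: %u bytes\n", unchecked_frame_bytes(0x8000, 0x8000, 4));
    printf("checked: %s\n", checked_frame_bytes(0x8000, 0x8000, 4, &n) ? "rejected" : "ok");
    void *frame = alloc_frame(640, 480, 4);   /* sane header: 1228800 bytes */
    printf("640x480x4 allocation %s\n", frame ? "succeeded" : "failed");
    free(frame);
    return 0;
}
```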
--- Begin Message ---
Source: xine-lib
Source-Version: 1.1.14-4
We believe that the bug you reported is fixed in the latest version of
xine-lib, which is due to be installed in the Debian FTP archive:
libxine-dev_1.1.14-4_amd64.deb
to pool/main/x/xine-lib/libxine-dev_1.1.14-4_amd64.deb
libxine1-all-plugins_1.1.14-4_all.deb
to pool/main/x/xine-lib/libxine1-all-plugins_1.1.14-4_all.deb
libxine1-bin_1.1.14-4_amd64.deb
to pool/main/x/xine-lib/libxine1-bin_1.1.14-4_amd64.deb
libxine1-console_1.1.14-4_amd64.deb
to pool/main/x/xine-lib/libxine1-console_1.1.14-4_amd64.deb
libxine1-dbg_1.1.14-4_amd64.deb
to pool/main/x/xine-lib/libxine1-dbg_1.1.14-4_amd64.deb
libxine1-doc_1.1.14-4_all.deb
to pool/main/x/xine-lib/libxine1-doc_1.1.14-4_all.deb
libxine1-ffmpeg_1.1.14-4_amd64.deb
to pool/main/x/xine-lib/libxine1-ffmpeg_1.1.14-4_amd64.deb
libxine1-gnome_1.1.14-4_amd64.deb
to pool/main/x/xine-lib/libxine1-gnome_1.1.14-4_amd64.deb
libxine1-misc-plugins_1.1.14-4_amd64.deb
to pool/main/x/xine-lib/libxine1-misc-plugins_1.1.14-4_amd64.deb
libxine1-plugins_1.1.14-4_all.deb
to pool/main/x/xine-lib/libxine1-plugins_1.1.14-4_all.deb
libxine1-x_1.1.14-4_amd64.deb
to pool/main/x/xine-lib/libxine1-x_1.1.14-4_amd64.deb
libxine1_1.1.14-4_amd64.deb
to pool/main/x/xine-lib/libxine1_1.1.14-4_amd64.deb
xine-lib_1.1.14-4.diff.gz
to pool/main/x/xine-lib/xine-lib_1.1.14-4.diff.gz
xine-lib_1.1.14-4.dsc
to pool/main/x/xine-lib/xine-lib_1.1.14-4.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 509...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Darren Salt <li...@youmustbejoking.demon.co.uk> (supplier of updated xine-lib package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 07 Jan 2009 18:57:29 +0000
Source: xine-lib
Binary: libxine1-doc libxine1 libxine1-bin libxine-dev libxine1-ffmpeg
libxine1-gnome libxine1-console libxine1-x libxine1-misc-plugins libxine1-dbg
libxine1-plugins libxine1-all-plugins
Architecture: source all amd64
Version: 1.1.14-4
Distribution: testing-proposed-updates
Urgency: high
Maintainer: li...@youmustbejoking.demon.co.uk
Changed-By: Darren Salt <li...@youmustbejoking.demon.co.uk>
Description:
libxine-dev - the xine video player library, development packages
libxine1 - the xine video/media player library, meta-package
libxine1-all-plugins - the xine video/media player library, meta package
libxine1-bin - the xine video/media player library, binary files
libxine1-console - libaa/libcaca/framebuffer/directfb related plugins for libxine1
libxine1-dbg - debug symbols for libxine1
libxine1-doc - the xine video player library, documentation files
libxine1-ffmpeg - MPEG-related plugins for libxine1
libxine1-gnome - GNOME-related plugins for libxine1
libxine1-misc-plugins - Input, audio output and post plugins for libxine1
libxine1-plugins - the xine video/media player library, meta package
libxine1-x - X desktop video output plugins for libxine1
Closes: 507165 508313 509008 509265 509352 509353 509521 510662
Changes:
xine-lib (1.1.14-4) testing-proposed-updates; urgency=high
.
* Security fixes backported from 1.1.16:
- CVE-2008-5234: Heap overflow in Quicktime atom parsing.
(Closes: #508313)
- CVE-2008-5236: Multiple buffer overflows. (Closes: #509521)
- CVE-2008-5237: Multiple integer overflows. (Closes: #509265)
- CVE-2008-5239: Unchecked or incompletely-checked read function results.
(Closes: #509353)
- CVE-2008-5240 & CVE-2008-5242: Unchecked memory allocations using
untrusted values. (Closes: #509352, #507165)
- CVE-2008-5241: Integer underflow in qt compressed atom handling.
(Closes: #509008)
- CVE-2008-5243: Buffer indexing using untrusted or unchecked values.
- Avoid segfault on invalid track type in Matroska files.
- Avoid underflow (compressed atoms) in the Qt demuxer.
* Other backports from 1.1.16:
- Fix a couple of potential hangs, both of which can be triggered by an
MMS stream in which the demuxer cannot find a valid GUID.
- Avoid possible hangs with xxmc, reported to happen with openchrome.
* Fix FTBFS on i386 (with amd64 kernel). (Closes: #510662)
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---