Source: xine-lib
Severity: grave
Tags: security patch

Hi,
Tobias Klein discovered an integer overflow in the quicktime STTS atom processing that leads to a heap-based buffer overflow probably resulting in arbitrary code execution.
As you are also upstream of xine I expect you are aware of: http://trapkit.de/advisories/TKADV2009-005.txt. You fixed this bug in 1.1.16.3.

A few words from my side: I expect you to contact the security team in case you get notified of a security issue in xine in the future, as it's not nice to see other people notifying us while our Debian maintainer is also the upstream. Sorry, but this workflow sucks! Debian can allocate CVE ids if you need them, and I see no reason why a fixed package is not already in unstable. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry if we get one in time.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
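Added example (not from the mail, the advisory, or xine-lib's own code): a small C parser for an STTS-style entry table that shows the bug class the report names, a 32-bit entry count multiplied by the entry size wrapping around so the heap allocation is smaller than the number of entries later written, next to the checked computation a hardened demuxer uses. The atom layout, function names and sample bytes are assumptions constructed for illustration only.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Layout assumed for this illustration (not taken from xine-lib):
 *   4 bytes version/flags, 4 bytes big-endian entry_count,
 *   then entry_count entries of 8 bytes (sample_count, sample_delta). */
#define STTS_HEADER_LEN 8u
#define STTS_ENTRY_LEN  8u

struct stts_entry { uint32_t sample_count; uint32_t sample_delta; };
struct stts_table { uint32_t entry_count; struct stts_entry *entries; };

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The defect pattern: count * entry size evaluated in 32-bit arithmetic wraps
 * for counts >= 2^29, so malloc() receives a tiny size while the copy loop
 * still iterates entry_count times. Shown here for the wraparound only. */
uint32_t stts_unchecked_size(uint32_t entry_count)
{
    return entry_count * STTS_ENTRY_LEN;   /* 0x20000001 * 8 wraps to 8 */
}

/* Hardened size computation: reject counts whose byte size cannot be
 * represented in size_t, and counts larger than the bytes actually present
 * in the atom (the second check also catches the case on 64-bit size_t). */
int stts_checked_size(uint32_t entry_count, size_t payload_len, size_t *out)
{
    if (entry_count > SIZE_MAX / STTS_ENTRY_LEN)
        return -1;
    size_t bytes = (size_t)entry_count * STTS_ENTRY_LEN;
    if (bytes > payload_len)
        return -1;
    *out = bytes;
    return 0;
}

/* Parse an STTS atom payload. Returns 0 and fills *table on success,
 * -1 (leaving *table untouched) when the count is inconsistent with len. */
int stts_parse(const unsigned char *buf, size_t len, struct stts_table *table)
{
    if (len < STTS_HEADER_LEN) return -1;
    uint32_t count = be32(buf + 4);
    size_t bytes;
    if (stts_checked_size(count, len - STTS_HEADER_LEN, &bytes) != 0)
        return -1;
    struct stts_entry *entries = NULL;
    if (count > 0) {
        entries = malloc(bytes);
        if (!entries) return -1;
        for (uint32_t i = 0; i < count; i++) {
            const unsigned char *e = buf + STTS_HEADER_LEN + (size_t)i * STTS_ENTRY_LEN;
            entries[i].sample_count = be32(e);
            entries[i].sample_delta = be32(e + 4);
        }
    }
    table->entry_count = count;
    table->entries = entries;
    return 0;
}

void stts_free(struct stts_table *t)
{
    free(t->entries); t->entries = NULL; t->entry_count = 0;
}

/* Constructed sample atoms (not real file data). */
static const unsigned char GOOD_STTS[] = {
    0,0,0,0,            /* version/flags */
    0,0,0,2,            /* entry_count = 2 */
    0,0,0,10, 0,0,0,1,  /* entry 0 */
    0,0,0,5,  0,0,0,2   /* entry 1 */
};
static const unsigned char BAD_STTS[] = {
    0,0,0,0,
    0x20,0,0,1,         /* entry_count = 0x20000001, far more than the payload holds */
    0,0,0,10, 0,0,0,1
};

/* Wrappers over the constructed samples so results are returned, not printed. */
int stts_good_second_delta(void)   /* 2 on success, -1 on failure */
{
    struct stts_table t;
    if (stts_parse(GOOD_STTS, sizeof GOOD_STTS, &t) != 0) return -1;
    int d = (t.entry_count == 2) ? (int)t.entries[1].sample_delta : -1;
    stts_free(&t);
    return d;
}

int stts_bad_rejected(void)        /* 1 if the oversized count is refused */
{
    struct stts_table t;
    return stts_parse(BAD_STTS, sizeof BAD_STTS, &t) == -1;
}

int main(void)
{
    printf("unchecked size for 0x20000001 entries: %u bytes\n", stts_unchecked_size(0x20000001u));
    printf("good atom second delta: %d, bad atom rejected: %d\n",
           stts_good_second_delta(), stts_bad_rejected());
    return 0;
}
```

The first check guards the multiplication itself; the second, comparing the computed size against the bytes remaining in the atom, is the one that matters in practice because it rejects any count the container cannot actually hold, regardless of the integer width the product is computed in.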