Your message dated Mon, 12 Jun 2006 10:33:01 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#363370: fixed in xine-ui 0.99.4-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: xine-ui
Version: 0.99.3-1.3
Severity: serious
Posted to xine-devel by Diego Pettenó <[EMAIL PROTECTED]>:
: Seems like there's disclosure of a vulnerability in latest released xine-ui
: (0.99.4) at http://www.open-security.org/advisories/16 . The code that's
: there referred to is already fixed in current CVS since last August, I'm
: re-attaching the patch I submitted that time for who wants to fix this
: independently from a new release.
The patch (attached) is not present in 0.99.3-1.3.
--
| Darren Salt | linux or ds at | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| + Travel less. Share transport more. PRODUCE LESS CARBON DIOXIDE.
If you think this tagline is confusing, then change one pig.
Index: xine-ui-0.99.4/src/xitk/main.c
===================================================================
--- xine-ui-0.99.4.orig/src/xitk/main.c
+++ xine-ui-0.99.4/src/xitk/main.c
@@ -456,7 +456,7 @@ static void print_formatted(char *title,
int len;
char *blanks = " ";
- printf(title);
+ printf("%s", title);
sprintf(buffer, "%s", blanks);
plugin = *plugins++;
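Review bot: the context line directly after the fixed call, sprintf(buffer, "%s", blanks), is still an unbounded copy, while the else branch further down in print_formatted already uses snprintf(buffer, sizeof(buffer), ...). Suggest the same bounded form here so that every write to buffer in this function is size-checked. The printf("%s", title) change itself is correct: title is now printed as data rather than parsed as a format.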
@@ -469,7 +469,7 @@ static void print_formatted(char *title,
sprintf(buffer, "%s%s%s", buffer, (strlen(buffer) == strlen(blanks)) ?
"" : ", ", plugin);
}
else {
- printf(buffer);
+ printf("%s", buffer);
printf(",\n");
snprintf(buffer, sizeof(buffer), "%s%s", blanks, plugin);
}
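Review bot: the sprintf(buffer, "%s%s%s", buffer, ...) in the context above the else passes buffer as both destination and source argument, which is undefined behaviour in C because the objects overlap, and the call carries no size limit of its own. The patch leaves it untouched. Suggest appending at the current end instead, for example snprintf(buffer + len, sizeof(buffer) - len, "%s%s", sep, plugin) with len = strlen(buffer), where sep stands for the existing separator expression.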
@@ -478,7 +478,7 @@ static void print_formatted(char *title,
}
if(strlen(buffer))
- printf(buffer);
+ printf("%s", buffer);
printf(".\n\n");
}
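Review bot: this is the third printf(buffer) to printf("%s", buffer) conversion in print_formatted, and nothing in the patch keeps the pattern from coming back. Suggest building with GCC's -Wformat -Wformat-security, which warns on printf-style calls whose format is not a string literal and that pass no arguments, so any remaining or future call of this shape is caught at compile time. As a style point, fputs(buffer, stdout) says the same thing without going through format parsing at all.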
Index: xine-ui-0.99.4/src/xitk/xine-toolkit/xitk.c
===================================================================
--- xine-ui-0.99.4.orig/src/xitk/xine-toolkit/xitk.c
+++ xine-ui-0.99.4/src/xitk/xine-toolkit/xitk.c
@@ -1875,7 +1875,7 @@ void xitk_init(Display *display, XColor
sprintf(buffer, "%s%s", buffer, " ]-");
if(verbosity)
- printf(buffer);
+ printf("%s", buffer);
gXitk->wm_type = xitk_check_wm(display);
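Review bot: sprintf(buffer, "%s%s", buffer, " ]-") on the first context line writes into buffer while also reading from it, which the C standard leaves undefined, and nothing in the visible lines bounds the result. Since this hunk already touches the banner output in xitk_init, suggest replacing that call with a bounded append such as strncat(buffer, " ]-", sizeof(buffer) - strlen(buffer) - 1), if buffer is an array here.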
--- End Message ---
--- Begin Message ---
Source: xine-ui
Source-Version: 0.99.4-1
We believe that the bug you reported is fixed in the latest version of
xine-ui, which is due to be installed in the Debian FTP archive:
xine-ui_0.99.4-1.diff.gz
to pool/main/x/xine-ui/xine-ui_0.99.4-1.diff.gz
xine-ui_0.99.4-1.dsc
to pool/main/x/xine-ui/xine-ui_0.99.4-1.dsc
xine-ui_0.99.4-1_i386.deb
to pool/main/x/xine-ui/xine-ui_0.99.4-1_i386.deb
xine-ui_0.99.4.orig.tar.gz
to pool/main/x/xine-ui/xine-ui_0.99.4.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reinhard Tartler <[EMAIL PROTECTED]> (supplier of updated xine-ui package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 5 Jun 2006 18:08:45 +0200
Source: xine-ui
Binary: xine-ui
Architecture: source i386
Version: 0.99.4-1
Distribution: unstable
Urgency: high
Maintainer: Siggi Langauf <[EMAIL PROTECTED]>
Changed-By: Reinhard Tartler <[EMAIL PROTECTED]>
Description:
xine-ui - the xine video player, user interface
Closes: 228633 363370
Changes:
xine-ui (0.99.4-1) unstable; urgency=high
.
[ Siggi Langauf ]
.
* fixed icon in menu entry (closes: #228633)
.
[ Reinhard Tartler ]
.
* new upstream release, featuring:
- Fixed deadlock, segfaults and mem-leaks, several other fixes and enhancements, can't remember details (thanks also to Marcelo Jimenez and Jakub Labath)
- Menu to reset video controls
- fixed menu shortcut strings allocation/freeing [bug #1223022]
- audio post plugin support
- use UTF-8 for Japanese locale if nl_langinfo doesn't work [bug #1096974]
- expand tabs in post-plugin help
- merge some osd menus from oxine
- aspect ratio fixed for multihead setups (especially TwinView) [bugs #1089328, #1001702 and #989157]
- fixed parsing post plugin parameters of type double for some locales
- autoload subtitles with .txt extension too
- be more POSIX-compliant (head, tail) (build fix) [bug #1172729]
- Russian translations (thanks to Pavel Maryanov)
- forced not loading old playlist with -P option
.
* add debian/watch file for uscan.
* added myself to Uploaders
* high urgency upload because of security fix
* bumped standards version to 3.7.2, no changes needed
.
* SECURITY: Fix two format string bugs which could be possibly
remote-exploitable (Ubuntu: #41781, CVE-2006-1905). Imported from security
upload to ubuntu by Sebastian Dröge <[EMAIL PROTECTED]> (Closes: #363370)
Files:
99afe44039d27673b6e6ad432fc35d62 943 graphics optional xine-ui_0.99.4-1.dsc
90ea1f76747e9788a30a73e7f4a76cf6 2544984 graphics optional xine-ui_0.99.4.orig.tar.gz
b9a307d1203d8955535200d23e1cf038 20703 graphics optional xine-ui_0.99.4-1.diff.gz
3081892db40693f9366c0a9bb9fab48b 1628570 graphics optional xine-ui_0.99.4-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEjaNwXKRQ3lK3SH4RAsCpAJ9AuyAi1I1n2kv0TXbkVajzUjOcyACgieWH
u8WXxOXDe7ItNw27bjzhGy4=
=MGP1
-----END PGP SIGNATURE-----
--- End Message ---