Login
Newsletter
Werbung

Sicherheit: Mehrere Probleme in xine-lib
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in xine-lib
ID: MDVSA-2009:298
Distribution: Mandriva
Plattformen: Mandriva Corporate 3.0
Datum: Sa, 14. November 2009, 01:06
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5248
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0698
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1274
Applikationen: Xine

Originalnachricht

This is a multi-part message in MIME format...

------------=_1258157189-24326-489


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:298
http://www.mandriva.com/security/
_______________________________________________________________________

Package : xine-lib
Date : November 13, 2009
Affected: Corporate 3.0
_______________________________________________________________________

Problem Description:

Vulnerabilities have been discovered and corrected in xine-lib:

- xine-lib before 1.1.15 allows remote attackers to cause a denial
of service (crash) via mp3 files with metadata consisting only of
separators (CVE-2008-5248)

- Integer overflow in the qt_error parse_trak_atom function in
demuxers/demux_qt.c in xine-lib 1.1.16.2 and earlier allows remote
attackers to execute arbitrary code via a Quicktime movie file with a
large count value in an STTS atom, which triggers a heap-based buffer
overflow (CVE-2009-1274)

- Integer overflow in the 4xm demuxer (demuxers/demux_4xm.c)
in xine-lib 1.1.16.1 allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via a 4X movie
file with a large current_track value, a similar issue to CVE-2009-0385
(CVE-2009-0698)

This update fixes these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5248
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1274
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0698
_______________________________________________________________________

Updated Packages:

Corporate 3.0:
47002044e449dde281941081839c6fa9
corporate/3.0/i586/libxine1-1-0.rc3.6.18.C30mdk.i586.rpm
0abdd642e1014e67f83445818c69d666
corporate/3.0/i586/libxine1-devel-1-0.rc3.6.18.C30mdk.i586.rpm
2190418670c91e44a8b48fe1c29afaa5
corporate/3.0/i586/xine-aa-1-0.rc3.6.18.C30mdk.i586.rpm
95a464b49a559cbc57eee48ae37224b9
corporate/3.0/i586/xine-arts-1-0.rc3.6.18.C30mdk.i586.rpm
e95764e9cec627b27b416e001e7e7482
corporate/3.0/i586/xine-dxr3-1-0.rc3.6.18.C30mdk.i586.rpm
8829d42bc844675045b6153fe36021f1
corporate/3.0/i586/xine-esd-1-0.rc3.6.18.C30mdk.i586.rpm
7c5d8aea1c07df147cb4ae9b9a0c5464
corporate/3.0/i586/xine-flac-1-0.rc3.6.18.C30mdk.i586.rpm
136374c1cf768fd20bd16384a43d2677
corporate/3.0/i586/xine-gnomevfs-1-0.rc3.6.18.C30mdk.i586.rpm
0566b33424cf000e5c708fa3b4114f03
corporate/3.0/i586/xine-plugins-1-0.rc3.6.18.C30mdk.i586.rpm
2a3fd8d1416bcdb149ae0176b024894d
corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.18.C30mdk.src.rpm

Corporate 3.0/X86_64:
5bae0dd040512b8ca9192623241e25ff
corporate/3.0/x86_64/lib64xine1-1-0.rc3.6.18.C30mdk.x86_64.rpm
5c7e07610511ae684a31ce859c8ebcf6
corporate/3.0/x86_64/lib64xine1-devel-1-0.rc3.6.18.C30mdk.x86_64.rpm
f7431390bbd6b04bd7e1c6d684c033e1
corporate/3.0/x86_64/xine-aa-1-0.rc3.6.18.C30mdk.x86_64.rpm
094905da7c51e1d15d9af52735a8b8e1
corporate/3.0/x86_64/xine-arts-1-0.rc3.6.18.C30mdk.x86_64.rpm
5490e9cc4ca21c0f00dbe1d097f00232
corporate/3.0/x86_64/xine-esd-1-0.rc3.6.18.C30mdk.x86_64.rpm
e144fea85dcfc1749dff42824c66eb40
corporate/3.0/x86_64/xine-flac-1-0.rc3.6.18.C30mdk.x86_64.rpm
276d7b3f1d16c3bb730124b483edcc40
corporate/3.0/x86_64/xine-gnomevfs-1-0.rc3.6.18.C30mdk.x86_64.rpm
a638804b41ab4fec8bb16118da7e19fe
corporate/3.0/x86_64/xine-plugins-1-0.rc3.6.18.C30mdk.x86_64.rpm
2a3fd8d1416bcdb149ae0176b024894d
corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.18.C30mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFK/cnPmqjQ0CJFipgRAkD1AJ9ijkhXTb3c8+BfefIpF5DMCkhFOwCdH+w5
m2PUfeKqIDMhR50WpumwmRY=
=gQmZ
-----END PGP SIGNATURE-----


------------=_1258157189-24326-489
Content-Type: text/plain; name="message-footer.txt"
Content-Disposition: inline; filename="message-footer.txt"
Content-Transfer-Encoding: 8bit

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://www.mandrivastore.com
Join the Club : http://www.mandrivaclub.com
_______________________________________________________

------------=_1258157189-24326-489--
Pro-Linux
Unterstützer werden
Neue Nachrichten
Werbung