DSA 1586-1: New xine-lib packages fix several vulnerabilities
Posted on: 05/22/2008 08:40 PM

The Debian Security Team published a new security update for Debian GNU/Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1586-1 security@debian.org
http://www.debian.org/security/ Devin Carraway
May 22, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : xine-lib
Vulnerability : multiple
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2008-1482 CVE-2008-1686 CVE-2008-1878

Multiple vulnerabilities have been discovered in xine-lib, a library
which supplies most of the application functionality of the xine
multimedia player. The Common Vulnerabilities and Exposures project
identifies the following three problems:

CVE-2008-1482

Integer overflow vulnerabilities exist in xine's FLV, QuickTime,
RealMedia, MVE and CAK demuxers, as well as the EBML parser used
by the Matroska demuxer. These weaknesses allow an attacker to
overflow heap buffers and potentially execute arbitrary code by
supplying a maliciously crafted file of those types.

CVE-2008-1686

Insufficient input validation in the Speex implementation used
by this version of xine enables an invalid array access and the
execution of arbitrary code by supplying a maliciously crafted
Speex file.

CVE-2008-1878

Inadequate bounds checking in the NES Sound Format (NSF) demuxer
enables a stack buffer overflow and the execution of arbitrary
code through a maliciously crafted NSF file.

For the stable distribution (etch), these problems have been fixed in
version 1.1.2+dfsg-7.

For the unstable distribution (sid), these problems have been fixed in
version 1.1.12-2.

We recommend that you upgrade your xine-lib packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

http://security.debian.org/pool/updates/main/x/xine-lib/xine-lib_1.1.2+dfsg.orig.tar.gz
Size/MD5 checksum: 6716994 ae6525a76280a6e1979c3f4f89fd00f3
http://security.debian.org/pool/updates/main/x/xine-lib/xine-lib_1.1.2+dfsg-7.diff.gz
Size/MD5 checksum: 32397 9ef42da73934e6a981151549e97fd396
http://security.debian.org/pool/updates/main/x/xine-lib/xine-lib_1.1.2+dfsg-7.dsc
Size/MD5 checksum: 1585 b0949db5082a590b1afa4f477005f79f

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_alpha.deb
Size/MD5 checksum: 3410964 35526481cc816fad2d5692b33f4a3577
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_alpha.deb
Size/MD5 checksum: 118604 cfc8a8c900bd1182b3faddfeb09eba84
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_alpha.deb
Size/MD5 checksum: 3665492 49adcd016edc53b96bbc028bc3e428ae

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_amd64.deb
Size/MD5 checksum: 117506 f8305c6e72d9fd2a25cb7b144e0d696d
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_amd64.deb
Size/MD5 checksum: 3050404 b94199ba7a4a578db7eb0eefa42b725c
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_amd64.deb
Size/MD5 checksum: 3660324 635669edb747900be1b17a17dba1f564

arm architecture (ARM)

http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_arm.deb
Size/MD5 checksum: 118774 052c7ceae25865180a966f6e9e4eb573
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_arm.deb
Size/MD5 checksum: 2959500 bb1f326f6451a5681c592a56734b30da
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_arm.deb
Size/MD5 checksum: 2668528 19d061e0cc24b1bf935607207bc8c638

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_hppa.deb
Size/MD5 checksum: 3225530 ac2abcd37fe278b730a7a52db4690e2c
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_hppa.deb
Size/MD5 checksum: 119646 5190a9fd4691a7523f1ae2734d81691f
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_hppa.deb
Size/MD5 checksum: 2697042 ea3479f6dc14ed23f90fbb653ea714aa

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_i386.deb
Size/MD5 checksum: 117466 6bd9177c7a51abe868c0c4f4dfb1b6d7
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_i386.deb
Size/MD5 checksum: 3967634 5a85d97914a5bcb3033e8d3eaec4af4b
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_i386.deb
Size/MD5 checksum: 3350218 88382dafa93891b720985435619e1bee

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_ia64.deb
Size/MD5 checksum: 3765616 e38586e9ef6c7b1997679198cc263b9f
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_ia64.deb
Size/MD5 checksum: 2685148 2bbd6abfaa59b6d5d238916e1fe588c1
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_ia64.deb
Size/MD5 checksum: 117500 c6038901ade50caa3a84254f51b43081

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_mips.deb
Size/MD5 checksum: 3036512 2e2b54ad4b4b45715528981791ce85c6
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_mips.deb
Size/MD5 checksum: 2844538 03835764ba28aa277cf33b994ac2c515
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_mips.deb
Size/MD5 checksum: 119386 292683637eeb0e0922516c27069b0a4a

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_mipsel.deb
Size/MD5 checksum: 3017710 0fd6b63681e496817a5a741b942b3642
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_mipsel.deb
Size/MD5 checksum: 2788988 e9bc0450d264dfc9f3522bc38f27fa61
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_mipsel.deb
Size/MD5 checksum: 117528 656913c22767f942ea3ef2f8ad0edc80

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_powerpc.deb
Size/MD5 checksum: 3719568 4bf9a41390aa91305a7de075d8d2c52a
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_powerpc.deb
Size/MD5 checksum: 3209842 ee37b66a198c890770fcda734e30fab8
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_powerpc.deb
Size/MD5 checksum: 117512 e952851e820d0634de013e598c61c432

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_s390.deb
Size/MD5 checksum: 3173064 c1210b83707d76a4256c42393ef1e2d4
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_s390.deb
Size/MD5 checksum: 2719306 125a96fd91fc8cf88c69280500230e0e
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_s390.deb
Size/MD5 checksum: 117502 babe974673968538886456d4f5345cce

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_sparc.deb
Size/MD5 checksum: 3025332 591637b97267686c199c074ce3e92aba
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_sparc.deb
Size/MD5 checksum: 117520 f3b076031d34e283445c27fcb9031e63
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_sparc.deb
Size/MD5 checksum: 3369250 d8e3d16b7c014187398029cf2e75f0da


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show lt;pkggt;' and http://packages.debian.org/lt;pkggt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBSDWqbmz0hbPcukPfAQIS9Af/XsCrcKNgL1sjQtys3dLMh3Fj2D1ZV/Hr
+M+ChkHv1UTshdsbqcuJU8nXF1s6y0PgfydMviV7vfoQk2tW/tO2CDbYEfwPvtga
UMy9ll/0iskJYSOKWQi/nCR5tQy4A0SoaaLexDRfmk1hnA3YZ5AWsWAKyhXXwunQ
/dwNwWJnuIQGpwJAbOYoiyvTR3LHpk//lM6w1MZ5s5fXJ+coB4lr0i/VJpKMzB3O
23h37NdrJVjBNmA5p2XYdfDO4u9cF+tHMo69NMZ5Swg3n4GPbaCKMt4qUu3GbKcJ
pUve/XPqlt2yPYIw3LlFRiOTkGdX+gmH6Tm9fT7gdAEbNwX2PX/rKQ==
=Jr5C
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_1586_1_new_xine_lib_packages_fix_several_vulnerabilities.html)