[Security Announce] [ MDKSA-2006:108 ] - Updated xine-lib packages fix buffer overflow vulnerabilities
Posted on: 06/21/2006 04:32 AM

The Mandriva Security Team published a new security update for Mandriva Linux. Here the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2006:108
http://www.mandriva.com/security/
_______________________________________________________________________

Package : xine-lib
Date : June 20, 2006
Affected: 10.2, 2006.0, Corporate 3.0
_______________________________________________________________________

Problem Description:

A buffer overflow in the HTTP Plugin (xineplug_inp_http.so) for xine-lib
1.1.1 allows remote attackers to cause a denial of service (application
crash) via a long reply from an HTTP server, as demonstrated using gxine
0.5.6. (CVE-2006-2802)

In addition, a possible buffer overflow exists in the AVI demuxer,
similar in nature to CVE-2006-1502 for MPlayer. The Corporate 3 release
of xine-lib does not have this issue.

The updated packages have been patched to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2802
_______________________________________________________________________

Updated Packages:

Mandriva Linux 10.2:
d681a8b19b18a2dc5452e7df07e83e3f 10.2/RPMS/libxine1-1.0-8.3.102mdk.i586.rpm
fff9e7c0837d2231a6e3b2654f383e9d 10.2/RPMS/libxine1-devel-1.0-8.3.102mdk.i586.rpm
7e92134803618e43514f24b3709b4c55 10.2/RPMS/xine-aa-1.0-8.3.102mdk.i586.rpm
0ced315ae520ab8530e577d80b618bf3 10.2/RPMS/xine-arts-1.0-8.3.102mdk.i586.rpm
7e5c2fe58c56877e0b58e77c61f7a600 10.2/RPMS/xine-dxr3-1.0-8.3.102mdk.i586.rpm
2c16e0b8e7bb0d481f834fcf90749c66 10.2/RPMS/xine-esd-1.0-8.3.102mdk.i586.rpm
473b446c63ea1a698f82465925161c63 10.2/RPMS/xine-flac-1.0-8.3.102mdk.i586.rpm
07709eec2ca1e86350f966122752c175 10.2/RPMS/xine-gnomevfs-1.0-8.3.102mdk.i586.rpm
63a0d2f3244334e66e36b267100bd7b5 10.2/RPMS/xine-plugins-1.0-8.3.102mdk.i586.rpm
17c00929f7ae10ba2c7ebe8460396c6b 10.2/RPMS/xine-polyp-1.0-8.3.102mdk.i586.rpm
6d8bda0b35bb615d458053a5489f4e8e 10.2/RPMS/xine-smb-1.0-8.3.102mdk.i586.rpm
5efc378a2f15f33f080d938d27100861 10.2/SRPMS/xine-lib-1.0-8.3.102mdk.src.rpm

Mandriva Linux 10.2/X86_64:
4d21ed79acf486e861842133747594ae x86_64/10.2/RPMS/lib64xine1-1.0-8.3.102mdk.x86_64.rpm
20132d26d3a57c55992fe580333f74fe x86_64/10.2/RPMS/lib64xine1-devel-1.0-8.3.102mdk.x86_64.rpm
13bf0e99dbb3e4ec88848dfd59e6961f x86_64/10.2/RPMS/xine-aa-1.0-8.3.102mdk.x86_64.rpm
78cf2f4087c17f330499b5448e502865 x86_64/10.2/RPMS/xine-arts-1.0-8.3.102mdk.x86_64.rpm
c1c17f1c4373837dff5d22b3cf2391ce x86_64/10.2/RPMS/xine-dxr3-1.0-8.3.102mdk.x86_64.rpm
3aa27fd3bd5817d1fc75410dd0508aef x86_64/10.2/RPMS/xine-esd-1.0-8.3.102mdk.x86_64.rpm
6156eb751055ec1b6f2f6a578d7dff12 x86_64/10.2/RPMS/xine-flac-1.0-8.3.102mdk.x86_64.rpm
0e8c7357b1ab03f5f117e4033b4e5d77 x86_64/10.2/RPMS/xine-gnomevfs-1.0-8.3.102mdk.x86_64.rpm
6f9cf73474c200b3d50e48b53a3fd5f6 x86_64/10.2/RPMS/xine-plugins-1.0-8.3.102mdk.x86_64.rpm
3a8520e98e7acdf6f30dda1b12f76664 x86_64/10.2/RPMS/xine-polyp-1.0-8.3.102mdk.x86_64.rpm
8de73b5ea3c73607138581175e0670c1 x86_64/10.2/RPMS/xine-smb-1.0-8.3.102mdk.x86_64.rpm
5efc378a2f15f33f080d938d27100861 x86_64/10.2/SRPMS/xine-lib-1.0-8.3.102mdk.src.rpm

Mandriva Linux 2006.0:
904b1e86d75ee4bfa8281502b8d8dd60 2006.0/RPMS/libxine1-1.1.0-9.3.20060mdk.i586.rpm
ddae938ae14b61dc19311e3b1c43c732 2006.0/RPMS/libxine1-devel-1.1.0-9.3.20060mdk.i586.rpm
52d14f097de9909ae7fa7cb4cc079a69 2006.0/RPMS/xine-aa-1.1.0-9.3.20060mdk.i586.rpm
723156ddabd5ee3f88693e578d96e56d 2006.0/RPMS/xine-arts-1.1.0-9.3.20060mdk.i586.rpm
5f28c1bc6bf0688c6ecb260e00531846 2006.0/RPMS/xine-dxr3-1.1.0-9.3.20060mdk.i586.rpm
84dd3acde96126f2b6f0146a0a24dade 2006.0/RPMS/xine-esd-1.1.0-9.3.20060mdk.i586.rpm
3d216fdcc4bd0c0e768b6d779a0e1d49 2006.0/RPMS/xine-flac-1.1.0-9.3.20060mdk.i586.rpm
3a62513a70e360c38f3c82ea2d3e7310 2006.0/RPMS/xine-gnomevfs-1.1.0-9.3.20060mdk.i586.rpm
7e044bd1b04ee2531f5f5cd4fe7daad3 2006.0/RPMS/xine-image-1.1.0-9.3.20060mdk.i586.rpm
d75c1fcc21a53f88c5abe88497968421 2006.0/RPMS/xine-plugins-1.1.0-9.3.20060mdk.i586.rpm
dabedf3272f152fb60bb5a413050c7e0 2006.0/RPMS/xine-polyp-1.1.0-9.3.20060mdk.i586.rpm
e1885c8818bafdd885f96eaf8c12ef7f 2006.0/RPMS/xine-smb-1.1.0-9.3.20060mdk.i586.rpm
ff8503a1b8087bc9181f07678438553d 2006.0/SRPMS/xine-lib-1.1.0-9.3.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
bfe9c3b5b5df347001df5cfd0bb2f644 x86_64/2006.0/RPMS/lib64xine1-1.1.0-9.3.20060mdk.x86_64.rpm
94d8aa7a860ba4aa93f655c09ad1c366 x86_64/2006.0/RPMS/lib64xine1-devel-1.1.0-9.3.20060mdk.x86_64.rpm
0a4c15b7e94af988af673273e8258328 x86_64/2006.0/RPMS/xine-aa-1.1.0-9.3.20060mdk.x86_64.rpm
299d73e1d222b28c1c2901896e2507ed x86_64/2006.0/RPMS/xine-arts-1.1.0-9.3.20060mdk.x86_64.rpm
26add5380db72a42ef9bd67508f48dad x86_64/2006.0/RPMS/xine-dxr3-1.1.0-9.3.20060mdk.x86_64.rpm
51cb6ba50f28b1868691460376639a6c x86_64/2006.0/RPMS/xine-esd-1.1.0-9.3.20060mdk.x86_64.rpm
e970668f572b7e7a62530b778b3fb493 x86_64/2006.0/RPMS/xine-flac-1.1.0-9.3.20060mdk.x86_64.rpm
f5293bf40bd328e14c1291c68237b1d8 x86_64/2006.0/RPMS/xine-gnomevfs-1.1.0-9.3.20060mdk.x86_64.rpm
537a00c6c9509a99d9112440dd49e7d1 x86_64/2006.0/RPMS/xine-image-1.1.0-9.3.20060mdk.x86_64.rpm
8b752a25e5220b0a846a44f16789b7c9 x86_64/2006.0/RPMS/xine-plugins-1.1.0-9.3.20060mdk.x86_64.rpm
b66deaeca87b2e72508e1ca72024f59e x86_64/2006.0/RPMS/xine-polyp-1.1.0-9.3.20060mdk.x86_64.rpm
e89abe16a92fc7fa2cafc9e0ab031ac5 x86_64/2006.0/RPMS/xine-smb-1.1.0-9.3.20060mdk.x86_64.rpm
ff8503a1b8087bc9181f07678438553d x86_64/2006.0/SRPMS/xine-lib-1.1.0-9.3.20060mdk.src.rpm

Corporate 3.0:
66d0662ba00565b4476925a9902d0f9a corporate/3.0/RPMS/libxine1-1-0.rc3.6.9.C30mdk.i586.rpm
2a084d80fe44d600fe0e609cde830539 corporate/3.0/RPMS/libxine1-devel-1-0.rc3.6.9.C30mdk.i586.rpm
b57f175e35f525f6b6b753823fc325d2 corporate/3.0/RPMS/xine-aa-1-0.rc3.6.9.C30mdk.i586.rpm
e0d664e3fc1a2b8d99102e24c496a272 corporate/3.0/RPMS/xine-arts-1-0.rc3.6.9.C30mdk.i586.rpm
38c038ef6e7d075308c4a2611b3f584c corporate/3.0/RPMS/xine-dxr3-1-0.rc3.6.9.C30mdk.i586.rpm
6afecd5f975522201bec5646fbd2ae21 corporate/3.0/RPMS/xine-esd-1-0.rc3.6.9.C30mdk.i586.rpm
c8895ac5be58e07ed8cd15cd81e350e6 corporate/3.0/RPMS/xine-flac-1-0.rc3.6.9.C30mdk.i586.rpm
c255ed0880402fe216f217056c9672ea corporate/3.0/RPMS/xine-gnomevfs-1-0.rc3.6.9.C30mdk.i586.rpm
b61bb1c61c95522f1dd5757fa3bd4a71 corporate/3.0/RPMS/xine-plugins-1-0.rc3.6.9.C30mdk.i586.rpm
d0a1c45466bb122ec7e4fb9caefa2cad corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.9.C30mdk.src.rpm

Corporate 3.0/X86_64:
6b61bb4adaf12bcbf3b0a499321eaad0 x86_64/corporate/3.0/RPMS/lib64xine1-1-0.rc3.6.9.C30mdk.x86_64.rpm
de9ab25205ea761b93a80167a580f833 x86_64/corporate/3.0/RPMS/lib64xine1-devel-1-0.rc3.6.9.C30mdk.x86_64.rpm
21cff9416555046fbb635597c21488ee x86_64/corporate/3.0/RPMS/xine-aa-1-0.rc3.6.9.C30mdk.x86_64.rpm
ae45767a2cec62c5bd4881cfd6128679 x86_64/corporate/3.0/RPMS/xine-arts-1-0.rc3.6.9.C30mdk.x86_64.rpm
b936148403fc056d0c6427de93dd43e9 x86_64/corporate/3.0/RPMS/xine-esd-1-0.rc3.6.9.C30mdk.x86_64.rpm
077ef2b064905109f8dc9f0473fb92e2 x86_64/corporate/3.0/RPMS/xine-flac-1-0.rc3.6.9.C30mdk.x86_64.rpm
0524630808f7398834e8234ddcbef63e x86_64/corporate/3.0/RPMS/xine-gnomevfs-1-0.rc3.6.9.C30mdk.x86_64.rpm
438c3ca4e2050d253d6d0108db150811 x86_64/corporate/3.0/RPMS/xine-plugins-1-0.rc3.6.9.C30mdk.x86_64.rpm
d0a1c45466bb122ec7e4fb9caefa2cad x86_64/corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.9.C30mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
lt;security*mandriva.comgt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEmHBfmqjQ0CJFipgRAlbUAKDUUil0PlZfHc0NjOkdEi0QXQf11ACcC+FW
E+NQPFSVEummnHm6+6kmdxU=
=ft5m
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/security_announce_mdksa_2006108__updated_xine_lib_packages_fix_buffer_overflow_vulnerabilities.html)