[Security Announce] [ MDKSA-2007:057 ] - Updated xine-lib packages to address buffer overflow vulnerability
Posted on: 03/08/2007 04:45 PM

The Mandriva Security Team published a new security update for Mandriva Linux. Here is the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2007:057
http://www.mandriva.com/security/
_______________________________________________________________________

Package : xine-lib
Date : March 8, 2007
Affected: 2007.0, Corporate 3.0
_______________________________________________________________________

Problem Description:

The DMO_VideoDecoder_Open function in dmo/DMO_VideoDecoder.c in
xine-lib does not set the biSize before use in a memcpy, which allows
user-assisted remote attackers to cause a buffer overflow and possibly
execute arbitrary code.

Updated packages have been patched to address this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1246
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.0:
241273125b4e2014a0fa1580c7ed0413 2007.0/i586/libxine1-1.1.2-3.3mdv2007.0.i586.rpm
e2855220283ec658301068cf00bb266a 2007.0/i586/libxine1-devel-1.1.2-3.3mdv2007.0.i586.rpm
b98b3376e156fb87a34f30aad34e65e5 2007.0/i586/xine-aa-1.1.2-3.3mdv2007.0.i586.rpm
88d1b8d538dcff220bf528674d0bf5b0 2007.0/i586/xine-arts-1.1.2-3.3mdv2007.0.i586.rpm
ce54bd05bd941b2224c549bf685c0a08 2007.0/i586/xine-dxr3-1.1.2-3.3mdv2007.0.i586.rpm
0e33ea09058a1cd82fd8720278243c14 2007.0/i586/xine-esd-1.1.2-3.3mdv2007.0.i586.rpm
0e8c92ffdc4c3c8073531a72a47da8ca 2007.0/i586/xine-flac-1.1.2-3.3mdv2007.0.i586.rpm
3d7eb8f9a5f45ddebd7ccc20cec808f0 2007.0/i586/xine-gnomevfs-1.1.2-3.3mdv2007.0.i586.rpm
5a1390613c4505b2bfcd326ff0156b0c 2007.0/i586/xine-image-1.1.2-3.3mdv2007.0.i586.rpm
79899e7608558bb490003b9cba2a978c 2007.0/i586/xine-plugins-1.1.2-3.3mdv2007.0.i586.rpm
ed4c39cfe82d66caa19c023a8495c4a1 2007.0/i586/xine-sdl-1.1.2-3.3mdv2007.0.i586.rpm
9256f65fff35cd6c25fd0b19823dcc8a 2007.0/i586/xine-smb-1.1.2-3.3mdv2007.0.i586.rpm
0bf2ceba6a15a079bf2890265b8f1a55 2007.0/SRPMS/xine-lib-1.1.2-3.3mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
d92a6bebe5c1e915ed6dca150f32de2e 2007.0/x86_64/lib64xine1-1.1.2-3.3mdv2007.0.x86_64.rpm
eb0c2f9d95f04e3d9c8ea1282c41f5dc 2007.0/x86_64/lib64xine1-devel-1.1.2-3.3mdv2007.0.x86_64.rpm
cd81757a9c25e480d10932cb4d40f6e0 2007.0/x86_64/xine-aa-1.1.2-3.3mdv2007.0.x86_64.rpm
acbaf60373d75281d3c3c7da24d7a1de 2007.0/x86_64/xine-arts-1.1.2-3.3mdv2007.0.x86_64.rpm
38997b2bd174345dcec41682569868c1 2007.0/x86_64/xine-dxr3-1.1.2-3.3mdv2007.0.x86_64.rpm
2425cc89f26171fc32f889ccf0b5b96c 2007.0/x86_64/xine-esd-1.1.2-3.3mdv2007.0.x86_64.rpm
5ddcb92e47e6f35de1db5482edf98a9c 2007.0/x86_64/xine-flac-1.1.2-3.3mdv2007.0.x86_64.rpm
c68e811900a94bd92d65832f64bcdb8a 2007.0/x86_64/xine-gnomevfs-1.1.2-3.3mdv2007.0.x86_64.rpm
f6aa73615c7c9a7238838641afc6af6a 2007.0/x86_64/xine-image-1.1.2-3.3mdv2007.0.x86_64.rpm
4437aff317d159abbd1785fbe53368e7 2007.0/x86_64/xine-plugins-1.1.2-3.3mdv2007.0.x86_64.rpm
4f062b56c298e09b0ec364c18814917f 2007.0/x86_64/xine-sdl-1.1.2-3.3mdv2007.0.x86_64.rpm
fa2a314dbde0ccedf85043e10d94f3d3 2007.0/x86_64/xine-smb-1.1.2-3.3mdv2007.0.x86_64.rpm
0bf2ceba6a15a079bf2890265b8f1a55 2007.0/SRPMS/xine-lib-1.1.2-3.3mdv2007.0.src.rpm

Corporate 3.0:
dffe302693d57f09ad55573f20400258 corporate/3.0/i586/libxine1-1-0.rc3.6.15.C30mdk.i586.rpm
76bb6cba723566a5a0a02043d5e02fe2 corporate/3.0/i586/libxine1-devel-1-0.rc3.6.15.C30mdk.i586.rpm
24645aa6d547c1077236248eb54645f0 corporate/3.0/i586/xine-aa-1-0.rc3.6.15.C30mdk.i586.rpm
246938c45fe9d795c96aa349bf8cd107 corporate/3.0/i586/xine-arts-1-0.rc3.6.15.C30mdk.i586.rpm
0af50984ecd9fd2979f3da178871ac1d corporate/3.0/i586/xine-dxr3-1-0.rc3.6.15.C30mdk.i586.rpm
80b08a823d7793fb677bbb121a07f9cb corporate/3.0/i586/xine-esd-1-0.rc3.6.15.C30mdk.i586.rpm
31c8ad519bfab253300f5d575ea22f5b corporate/3.0/i586/xine-flac-1-0.rc3.6.15.C30mdk.i586.rpm
38bcaf1e4bf6f673c0e39048e7701348 corporate/3.0/i586/xine-gnomevfs-1-0.rc3.6.15.C30mdk.i586.rpm
27627560d6c1c7e5aa2fd63bde435b37 corporate/3.0/i586/xine-plugins-1-0.rc3.6.15.C30mdk.i586.rpm
3f124f14f5fa8b1e7e3f3917afda3705 corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.15.C30mdk.src.rpm

Corporate 3.0/X86_64:
0182ddc1159b46c24589b397412733e1 corporate/3.0/x86_64/lib64xine1-1-0.rc3.6.15.C30mdk.x86_64.rpm
01cb9805548452a161da99ad385ed474 corporate/3.0/x86_64/lib64xine1-devel-1-0.rc3.6.15.C30mdk.x86_64.rpm
b121a2b09b0da74ad2553f94319c2771 corporate/3.0/x86_64/xine-aa-1-0.rc3.6.15.C30mdk.x86_64.rpm
91534b8494ab6ac1eec6c47261f6389b corporate/3.0/x86_64/xine-arts-1-0.rc3.6.15.C30mdk.x86_64.rpm
81d95f1a15722144e856384e4fe4a27b corporate/3.0/x86_64/xine-esd-1-0.rc3.6.15.C30mdk.x86_64.rpm
f35de55cb2d1b241c60479728ab84ca0 corporate/3.0/x86_64/xine-flac-1-0.rc3.6.15.C30mdk.x86_64.rpm
b83e2f8b1cbf0802077ee0f7bc1ac6ec corporate/3.0/x86_64/xine-gnomevfs-1-0.rc3.6.15.C30mdk.x86_64.rpm
aa6982efb1978493f4d278e5d7ee8787 corporate/3.0/x86_64/xine-plugins-1-0.rc3.6.15.C30mdk.x86_64.rpm
3f124f14f5fa8b1e7e3f3917afda3705 corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.15.C30mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF7/rEmqjQ0CJFipgRAtZdAJ94tgd8KDteZ2S363e6T0kKNlNV/ACeMI5H
JdD2wOBXCUVX7Vv3c2bdD1Y=
=X6nW
-----END PGP SIGNATURE-----
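
The bug class named in the Problem Description, a header size field used as a memcpy length without first being set to match the buffer, can be shown with a simplified example. This is an added illustration, not xine-lib's code or the Mandriva patch; the struct `vid_hdr`, the functions `hdr_dup_checked` and `hdr_copy_into`, and the `MAX_HDR` cap are hypothetical names chosen for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-in for a BITMAPINFOHEADER-style struct. */
typedef struct {
    uint32_t biSize;        /* header plus trailing codec data, in bytes */
    int32_t  biWidth;
    int32_t  biHeight;
    uint32_t biCompression;
} vid_hdr;

#define MAX_HDR 4096u       /* assumed sanity cap on header size */

/* Duplicate an untrusted header; avail = bytes actually readable at src.
 * Returns a heap copy whose biSize equals its allocation size, or NULL. */
vid_hdr *hdr_dup_checked(const void *src, size_t avail)
{
    vid_hdr tmp;
    if (src == NULL || avail < sizeof tmp) return NULL;
    memcpy(&tmp, src, sizeof tmp);

    size_t n = tmp.biSize;
    if (n < sizeof tmp) n = sizeof tmp;      /* normalise an undersized claim */
    if (n > avail || n > MAX_HDR) return NULL; /* claim exceeds the input */

    vid_hdr *copy = malloc(n);
    if (copy == NULL) return NULL;
    memcpy(copy, src, n);
    /* Set the size field before anything uses it as a length, so it can
     * never disagree with the allocation made above. */
    copy->biSize = (uint32_t)n;
    return copy;
}

/* Later consumer: uses biSize as the copy length only after checking it
 * against the destination capacity. */
int hdr_copy_into(void *dst, size_t dst_cap, const vid_hdr *h)
{
    if (dst == NULL || h == NULL) return -1;
    if (h->biSize < sizeof *h || h->biSize > dst_cap) return -1;
    memcpy(dst, h, h->biSize);
    return 0;
}
```

The unsafe pattern is the same two steps without the assignment and the bounds checks: the copy keeps whatever size the input file claimed, and a later memcpy trusts it.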



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/security_announce_mdksa_2007057__updated_xine_lib_packages_to_address_buffer_overflow_vulnerability.html)