[Security Announce] [ MDKSA-2007:062 ] - Updated xine-lib packages to address buffer overflow vulnerability
Posted on: 03/13/2007 07:50 PM

The Mandriva Security Team published a new security update for Mandriva Linux. Here is the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2007:062
http://www.mandriva.com/security/
_______________________________________________________________________

Package : xine-lib
Date : March 13, 2007
Affected: 2007.0, Corporate 3.0
_______________________________________________________________________

Problem Description:

The DS_VideoDecoder_Open function in DirectShow/DS_VideoDecoder.c in
xine-lib does not set the biSize before use in a memcpy, which allows
user-assisted remote attackers to cause a buffer overflow and possibly
execute arbitrary code.

Updated packages have been patched to address this issue.
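The problem description above names a classic bug class: a length field read from the media file (here biSize) feeds a memcpy without first being checked against the destination, so a crafted header can write past the end of the decoder's state. The following C program is an added illustration of that pattern and of the fix, not code from xine-lib or from Mandriva: the bih_t and decoder_t layouts, the MAX_EXTRA limit, the function names open_unsafe, open_safe and make_header, and the sample headers are all constructed for this example. The hardened form bounds the declared length by both the bytes actually present and the size of the destination object, and then stores the validated length in biSize rather than trusting the raw field.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the BITMAPINFOHEADER a DirectShow codec wrapper
 * copies out of the media file. Layout and field set are constructed for this
 * example; only the biSize field and the bug pattern come from the advisory. */
typedef struct {
    uint32_t biSize;        /* header length as declared by the file: untrusted */
    int32_t  biWidth;
    int32_t  biHeight;
    uint16_t biPlanes;
    uint16_t biBitCount;
    uint32_t biCompression;
    uint32_t biSizeImage;
} bih_t;

#define MAX_EXTRA 64        /* extradata bytes this example's decoder will hold */

/* Fixed-size decoder state: the header followed by codec extradata. */
typedef struct {
    bih_t         bh;
    unsigned char extra[MAX_EXTRA];
} decoder_t;

/* VULNERABLE pattern (shown for contrast; only ever called below with a
 * well-formed header): the copy length is whatever biSize the file declares,
 * so a large value writes past the end of *dec. */
void open_unsafe(decoder_t *dec, const unsigned char *buf)
{
    uint32_t bisize;
    memcpy(&bisize, buf, sizeof bisize);  /* file-controlled length */
    memcpy(dec, buf, bisize);             /* never checked against sizeof *dec */
}

/* HARDENED form: bound biSize by the source buffer and the destination object
 * before copying, then store the validated length rather than the raw field.
 * Returns 0 when the header is accepted, -1 when it is rejected. */
int open_safe(decoder_t *dec, const unsigned char *buf, size_t buflen)
{
    uint32_t bisize;
    if (buflen < sizeof(bih_t))
        return -1;                        /* truncated: not even a full header */
    memcpy(&bisize, buf, sizeof bisize);  /* header assumed to be in host byte order */
    if (bisize < sizeof(bih_t))
        return -1;                        /* claims less than the fixed part */
    if (bisize > sizeof(decoder_t))
        return -1;                        /* would overrun header + extradata */
    if (bisize > buflen)
        return -1;                        /* claims more bytes than the file has */
    memset(dec, 0, sizeof *dec);
    memcpy(dec, buf, bisize);
    dec->bh.biSize = bisize;              /* set biSize from the checked value */
    return 0;
}

/* Build a constructed sample header: the fixed part with the caller's declared
 * biSize, followed by extra_len bytes of 0xAB extradata. Returns the number of
 * bytes written to out, or 0 if the header does not fit. */
size_t make_header(unsigned char *out, size_t outlen,
                   uint32_t declared_bisize, size_t extra_len)
{
    bih_t h = { declared_bisize, 320, 240, 1, 24, 0, 320u * 240u * 3u };
    size_t total = sizeof h + extra_len;
    if (total > outlen)
        return 0;
    memcpy(out, &h, sizeof h);
    memset(out + sizeof h, 0xAB, extra_len);
    return total;
}

int main(void)
{
    unsigned char buf[512];
    decoder_t dec;
    size_t n;

    /* Well-formed header: 24-byte fixed part plus 16 bytes of extradata. */
    n = make_header(buf, sizeof buf, 24 + 16, 16);
    open_unsafe(&dec, buf);               /* fine on good input, which is why the bug hides */
    printf("safe, benign header:    %d\n", open_safe(&dec, buf, n));

    /* Hostile header: declares 4096 bytes while *dec holds sizeof(decoder_t). */
    n = make_header(buf, sizeof buf, 4096, 16);
    printf("safe, oversized biSize: %d\n", open_safe(&dec, buf, n));

    /* Header that claims more bytes than the file actually contains. */
    n = make_header(buf, sizeof buf, 24 + 32, 16);
    printf("safe, biSize > file:    %d\n", open_safe(&dec, buf, n));
    return 0;
}
```

The three rejections in open_safe are the checks a reviewer would look for in any parser that copies a self-describing header: the declared length must be at least the fixed part, at most the destination, and at most what the input actually contains. Overwriting biSize with the validated value afterwards means later code that reads the field back gets a number that has already been bounded.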
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1387
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.0:
d2e289c13ea882d14f817ba71e41d336 2007.0/i586/libxine1-1.1.2-3.4mdv2007.0.i586.rpm
aa4fd726e47070a83a132850fa684d62 2007.0/i586/libxine1-devel-1.1.2-3.4mdv2007.0.i586.rpm
4feb666d7b2045248cffd66f8b9df0a0 2007.0/i586/xine-aa-1.1.2-3.4mdv2007.0.i586.rpm
207381458e062535033eaa0722c12274 2007.0/i586/xine-arts-1.1.2-3.4mdv2007.0.i586.rpm
19562b2d31db0847167c0ce4dfcd298a 2007.0/i586/xine-dxr3-1.1.2-3.4mdv2007.0.i586.rpm
e1e2f2b823e97816141bc01debc74815 2007.0/i586/xine-esd-1.1.2-3.4mdv2007.0.i586.rpm
29bd3e9f33a6baeb52f483bf6f4c4cbc 2007.0/i586/xine-flac-1.1.2-3.4mdv2007.0.i586.rpm
547d3973370af31d1d2150388047242e 2007.0/i586/xine-gnomevfs-1.1.2-3.4mdv2007.0.i586.rpm
9f5f6e832d6111b05d2a1d5252324556 2007.0/i586/xine-image-1.1.2-3.4mdv2007.0.i586.rpm
cdacc373a7c641de3399ac592bb7ce31 2007.0/i586/xine-plugins-1.1.2-3.4mdv2007.0.i586.rpm
65ca8caf2a8b6b04ca6329c8f2eb5fac 2007.0/i586/xine-sdl-1.1.2-3.4mdv2007.0.i586.rpm
0f1952c700b3f85ad0ee7ece6bd57924 2007.0/i586/xine-smb-1.1.2-3.4mdv2007.0.i586.rpm
93c875b4198b703e422d1476890fef45 2007.0/SRPMS/xine-lib-1.1.2-3.4mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
2a0bc2e8e573d5175c3f593369f38c6b 2007.0/x86_64/lib64xine1-1.1.2-3.4mdv2007.0.x86_64.rpm
82388a626d123e90c70ce277de200823 2007.0/x86_64/lib64xine1-devel-1.1.2-3.4mdv2007.0.x86_64.rpm
348919ec1de9625cd8bbd7e2d88522c7 2007.0/x86_64/xine-aa-1.1.2-3.4mdv2007.0.x86_64.rpm
2013b83608d6494fda52ffdca89009d0 2007.0/x86_64/xine-arts-1.1.2-3.4mdv2007.0.x86_64.rpm
03cc8705d3b75ae6225f1e8d0c0824be 2007.0/x86_64/xine-dxr3-1.1.2-3.4mdv2007.0.x86_64.rpm
859faa7710626d9dbb6f42db98372392 2007.0/x86_64/xine-esd-1.1.2-3.4mdv2007.0.x86_64.rpm
d74ee116ce6f7a97fa7d17ea88ef96f5 2007.0/x86_64/xine-flac-1.1.2-3.4mdv2007.0.x86_64.rpm
274fae23965408f6f2f7e34804688002 2007.0/x86_64/xine-gnomevfs-1.1.2-3.4mdv2007.0.x86_64.rpm
4e43ff21256efff199566263c61acce8 2007.0/x86_64/xine-image-1.1.2-3.4mdv2007.0.x86_64.rpm
97ebd01e9b799505b1f45405f766348c 2007.0/x86_64/xine-plugins-1.1.2-3.4mdv2007.0.x86_64.rpm
b2acd2f8fbbe8bdf611bd4ace8fbd5e9 2007.0/x86_64/xine-sdl-1.1.2-3.4mdv2007.0.x86_64.rpm
714dbb090940c603c04af2e5ee49a015 2007.0/x86_64/xine-smb-1.1.2-3.4mdv2007.0.x86_64.rpm
93c875b4198b703e422d1476890fef45 2007.0/SRPMS/xine-lib-1.1.2-3.4mdv2007.0.src.rpm

Corporate 3.0:
64b04dd03e7dd8c2fdf0eafe1657f847 corporate/3.0/i586/libxine1-1-0.rc3.6.16.C30mdk.i586.rpm
a993a7335234de0a04897e08ccf051c2 corporate/3.0/i586/libxine1-devel-1-0.rc3.6.16.C30mdk.i586.rpm
caba4626022fba5a9cf25d5ad14efabb corporate/3.0/i586/xine-aa-1-0.rc3.6.16.C30mdk.i586.rpm
c0c51c0d727989e0ab6ce4e2c634ba4d corporate/3.0/i586/xine-arts-1-0.rc3.6.16.C30mdk.i586.rpm
5d5f45b371f09af58865680294a40fc9 corporate/3.0/i586/xine-dxr3-1-0.rc3.6.16.C30mdk.i586.rpm
4d5eca9779ad48d3ed68945be314dce6 corporate/3.0/i586/xine-esd-1-0.rc3.6.16.C30mdk.i586.rpm
6728f1b5ced272279f07c3ea8b6c215a corporate/3.0/i586/xine-flac-1-0.rc3.6.16.C30mdk.i586.rpm
7a6c818e2680ade52c9c50544bed3dd1 corporate/3.0/i586/xine-gnomevfs-1-0.rc3.6.16.C30mdk.i586.rpm
21f1bf5aaa2e9679a29b35729ba14994 corporate/3.0/i586/xine-plugins-1-0.rc3.6.16.C30mdk.i586.rpm
ad7e6fa7087adbc1bb8a0e4c94d99495 corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.16.C30mdk.src.rpm

Corporate 3.0/X86_64:
b56f4b45e516467ae600f645c2e00340 corporate/3.0/x86_64/lib64xine1-1-0.rc3.6.16.C30mdk.x86_64.rpm
00fc8ab54f83353bd21879e9dcfaf1fa corporate/3.0/x86_64/lib64xine1-devel-1-0.rc3.6.16.C30mdk.x86_64.rpm
728e4aae0df591bd2789c20bcc41113c corporate/3.0/x86_64/xine-aa-1-0.rc3.6.16.C30mdk.x86_64.rpm
e74ffa53f1bc4136871dbffa279c486a corporate/3.0/x86_64/xine-arts-1-0.rc3.6.16.C30mdk.x86_64.rpm
1d52f3fe25c0067a3d16736f226db8aa corporate/3.0/x86_64/xine-esd-1-0.rc3.6.16.C30mdk.x86_64.rpm
8520f81cd8d5ebea949b67246752d178 corporate/3.0/x86_64/xine-flac-1-0.rc3.6.16.C30mdk.x86_64.rpm
be45d6b15d5ee8d5073b804b3683b937 corporate/3.0/x86_64/xine-gnomevfs-1-0.rc3.6.16.C30mdk.x86_64.rpm
00a911f2290f4a9b15854629eca0a8ae corporate/3.0/x86_64/xine-plugins-1-0.rc3.6.16.C30mdk.x86_64.rpm
ad7e6fa7087adbc1bb8a0e4c94d99495 corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.16.C30mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFF9sPlmqjQ0CJFipgRApa2AJ9mq7Ww1DcQk94HAC/BMp9e/9z20QCguPWi
xmVYmhf2DRAepzBWBkNUVVQ=
=A+Ds
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/security_announce_mdksa_2007062__updated_xine_lib_packages_to_address_buffer_overflow_vulnerability.html)