USN-196-1: Xine library vulnerability
Posted on: 10/10/2005 04:52 AM

A new Xine library vulnerability update is available for Ubuntu Linux. Here is the announcement:

Ubuntu Security Notice USN-196-1 October 10, 2005
xine-lib vulnerability
CAN-2005-2337
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

libxine1

The problem can be corrected by upgrading the affected package to
version 1-rc5-1ubuntu2.3 (for Ubuntu 4.10), or 1.0-1ubuntu3.1.1 (for
Ubuntu 5.04). In general, a standard system upgrade is sufficient to
effect the necessary changes.

Details follow:

Ulf Harnhammar discovered a format string vulnerability in the CDDB
module's cache file handling in the Xine library, which is
used by packages such as xine-ui, totem-xine, and gxine.

By tricking a user into playing a particular audio CD which has a
specially-crafted CDDB entry, a remote attacker could exploit this
vulnerability to execute arbitrary code with the privileges of the
user running the application. Since CDDB servers usually allow anybody
to add and modify information, this exploit does not even require a
particular CDDB server to be selected.

Updated packages for Ubuntu 4.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1-rc5-1ubuntu2.3.dsc
Size/MD5: 950 e8b459976c246115ffdf0a7c70d33afd
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1-rc5-1ubuntu2.3.diff.gz
Size/MD5: 220802 9a09fc5be2e6ffe4ad25d7409d539dad

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1-rc5-1ubuntu2.3_i386.deb
Size/MD5: 101504 0e2537474f53e72cf03635aee9640188
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1-rc5-1ubuntu2.3_i386.deb
Size/MD5: 3728856 d3777d7d0f85dd619659621af0687a9a

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1-rc5-1ubuntu2.3_powerpc.deb
Size/MD5: 3886682 16ab4ff1d009bf1129095711e6d6fbb4
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1-rc5-1ubuntu2.3_powerpc.deb
Size/MD5: 101518 5f4f1c57df84f66601bf7274a807389e

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1-rc5-1ubuntu2.3_amd64.deb
Size/MD5: 3543224 9193b24e44f9526e9e89fa9269882866
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1-rc5-1ubuntu2.3_amd64.deb
Size/MD5: 101510 4eeab16d35e134dc15c7b67900ecf656

Updated packages for Ubuntu 5.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0-1ubuntu3.1.1.diff.gz
Size/MD5: 2908 194be64a79278caf503b65ddd1fc7968
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0-1ubuntu3.1.1.dsc
Size/MD5: 1074 a0c124cb02ca58cd36776afb07d724b1

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1.0-1ubuntu3.1.1_i386.deb
Size/MD5: 3749742 8bb6e5a242160ac1c71d2c7a7e68d5f2
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0-1ubuntu3.1.1_i386.deb
Size/MD5: 106424 56a85d1ee4c7f60b0d8c372de2d02a6f

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0-1ubuntu3.1.1_powerpc.deb
Size/MD5: 106432 e5b89ac536f1ed4650cf792a6d38fc01
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1.0-1ubuntu3.1.1_powerpc.deb
Size/MD5: 3924858 aca067a3b3c66af4f7b88cd1e29474dc

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1.0-1ubuntu3.1.1_amd64.deb
Size/MD5: 3566960 f950cef43d0afead3e545cd3fd7df20b
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0-1ubuntu3.1.1_amd64.deb
Size/MD5: 106428 852bc6677a089f66677441749cf02b88
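
The bug class named in the advisory, as an added example (not xine-lib's code and not part of the Ubuntu announcement): text taken from a CDDB entry may reach a printf-family function only as an argument, never as the format. The function names and the sample DTITLE value are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Bug class, shown only as a comment: untrusted text in the format slot.
 *     fprintf(fp, value);    // directives inside value get interpreted
 * Hardened form below: constant format, untrusted text only as an argument. */
int format_cache_line(char *out, size_t n, const char *key, const char *value)
{
    int len = snprintf(out, n, "%s=%s\n", key, value);
    return (len < 0 || (size_t)len >= n) ? -1 : len;  /* -1: error or truncated */
}

/* Write one key=value line to the cache file; returns 0 on success. */
int cache_write_field(FILE *fp, const char *key, const char *value)
{
    char line[512];
    if (format_cache_line(line, sizeof line, key, value) < 0)
        return -1;
    return fputs(line, fp) == EOF ? -1 : 0;
}

/* Audit helper: count '%' directives in untrusted text, skipping the literal
 * "%%". Non-zero means the text would be interpreted, not copied, if it ever
 * reached a printf-family format parameter. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;            /* escaped percent, prints a single '%' */
        else
            n++;            /* conversion (or a dangling '%' at the end) */
    }
    return n;
}

int main(void)
{
    /* Constructed sample value standing in for a server-supplied disc title. */
    const char *title = "Artist / %x %s 100%% live";
    printf("directives found: %d\n", count_format_directives(title));
    return cache_write_field(stdout, "DTITLE", title);
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang flag the commented-out pattern wherever a non-literal string is passed as the only format argument.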





Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/usn_196_1_xine_library_vulnerability.html)