USN-230-2: ffmpeg/xine-lib vulnerability
Posted on: 12/16/2005 02:12 PM

A new ffmpeg/xine-lib vulnerability update is available for Ubuntu Linux. Here the announcement:

Ubuntu Security Notice USN-230-2 December 16, 2005
xine-lib vulnerability
CVE-2005-4048
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

libxine1
libxine1c2

The problem can be corrected by upgrading the affected package to
version 1-rc5-1ubuntu2.4 (for Ubuntu 4.10), 1.0-1ubuntu3.6 (for Ubuntu
5.04), or 1.0.1-1ubuntu10.2 (for Ubuntu 5.10). In general, a standard
system upgrade is sufficient to effect the necessary changes.

Details follow:

USN-230-1 fixed a vulnerability in the ffmpeg library. The Xine
library contains a copy of the ffmpeg code, thus it is vulnerable to
the same flaw.

For reference, this is the original advisory:

Simon Kilvington discovered a buffer overflow in the
avcodec_default_get_buffer() function of the ffmpeg library. By
tricking an user into opening a malicious movie which contains
specially crafted PNG images, this could be exploited to execute
arbitrary code with the user's privileges.


Updated packages for Ubuntu 4.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1-rc5-1ubuntu2.4.dsc
Size/MD5: 950 0b0865913672df5c80783279f471bf66
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1-rc5-1ubuntu2.4.diff.gz
Size/MD5: 222131 bf99e51c425cfdbac9b6c76e17504ed6

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1-rc5-1ubuntu2.4_i386.deb
Size/MD5: 101724 195cb67c660bc24a63991c3e69ec381e
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1-rc5-1ubuntu2.4_i386.deb
Size/MD5: 3729248 596d1f0437b94625ab38770f1086a03e

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1-rc5-1ubuntu2.4_powerpc.deb
Size/MD5: 3886766 1635110e5c74867f1657aacf8ff0e09a
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1-rc5-1ubuntu2.4_powerpc.deb
Size/MD5: 101728 e2960b0070421b8ef2be3f9ee40f6528

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1-rc5-1ubuntu2.4_amd64.deb
Size/MD5: 3543532 82f8b13cd4cf2fc51f6d90a64ad214b4
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1-rc5-1ubuntu2.4_amd64.deb
Size/MD5: 101722 0bb5d4a49d5f04f680dd1a38c5790191

Updated packages for Ubuntu 5.04:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0-1ubuntu3.6.diff.gz
Size/MD5: 4401 f6a606d82d9379f6bb6fdf4c0f9e4cb3
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0-1ubuntu3.6.dsc
Size/MD5: 1070 1fae1b7df974523161bcc5e90bb47912
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0.orig.tar.gz
Size/MD5: 7384258 96e5195c366064e7778af44c3e71f43a

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0-1ubuntu3.6_amd64.deb
Size/MD5: 106758 9ce395434edc4bbc07151e13cc018b93
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1.0-1ubuntu3.6_amd64.deb
Size/MD5: 3567328 45842025ea2de6efdcb07276a78f03ed

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0-1ubuntu3.6_i386.deb
Size/MD5: 106756 e3ed2f29ec5d37f37b238c5d43140bd9
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1.0-1ubuntu3.6_i386.deb
Size/MD5: 3750250 8df1800276d5e9ba8710c726d511e331

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0-1ubuntu3.6_powerpc.deb
Size/MD5: 106780 f3310108f59d253cc7c97a2ccdafce95
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1.0-1ubuntu3.6_powerpc.deb
Size/MD5: 3925408 4801437ecc43845c7096d03c0e8a110d

Updated packages for Ubuntu 5.10:

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0.1-1ubuntu10.2.diff.gz
Size/MD5: 9220 fa3727a5c30b96fa30214b74901f9b37
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0.1-1ubuntu10.2.dsc
Size/MD5: 1186 b12c0731582c9ac6016af90a6758b222
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.0.1.orig.tar.gz
Size/MD5: 7774954 9be804b337c6c3a2e202c5a7237cb0f8

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0.1-1ubuntu10.2_amd64.deb
Size/MD5: 108796 fe4af1d1d64655076434bac4bd4e6121
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1c2_1.0.1-1ubuntu10.2_amd64.deb
Size/MD5: 3610978 7fccf1da401ca96a9552b9ba54818919

i386 architecture (x86 compatible Intel/AMD)

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0.1-1ubuntu10.2_i386.deb
Size/MD5: 108800 c2ee1c0f1f316bc2aea565fcdf085088
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1c2_1.0.1-1ubuntu10.2_i386.deb
Size/MD5: 4003584 927c4619ca803b02b344d2b0f2fa7c80

powerpc architecture (Apple Macintosh G3/G4/G5)

http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.0.1-1ubuntu10.2_powerpc.deb
Size/MD5: 108814 8fc0d0ff3d7465e88158509aea0c6a89
http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1c2_1.0.1-1ubuntu10.2_powerpc.deb
Size/MD5: 3849320 edbcca0353f5da1a2e76e6d2fba85d92

--y0ulUmNC+osPPQO6
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDoramDecnbV4Fd/IRArhWAJ4kX+ormJVjvaPVeI300LWpHTUiFACePrJn
jaTH4BUc/fktuNk4zfJ4J6Y=
=lROE
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/usn_230_2_ffmpegxine_lib_vulnerability.html)