-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:298 http://www.mandriva.com/security/ _______________________________________________________________________ Package : xine-lib Date : November 13, 2009 Affected: Corporate 3.0 _______________________________________________________________________ Problem Description: Vulnerabilities have been discovered and corrected in xine-lib: - xine-lib before 1.1.15 allows remote attackers to cause a denial of service (crash) via mp3 files with metadata consisting only of separators (CVE-2008-5248) - Integer overflow in the qt_error parse_trak_atom function in demuxers/demux_qt.c in xine-lib 1.1.16.2 and earlier allows remote attackers to execute arbitrary code via a Quicktime movie file with a large count value in an STTS atom, which triggers a heap-based buffer overflow (CVE-2009-1274) - Integer overflow in the 4xm demuxer (demuxers/demux_4xm.c) in xine-lib 1.1.16.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a 4X movie file with a large current_track value, a similar issue to CVE-2009-0385 (CVE-2009-0698) This update fixes these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5248 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1274 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0698 _______________________________________________________________________ Updated Packages: Corporate 3.0: 47002044e449dde281941081839c6fa9 corporate/3.0/i586/libxine1-1-0.rc3.6.18.C30mdk.i586.rpm 0abdd642e1014e67f83445818c69d666 corporate/3.0/i586/libxine1-devel-1-0.rc3.6.18.C30mdk.i586.rpm 2190418670c91e44a8b48fe1c29afaa5 corporate/3.0/i586/xine-aa-1-0.rc3.6.18.C30mdk.i586.rpm 95a464b49a559cbc57eee48ae37224b9 corporate/3.0/i586/xine-arts-1-0.rc3.6.18.C30mdk.i586.rpm e95764e9cec627b27b416e001e7e7482 corporate/3.0/i586/xine-dxr3-1-0.rc3.6.18.C30mdk.i586.rpm 8829d42bc844675045b6153fe36021f1 corporate/3.0/i586/xine-esd-1-0.rc3.6.18.C30mdk.i586.rpm 7c5d8aea1c07df147cb4ae9b9a0c5464 corporate/3.0/i586/xine-flac-1-0.rc3.6.18.C30mdk.i586.rpm 136374c1cf768fd20bd16384a43d2677 corporate/3.0/i586/xine-gnomevfs-1-0.rc3.6.18.C30mdk.i586.rpm 0566b33424cf000e5c708fa3b4114f03 corporate/3.0/i586/xine-plugins-1-0.rc3.6.18.C30mdk.i586.rpm 2a3fd8d1416bcdb149ae0176b024894d corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.18.C30mdk.src.rpm Corporate 3.0/X86_64: 5bae0dd040512b8ca9192623241e25ff corporate/3.0/x86_64/lib64xine1-1-0.rc3.6.18.C30mdk.x86_64.rpm 5c7e07610511ae684a31ce859c8ebcf6 corporate/3.0/x86_64/lib64xine1-devel-1-0.rc3.6.18.C30mdk.x86_64.rpm f7431390bbd6b04bd7e1c6d684c033e1 corporate/3.0/x86_64/xine-aa-1-0.rc3.6.18.C30mdk.x86_64.rpm 094905da7c51e1d15d9af52735a8b8e1 corporate/3.0/x86_64/xine-arts-1-0.rc3.6.18.C30mdk.x86_64.rpm 5490e9cc4ca21c0f00dbe1d097f00232 corporate/3.0/x86_64/xine-esd-1-0.rc3.6.18.C30mdk.x86_64.rpm e144fea85dcfc1749dff42824c66eb40 corporate/3.0/x86_64/xine-flac-1-0.rc3.6.18.C30mdk.x86_64.rpm 276d7b3f1d16c3bb730124b483edcc40 corporate/3.0/x86_64/xine-gnomevfs-1-0.rc3.6.18.C30mdk.x86_64.rpm a638804b41ab4fec8bb16118da7e19fe corporate/3.0/x86_64/xine-plugins-1-0.rc3.6.18.C30mdk.x86_64.rpm 2a3fd8d1416bcdb149ae0176b024894d corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.18.C30mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFK/cnPmqjQ0CJFipgRAkD1AJ9ijkhXTb3c8+BfefIpF5DMCkhFOwCdH+w5 m2PUfeKqIDMhR50WpumwmRY= =gQmZ -----END PGP SIGNATURE-----