mystified Posted October 16, 2004 Report Share Posted October 16, 2004 Mandrakesoft Security Advisories Package name xine-lib Date October 6th, 2004 Advisory ID MDKSA-2004:105 Affected versions 10.0 Synopsis Updated xine-lib packages fix multiple vulnerabilities Problem Description A number of string overflows were discovered in the xine-lib program, some of which can be used for remote buffer overflow exploits that lead to the execution of arbitrary code with the permissions of the user running a xine-lib-based media application. xine-lib versions 1-rc2 through, and including, 1-rc5 are vulnerable to these problems. As well, a heap overflow was found in the DVD subpicture decoder of xine-lib; this vulnerability is also remotely exploitable. All versions of xine-lib prior to and including 0.5.2 through, and including, 1-rc5 are vulnerable to this problem. Patches from the xine-lib team have been backported and applied to the program to solve these problems. Updated Packages Mandrakelinux 10.0 10ce6885addcfa3a9ed0380805fcbce6 10.0/RPMS/libxine1-1-0.rc3.6.2.100mdk.i586.rpm 2a1341dfa762f5208673ab20ec5d9092 10.0/RPMS/libxine1-devel-1-0.rc3.6.2.100mdk.i586.rpm a654845136034c4cdb30ed89a0ca81b7 10.0/RPMS/xine-aa-1-0.rc3.6.2.100mdk.i586.rpm e70b118d3bdd2a9a9dc48143601f78a4 10.0/RPMS/xine-arts-1-0.rc3.6.2.100mdk.i586.rpm 1ff7a30cd60c470f4d89cebfaf33d5f8 10.0/RPMS/xine-dxr3-1-0.rc3.6.2.100mdk.i586.rpm 2be55268cb20ff387313f662d19e5112 10.0/RPMS/xine-esd-1-0.rc3.6.2.100mdk.i586.rpm 8ea540e75311662ee5db57a0fa38e51a 10.0/RPMS/xine-flac-1-0.rc3.6.2.100mdk.i586.rpm ba12f4c0368e6d81f6965c64e13796a0 10.0/RPMS/xine-gnomevfs-1-0.rc3.6.2.100mdk.i586.rpm 253a8c8dac5200fe7afc3d5d502be1ed 10.0/RPMS/xine-plugins-1-0.rc3.6.2.100mdk.i586.rpm 0f65783b02ceea2ee697af41a4406d76 10.0/SRPMS/xine-lib-1-0.rc3.6.2.100mdk.src.rpm Mandrakelinux 10.0/AMD64 12e4e1ef7a03cee73b025f106de3f05e amd64/10.0/RPMS/lib64xine1-1-0.rc3.6.2.100mdk.amd64.rpm b04a4aa8e15009fe67e7cbd2b5d7304f amd64/10.0/RPMS/lib64xine1-devel-1-0.rc3.6.2.100mdk.amd64.rpm dec9a4e10c6c1f3cda08a252bfa54963 amd64/10.0/RPMS/xine-aa-1-0.rc3.6.2.100mdk.amd64.rpm 76890b85ba9cc2ddd84bc8f7f79e1482 amd64/10.0/RPMS/xine-arts-1-0.rc3.6.2.100mdk.amd64.rpm fbf465711eda60e57198666c0c693267 amd64/10.0/RPMS/xine-esd-1-0.rc3.6.2.100mdk.amd64.rpm e5921bb72c4a819a685d736301643c4d amd64/10.0/RPMS/xine-flac-1-0.rc3.6.2.100mdk.amd64.rpm c79055804621f8ff95ad738a75bcc5d6 amd64/10.0/RPMS/xine-gnomevfs-1-0.rc3.6.2.100mdk.amd64.rpm 72781a34d4b3f83d2e4a3e5226ed5942 amd64/10.0/RPMS/xine-plugins-1-0.rc3.6.2.100mdk.amd64.rpm 0f65783b02ceea2ee697af41a4406d76 amd64/10.0/SRPMS/xine-lib-1-0.rc3.6.2.100mdk.src.rpm References http://xinehq.de/index.php/security/XSA-2004-4 http://xinehq.de/index.php/security/XSA-2004-5 Upgrade To upgrade automatically, use MandrakeUpdate. Verification Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command: rpm --checksig package.rpm You can get the GPG public key of the Mandrakelinux Security Team to verify the GPG signature of each RPM. If you use MandrakeUpdate, the verification of md5 checksum and GPG signature is performed automatically for you. Link to comment Share on other sites More sharing options...
Recommended Posts