http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3329
The xvid library is vulnerable to some array indexing problems when processing AVI, H.263, or MPEG files. As of 25 June there's no patch; it may be that the maintainers don't even know about this yet.
setting status.
head is patched: http://cvs.xvid.org/cvs/viewvc.cgi/xvidcore/src/bitstream/mbcoding.c
xvid-1.1.3 was released today w/this fix
*** Bug 183786 has been marked as a duplicate of this bug. ***
Bumped but temp. masked for testing. Security, don't do anything yet. Applications in tree using xvid:
  media-tv/xdtv:xvid
  media-video/avidemux:xvid
  media-video/ffmpeg:xvid
  media-video/gpac:xvid
  media-video/mpeg4ip:xvid
  media-video/mplayer:xvid
  media-video/transcode:xvid
Reporting back here when it's tested and unmasked.
Text relocation from bug 135326 is still present at version 1.1.3, which is now unmasked; it's NOT a regression to current stable 1.1.0-r3. I've tested mplayer and ffmpeg with multiple video files and they are fine. Proceed and let arch teams test[1] and stable it.
[1] Would be nice to have input from arch testers about other applications listed in this bug.
ok moving to stable. Arches, please stabilize:
  media-libs/xvid-1.1.3
Sorry about the delay.
sparc stable.
Stable for HPPA.
ppc64 stable
alpha/x86 stable
amd64 stable
ia64 stable, thanks drac for fixing this :)
ppc stable
arm folks, any progress? I'm going ahead with the glsa-request on this, since we're already late.
arm is not security supported, and the glsa has already been drafted by Dercorny. You may review it, and other drafts too actually :)
  xvid-1.0.2.ebuild:KEYWORDS="~mips"
  xvid-1.0.3.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
  xvid-1.1.0-r1.ebuild:KEYWORDS="alpha amd64 ~arm hppa ~ia64 ppc ppc64 sparc x86 ~x86-fbsd"
  xvid-1.1.0-r3.ebuild:KEYWORDS="alpha amd64 arm ~hppa ia64 ~ppc ppc64 sparc x86 ~x86-fbsd"
  xvid-1.1.3.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 ~x86-fbsd"
Looks done to me except for ~mips at xvid-1.0.2
GLSA 200708-02, thanks everybody.