Ulf Harnhammar reports : When you use xine or gxine to play a CD, the programs will connect to a CDDB server to retrieve the record's artist/band and title as well as the song titles. The programs write this information to a cache file, and the code in xine-lib that performs this action suffers from a format string security bug, allowing remote execution of arbitrary code. It is worth noting that CDDB servers allow any user to add or modify information about records. [...] This bug could be used for automated attacks against anyone who listens to particular CD's in xine or gxine.
Created attachment 69695 [details, diff] xine-lib.formatstring.patch Patch from Ulf Harnhammar
Diego, could you prepare and attach on this bug new ebuild(s) for xine-lib fixing this ? Please do not commit them to Portage before the release date (currently set to October 8th), we'll have arch testers test them from here.
Created attachment 69847 [details] xine-lib-1.1.0-r5.ebuild This is going stable for sparc, alpha, ppc64 and ia64 (and amd64 would be great too, as this should fix problems with current stable).
Created attachment 69848 [details] xine-lib-1.0.1-r4.ebuild This is the will-be stable for everything else (but mips probably).
Created attachment 69849 [details] xine-lib-1_rc8-r2.ebuild And this last one is for mips, that still has this last one as stable (and I'm still moving this along also if it's basically broken for everyone else).
Created attachment 69850 [details] xine-lib-1.1.0-r6.ebuild At the end this is a non-stable version, based off 1.1.0-r4, with external ffmpeg, so that ~arch users won't get a regression with ffmpeg.
Calling arch security contacts. Please test and report back which of those can be committed directly to stable for your arch.
flameeyes is member of the amd64 team, so i'll let it up to him
Giving ppc over to JoseJX, as xine is seriously broken on my machine (segmentation fault on startup).
sparc looks good on 1.1.0-r5 with the exception that the patch should be named xine-lib-formatstring.patch (or changed in the ebuild) ;)
xine-lib-1.1.0-r5 can go stable on ppc64, too. I can confirm that you have to rename the patch.
The patch works fine on PPC, the segfault hansmi was reporting appears to be due to mismatched alsa-libs/in kernel driver as in bug #64818.
which version do you want to see tested on x86 ?
1.0.1-r4 I think. 1.1.0 fixes some crashes, but seems having problem with flac.
1.1.0-r5 looks good on alpha.
Then we only need ia64 and they are not essential for GLSA purposes.
1.1.0-r5 looks good on ia64 as well.
Diego: ok so this can be committed to Portage with the appropriate stable keywords on October 8 (tomorrow) 1400 UTC. Let us know if you can't make it anytime that day.
That should be ok, just remember me a bit before, just to be safe :)
Please delay the commit till this night... we're having a bit of a trouble as mips recently keyworded xine-lib-1.1.0 (but not -r3 or -r4). I won't commit anything until this is sorted out.
Diego please commit the fixed ebuilds. mips do not block GLSA sending so please go ahead.
Committed
Thx Diego. This one is ready for GLSA release.
Thx everyone. GLSA 200510-08 mips don't forget to mark stable.
