Bug#: 170208
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Diego E. 'Flameeyes' Pettenò <flameeyes@gentoo.org>
Description:   Opened: 2007-03-10 00:39 0000
Seems like xine-lib is also affected by the same vulnerability as mplayer.

I'm going to commit the fix on xine-lib cvs right now, and I've added an ebuild
for it on my overlay.

Suggested course of action: get xine-lib-1.1.4-r2 from my overlay
(git://flameeyes.is-a-geek.org/overlay.git), make sure that it's not masked
(the experimental XCB patch is no more experimental, it's committed to xine-lib
upstream CVS so a possible 1.1.5 release will simply ship with it), and ask it
to be stabled on x86.

Stabling it on other architectures would be an extra (as the time for that has
come already and I would have already filed a bug for that if I was still a
dev), but the vulnerability is only present on x86 systems because it's part of
win32codecs code, so no reason to put them into a stabling hurry.

HTH,
Diego

------- Comment #1 From Diego E. 'Flameeyes' Pettenò 2007-03-10 00:39:52 0000 -------
(Sigh, I'm too used to taking care of this myself -- CCing video now).

------- Comment #2 From Diego E. 'Flameeyes' Pettenò 2007-03-19 18:05:45 0000 -------
Security, Joshua committed xine-lib-1.1.4-r2 from my overlay, with the patch,
and unmasked it: http://packages.gentoo.org/search/?sstring=xine-lib

You can ask x86 to mark it stable, I suppose.

------- Comment #3 From Sune Kloppenborg Jeppesen 2007-03-19 18:56:44 0000 -------
Thx Diego,

x86 please test and mark xine-lib-1.1.4-r2 stable.

------- Comment #4 From Raúl Porcel 2007-03-19 19:58:47 0000 -------
Err...this needs media-video/ffmpeg-0.4.9_p20070129 stable too.

Is this okay?

------- Comment #5 From Matthias Langer 2007-03-21 03:33:21 0000 -------
on x86:

media-libs/xine-lib-1.1.4-r2  USE="X a52 aac alsa dvd fbcon flac gnome gtk ipv6
mad nls opengl sdl theora truetype vcd vorbis win32codecs xv -aalib (-altivec)
-arts -debug -directfb -dts -dxr3 -esd -imagemagick -libcaca -mmap -mng
-modplug -musepack -oss -pulseaudio -samba -speex -v4l -vidix -wavpack -xcb
-xinerama -xvmc" 

and

media-video/ffmpeg-0.4.9_p20070129  USE="a52 aac encode mmx ogg sdl theora
threads truetype vorbis xvid zlib (-altivec) -amr -debug -doc -dts -ieee1394
-imlib -network -oss -test* -v4l -x264"

seem to be fine for me with

media-video/totem-2.16.4  USE="a52 dbus dvd ffmpeg firefox flac gnome hal mad
mpeg ogg theora vorbis xine xv -debug -lirc -nsplugin -nvtv"

and

media-video/xine-ui-0.99.5_pre20060716  USE="X ncurses nls readline -aalib
-curl -debug -libcaca -lirc -vdr -xinerama"

------- Comment #6 From Christian Faulhammer 2007-03-21 09:13:53 0000 -------
=x11-proto/xcb-proto-1.0
dev-libs/libpthread-stubs
=x11-libs/libxcb-1.0
=media-libs/xine-lib-1.1.4-r2
=media-video/ffmpeg-0.4.9_p20070129

went stable on x86

------- Comment #7 From Olivier Crete 2007-04-14 23:18:15 0000 -------
amd64 done

------- Comment #8 From Markus Rothe 2007-04-15 18:59:57 0000 -------
ppc64 stable

------- Comment #9 From Raúl Porcel 2007-04-16 16:09:49 0000 -------
ia64 stable

------- Comment #10 From Raphael Marichez 2007-04-16 19:41:20 0000 -------
Hi drac, I really prefer you open a new bug, so that the summary, severity,
whiteboard status, CVE id, and [glsa] status, are not forgotten. Thanks

------- Comment #11 From Raphael Marichez 2007-04-16 19:42:06 0000 -------
So it was GLSA 200704-09, and closing now. Thanks everybody

------- Comment #12 From Samuli Suominen 2007-04-17 14:00:20 0000 -------
(In reply to comment #10)
> Hi drac, I really prefer you open a new bug, so that the summary, severity,
> whiteboard status, CVE id, and [glsa] status, are not forgotten. Thanks
> 

Noted! Won't happen again, I wasn't aware of security wanting to keep old bugs
around.

I've moved stabilization for rest of archteams to bug 174909.
