http://open-security.org/advisories/6

Any info you need please email as I'd love to help out! You reacted to the MPlayer issue quickly, I think you deal with security issues on par with free/openbsd guys, certainly better than most Linux suppliers I've used. BTW I don't currently use Gentoo, I think I shall have a play.

cheers, c0ntex

Reproducible: Always

Steps to Reproduce:
1. compile and run code
2. launch xine against it, using any demuxer name ($ ./xine http://box/a.mp3,mpg,mpeg,avi,pls)
3. watch Xine window - attached POC for non-hardened stacks

Actual Results: execve("/bin/sh -c """) on remote client

Expected Results: used system calls correctly - complained and returned in a clean manner

The "severity" section below is relative I guess, I will let you guys define this for your particular OS.

Xine seem uninterested to inform their community about this bug. I gave them 30 days, they ignored me then after tracking them down on IRC, they stated they had another 800 to fix.

cheers

Great, you'll love how fast this goes then :P. Already marked stable, already drafted the announcement, might even release it today.

*** This bug has been marked as a duplicate of 59948 ***