Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 209106 - media-libs/xine-lib <1.1.10.1 execution of arbitrary code (CVE-2008-0486)
Summary: media-libs/xine-lib <1.1.10.1 execution of arbitrary code (CVE-2008-0486)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-02-06 09:34 UTC by Lars Hartmann
Modified: 2020-04-04 12:15 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Lars Hartmann 2008-02-06 09:34:48 UTC 
Array index vulnerability in libmpdemux/demux_audio.c in MPlayer 1.0rc2 and SVN before r25917, and possibly earlier versions, as used in Xine-lib 1.1.10, might allow remote attackers to execute arbitrary code via a crafted FLAC tag, which triggers a buffer overflow.
Comment 1 Lars Hartmann 2008-02-06 09:35:12 UTC 
maintainers - please advise
Comment 2 Alexis Ballier gentoo-dev 2008-02-09 10:48:42 UTC 
xine-lib-1.1.10.1 in the tree should fix this:
Changes:
* Security fixes:
  - Array index vulnerability which may allow remote attackers to execute
    arbitrary code via a crafted FLAC tag, causing a stack buffer overflow.
    (CVE-2008-0486)
* Fix a RealPlayer codec detection bug.
* Improve detection of MP3 streams with ID3v2 tags. Don't trust the tag
  size.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-10 14:59:58 UTC 
Is 1.1.10.1 ready for stable marking?
Comment 4 Alexis Ballier gentoo-dev 2008-02-10 15:07:20 UTC 
(In reply to comment #3)
> Is 1.1.10.1 ready for stable marking?
> 

should be, its 1.1.10 plus the three bugfixes I cited
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-10 15:16:02 UTC 
Thx Alexis.

Arches please test and mark stable. Target keywords are:

xine-lib-1.1.10.1.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 ~x86-fbsd"
Comment 6 Markus Meier gentoo-dev 2008-02-10 16:14:54 UTC 
x86 stable
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2008-02-10 18:20:19 UTC 
ppc stable
Comment 8 Olivier Crete (RETIRED) gentoo-dev 2008-02-10 21:33:48 UTC 
amd64 done
Comment 9 Brent Baude (RETIRED) gentoo-dev 2008-02-11 03:11:42 UTC 
ppc64 stable; thanks
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2008-02-12 22:40:00 UTC 
Stable for HPPA.
Comment 11 Ferris McCormick (RETIRED) gentoo-dev 2008-02-19 14:11:37 UTC 
Sparc stable.
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2008-02-19 16:49:26 UTC 
alpha/ia64 stable, thanks Tobias
Comment 13 Peter Volkov (RETIRED) gentoo-dev 2008-02-23 17:32:03 UTC 
Fixed in release snapshot.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-02-26 22:56:12 UTC 
GLSA 200802-12, thanks everyone.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-03-15 13:41:47 UTC 
Please note that this update also fixed CVE-2008-1161.