This bug is not public yet, please do not disclose any information. xine-lib appears to include vulnerable speex code; see http://www.ocert.org/advisories/ocert-2008-2.html as well as bug 216499 and bug 217373 for similar issues.
OK, I fail completely.
How does this affect xine-lib? By definition xine does not use internal libraries whenever possible, and I'm pretty sure we don't have libspeex internally...
Andrea from oCERT said he contacted several xine people (not including you) about it, he'll mail you.
I think we should put a huge blinking banner on xine's site stating "Contact Flameeyes or use the Bugzilla if you have security issues to report", at this point. Filed upstream, and almost ready for release.
(In reply to comment #4)
> I think we should put a huge blinking banner on xine's site stating "Contact
> Flameeyes or use the Bugzilla if you have security issues to report", at this
> point.
Please do!
Handled together with Andrea, it's committed to xine-lib Hg and will be released probably in the night as 1.1.12.
This does not need to be fixed if we enable the workaround in libspeex, which is bug 217715.
I can't access it though. By the way the upstream bug got public, you can open this one too.
(In reply to comment #8)
> I can't access it though. By the way the upstream bug got public, you can open
> this one too.
Since I commented on the content of the blocker, we can't open this before it. Damn it.
Now public via http://www.ocert.org/advisories/ocert-2008-004.html
Closing, see comment #4.
(comment #7)