Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via or IRC

Bug 156645

Summary: media-libs/xine-lib: probable buffer overrun in Real Media Input plugin (CVE-2006-6172)
Product: Gentoo Security Reporter: Diego Elio Pettenò (RETIRED) <flameeyes>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: media-video
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2? [glsa] DerCorny
Package list:
Runtime testing required: ---

Description Diego Elio Pettenò (RETIRED) gentoo-dev 2006-11-29 11:37:16 UTC
On xine's tracker was reported an issue with the Real Media Input plugin.
This problem affects all versions since 1.1.1 at least.

The patch is submitted here:
and it's now committed to xine's CVS.
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-11-29 15:19:29 UTC
arches, please test and stable xine-lib 1.1.2-r3

Comment 2 Markus Meier gentoo-dev 2006-11-30 10:25:55 UTC
media-libs/xine-lib-1.1.2-r3  USE="X a52 aac alsa asf dts dvd flac gnome ipv6 mp3 nls opengl oss samba sdl theora vcd vorbis win32codecs xv -aalib (-altivec) -arts -debug -directfb -dxr3 -esd -fbcon -imagemagick -libcaca -mng -modplug -speex -v4l -vidix -xinerama -xvmc" VIDEO_CARDS="i810 -nvidia -via"
1. emerges on x86
2. passes collision test
3. xine-ui and totem still emerge and work

Portage 2.1.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, i686)
System uname: i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System version 1.12.6
Last Sync: Thu, 30 Nov 2006 15:01:02 +0000
ccache version 2.3 [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
LINGUAS="en de en_GB de_CH"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kdeenablefinal kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xprint xv xvid zlib"
Comment 3 Gustavo Zacarias (RETIRED) gentoo-dev 2006-11-30 10:31:32 UTC
sparc stable.
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2006-11-30 11:01:17 UTC
x86 is safe for those pr0n lovers.
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2006-11-30 11:36:11 UTC
ppc stable
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2006-11-30 12:52:12 UTC
ppc64 stable
Comment 7 Jeroen Roovers gentoo-dev 2006-11-30 18:28:04 UTC
Stable for HPPA.
Comment 8 Chris Gianelloni (RETIRED) gentoo-dev 2006-12-01 11:52:41 UTC
amd64 done
Comment 9 Bryan Østergaard (RETIRED) gentoo-dev 2006-12-02 08:29:45 UTC
Stable on Alpha + ia64.
Comment 10 Stefan Cornelius (RETIRED) gentoo-dev 2006-12-03 06:58:48 UTC
ready for glsa
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2006-12-09 13:38:31 UTC
GLSA 200612-02