Summary: | media-libs/xine-lib <1.1.12 speex implementation insufficient boundary checks | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Matthias Geerdsen (RETIRED) <vorlon> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED WONTFIX | ||
Severity: | normal | CC: | aballier, flameeyes |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://bugs.xine-project.org/show_bug.cgi?id=83 | ||
Whiteboard: | A2 [upstream] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 217715 | ||
Bug Blocks: |
Description
Matthias Geerdsen (RETIRED)
2008-04-14 08:40:50 UTC
OK, I fail completely.

How does this affect xine-lib? By definition xine does not use internal libraries whenever possible, and I'm pretty sure we don't have libspeex internally...

Andrea from oCERT said he contacted several xine people (not including you) about it, he'll mail you.

I think we should put a huge blinking banner on xine's site stating "Contact Flameeyes or use the Bugzilla if you have security issues to report", at this point.

Filed upstream, and almost ready for release.

(In reply to comment #4)
> I think we should put a huge blinking banner on xine's site stating "Contact Flameeyes or use the Bugzilla if you have security issues to report", at this point.

Please do!

Handled together with Andrea, it's committed to xine-lib Hg and will be released probably in the night as 1.1.12.

This does not need to be fixed if we enable the workaround in libspeex, which is bug 217715.

I can't access it though. By the way the upstream bug got public, you can open this one too.

(In reply to comment #8)
> I can't access it though. By the way the upstream bug got public, you can open this one too.

Since I commented on the content of the blocker, we can't open this before it. Damn it.

Now public via http://www.ocert.org/advisories/ocert-2008-004.html

Closing, see comment #4.