Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 260069 (CVE-2009-0698)

Summary: <media-libs/xine-lib-1.1.16.2 ACE (CVE-2009-0698)
Product: Gentoo Security Reporter: Stefan Behte (RETIRED) <craig>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: maekke, media-video
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://bugs.xine-project.org/show_bug.cgi?id=205
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 257682    

Description Stefan Behte (RETIRED) gentoo-dev Security 2009-02-23 21:38:34 UTC 
CVE-2009-0698 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0698):
  Integer overflow in the 4xm demuxer (demuxers/demux_4xm.c) in
  xine-lib 1.1.16.1 allows remote attackers to cause a denial of
  service (crash) and possibly execute arbitrary code via a 4X movie
  file with a large current_track value, a similar issue to
  CVE-2009-0385.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-02-23 21:44:33 UTC 
The release notes say:
"This release contains one new security fix.
It also contains some corrections of previous security fixes."

Changes:
* Build fixes related to ImageMagick 6.4 & later.
* Fix an error in Matroska PTS calculation.
* Some front ends hang due to the hang fixes in 1.1.16. Fix
  this by removing a break statement.
* Fix broken size checks in various input plugins
  (ref. CVE-2008-5239).
* More malloc checking (ref. CVE-2008-5240).
* Fix race conditions in gapless_switch
  (ref. kde bug #180339)
* Fix a possible integer overflow in the 4XM demuxer.
  (TKADV2009-004.txt)

Arches, please test and mark stable:
=media-libs/xine-lib-1.1.16.2
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 2 Peter Alfredsen (RETIRED) gentoo-dev 2009-02-23 21:51:54 UTC 
*** Bug 258374 has been marked as a duplicate of this bug. ***
Comment 3 Alexis Ballier gentoo-dev 2009-02-23 22:48:48 UTC 
While this is good to have it stable I would have prefered seeing it handled in bug #249041 where it seems my comments got ignored and would appreciate if you could sort this mess out, thanks.
Comment 4 Markus Meier gentoo-dev 2009-02-25 20:08:28 UTC 
amd64/x86 stable
Comment 5 Ferris McCormick (RETIRED) gentoo-dev 2009-02-25 22:24:01 UTC 
Sparc stable.
Comment 6 Brent Baude (RETIRED) gentoo-dev 2009-02-26 19:27:38 UTC 
ppc64 done
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-02-28 10:58:45 UTC 
alpha/arm/ia64 stable
Comment 8 Brent Baude (RETIRED) gentoo-dev 2009-03-18 19:22:47 UTC 
ppc done
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2009-04-01 17:40:15 UTC 
Stable for HPPA.
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2009-04-04 15:00:23 UTC 
GLSA together with bug 234777 and bug 249041.
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-05-30 10:35:17 UTC 
GLSA filed including bug 234777, bug 249041, bug 260069, and bug 265250.
Comment 12 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-01 15:45:27 UTC 
GLSA 201006-04