Ulf Harnhammar reports:
When you use xine or gxine to play a CD, the programs will connect
to a CDDB server to retrieve the record's artist/band and title as
well as the song titles. The programs write this information to
a cache file, and the code in xine-lib that performs this action
suffers from a format string security bug, allowing remote execution
of arbitrary code.
It is worth noting that CDDB servers allow any user to add or modify
information about records. [...]
This bug could be used for automated attacks against anyone who
listens to particular CDs in xine or gxine.
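The bug class described in the report, as an added example that is not xine-lib's code or the attached patch: server-supplied CDDB text passed as the format argument when writing the cache file, next to the form that passes it only as data. All function names and the sample entry are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed CDDB entry: anyone can submit records, so titles are untrusted. */
static const char HOSTILE_ENTRY[] =
    "DTITLE=Some Band / %x%x%n\n"
    "TTITLE0=Track %s one\n";

/* Vulnerable pattern (shown for contrast, never called here). */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int save_cache_unsafe(FILE *fd, const char *content) {
    return fprintf(fd, content);       /* server text is parsed as a format */
}
#pragma GCC diagnostic pop

/* Hardened form: constant format string, server text is only an argument. */
int save_cache_safe(FILE *fd, const char *content) {
    return fprintf(fd, "%s", content);
}

/* Heuristic check: count printf conversions in a string ("%%" is literal). */
size_t count_conversions(const char *s) {
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Write through the safe path to a temp file; 1 if bytes come back verbatim. */
int roundtrip_is_verbatim(const char *content) {
    char buf[256];
    FILE *fd = tmpfile();
    if (!fd) return -1;
    int written = save_cache_safe(fd, content);
    rewind(fd);
    size_t got = fread(buf, 1, sizeof buf - 1, fd);
    fclose(fd);
    buf[got] = '\0';
    return written == (int)strlen(content) && strcmp(buf, content) == 0;
}

int main(void) {
    printf("conversions in entry: %zu\n", count_conversions(HOSTILE_ENTRY));
    printf("safe writer verbatim: %d\n", roundtrip_is_verbatim(HOSTILE_ENTRY));
    return 0;
}
```

Compiling callers with `-Wformat -Wformat-security` flags the non-literal format in the first function, which is how this class of bug is usually caught before release.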
Created attachment 69695
Patch from Ulf Harnhammar
Diego, could you prepare and attach to this bug new ebuild(s) for xine-lib
fixing this? Please do not commit them to Portage before the release date
(currently set to October 8th), we'll have arch testers test them from here.
Created attachment 69847
This is going stable for sparc, alpha, ppc64 and ia64 (and amd64 would be great
too, as this should fix problems with current stable).
Created attachment 69848
This is the will-be stable for everything else (but mips probably).
Created attachment 69849
And this last one is for mips, that still has this last one as stable (and I'm
still moving this along even if it's basically broken for everyone else).
Created attachment 69850
At the end this is a non-stable version, based off 1.1.0-r4, with external
ffmpeg, so that ~arch users won't get a regression with ffmpeg.
Calling arch security contacts.
Please test and report back which of those can be committed directly to stable
for your arch.
flameeyes is a member of the amd64 team, so I'll leave it up to him.
Giving ppc over to JoseJX, as xine is seriously broken on my machine
(segmentation fault on startup).
sparc looks good on 1.1.0-r5 with the exception that the patch should be named
xine-lib-formatstring.patch (or changed in the ebuild) ;)
xine-lib-1.1.0-r5 can go stable on ppc64, too. I can confirm that you have to
rename the patch.
The patch works fine on PPC, the segfault hansmi was reporting appears to be due
to mismatched alsa-libs/in kernel driver as in bug #64818.
Which version do you want to see tested on x86?
1.0.1-r4 I think. 1.1.0 fixes some crashes, but seems having problem with
1.1.0-r5 looks good on alpha.
Then we only need ia64 and they are not essential for GLSA purposes.
1.1.0-r5 looks good on ia64 as well.
Diego: ok so this can be committed to Portage with the appropriate stable
keywords on October 8 (tomorrow) 1400 UTC.
Let us know if you can't make it anytime that day.
That should be ok, just remind me a bit before, just to be safe :)
Please delay the commit till this night... we're having a bit of trouble as
mips recently keyworded xine-lib-1.1.0 (but not -r3 or -r4). I won't commit
anything until this is sorted out.
Diego please commit the fixed ebuilds. mips do not block GLSA sending so
please go ahead.
Thx Diego. This one is ready for GLSA release.
mips don't forget to mark stable.