Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 128838 - media-libs/xine-lib: Malformed MPEG Stream Buffer Overflow (CVE-2006-1664)
Summary: media-libs/xine-lib: Malformed MPEG Stream Buffer Overflow (CVE-2006-1664)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa] Falco
: 128855 (view as bug list)
Depends on:
Reported: 2006-04-04 16:35 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2006-11-11 20:04 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-04 16:35:04 UTC
Xine-Lib Malformed MPEG Stream Buffer Overflow Vulnerability

Xine-lib is susceptible to a buffer-overflow vulnerability. This issue is due to the application's failure to properly bounds-check user-supplied input data before copying it to an insufficiently sized memory buffer.

Successful exploits allow remote attackers to execute arbitrary machine code in the context of the affected application.

Xine-lib version 1.1.1 is reportedly affected. Other versions may also be affected, as well as all applications that use a vulnerable version of the library.

Published:  	 Apr 04 2006 12:00AM
Credit:	 Federico L. Bossi Bonin <> discovered this issue.

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-04 21:31:17 UTC
*** Bug 128855 has been marked as a duplicate of this bug. ***
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-10 05:54:06 UTC

it is an A2. We should have acted now.
Sadly, AFAIK, no fix is available upstream and no other distrib has released any update yet. I'm not aware of any evolution on this issue. Has someone any information ?
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2006-04-10 10:02:02 UTC
FYI the target delay is counted once the bug has left upstream status, since we can't really fix it before.
Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-10 13:23:28 UTC
Sorry :)

Then let's wait and see !
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2006-04-15 05:29:17 UTC
Upstream is late
Comment 6 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-04-15 06:59:53 UTC
The 1.1.2_pre20060328 snapshot seems to be unaffected, at least the given concept stream doesn't crash xine at all (while it does on 1.1.1-r5).

Despite being a CVS snapshot, that version appears to me quite stable, I'm using it almost daily, for both Kaffeine (video playing) and amaroK (audio), and I haven't hit any kind of problem (it might be considered more working than the current 1.1.1 version in some aspects, like MKV demuxing).

At this point, I can think of removing it from package.mask and back in ~arch, to be tested for a while..
Comment 7 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-04-21 09:54:08 UTC
Okay I know I added -r1 just yesterday, but if this is going to be pushed stable, I'd rather see that marked stable as it _is_ finally stable. The main issue with xine (crashes when mad was disabled) is now fixed, and authenticated HTTP streams are fixed, too. I might say that this version is even more stable than the current stable :)

So if a decision for pushing this has to be made, I suppose it should be okay at this point in time.
Also, I didn't receive any "aaaargh my xine broke" kind of bugs after unmasking and going to ~arch.
Comment 8 Stefan Cornelius (RETIRED) gentoo-dev 2006-04-21 10:06:38 UTC
ok, here we go: arches, please test and stable 1.1.2_pre20060328-r1, thank you.
Comment 9 Thomas Cort (RETIRED) gentoo-dev 2006-04-21 13:02:01 UTC
(In reply to comment #8)
> ok, here we go: arches, please test and stable 1.1.2_pre20060328-r1, thank you.

alpha stable.
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2006-04-21 13:43:35 UTC
sparc stable.
Comment 11 Mark Loeser (RETIRED) gentoo-dev 2006-04-21 17:33:08 UTC
x86 done
Comment 12 Markus Rothe (RETIRED) gentoo-dev 2006-04-22 02:36:33 UTC
stable on ppc64
Comment 13 Thomas Cort (RETIRED) gentoo-dev 2006-04-22 09:57:26 UTC
stable on amd64
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2006-04-22 11:58:57 UTC
ppc stable
Comment 15 Guy Martin (RETIRED) gentoo-dev 2006-04-22 15:12:19 UTC
Besides a gcc-4.1 bug, it's working perfectly on hppa :)
Comment 16 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-23 01:12:37 UTC
Sorry for the last change.
This one is ready for GLSA.
arm & ia64 you can mark stable if you want, in order to benefit from the GLSA.
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-26 10:42:04 UTC
GLSA 200604-16

arm, ia64 please don't forget to mark stable to benifit from the GLSA.