Seems like xine-lib is also affected by the same vulnerability as mplayer. I'm going to commit the fix on xine-lib cvs right now, and I've added an ebuild for it on my overlay. Suggested course of action: get xine-lib-1.1.4-r2 from my overlay (git://flameeyes.is-a-geek.org/overlay.git), make sure that it's not masked (the experimental XCB patch is no longer experimental, it's committed to xine-lib upstream CVS so a possible 1.1.5 release will simply ship with it), and ask for it to be stabled on x86. Stabling it on other architectures would be an extra (as the time for that has come already and I would have already filed a bug for that if I was still a dev), but the vulnerability is only present on x86 systems because it's part of win32codecs code, so no reason to put them into a stabling hurry. HTH, Diego
(Sigh, I'm too used to taking care of this myself -- CCing video now).
Security, Joshua committed xine-lib-1.1.4-r2 from my overlay, with the patch, and unmasked it: http://packages.gentoo.org/search/?sstring=xine-lib You can ask x86 to mark it stable, I suppose.
Thx Diego, x86 please test and mark xine-lib-1.1.4-r2 stable.
Err...this needs media-video/ffmpeg-0.4.9_p20070129 stable too. Is this okay?
on x86: media-libs/xine-lib-1.1.4-r2 USE="X a52 aac alsa dvd fbcon flac gnome gtk ipv6 mad nls opengl sdl theora truetype vcd vorbis win32codecs xv -aalib (-altivec) -arts -debug -directfb -dts -dxr3 -esd -imagemagick -libcaca -mmap -mng -modplug -musepack -oss -pulseaudio -samba -speex -v4l -vidix -wavpack -xcb -xinerama -xvmc" and media-video/ffmpeg-0.4.9_p20070129 USE="a52 aac encode mmx ogg sdl theora threads truetype vorbis xvid zlib (-altivec) -amr -debug -doc -dts -ieee1394 -imlib -network -oss -test* -v4l -x264" seem to be fine for me with media-video/totem-2.16.4 USE="a52 dbus dvd ffmpeg firefox flac gnome hal mad mpeg ogg theora vorbis xine xv -debug -lirc -nsplugin -nvtv" and media-video/xine-ui-0.99.5_pre20060716 USE="X ncurses nls readline -aalib -curl -debug -libcaca -lirc -vdr -xinerama"
=x11-proto/xcb-proto-1.0 dev-libs/libpthread-stubs =x11-libs/libxcb-1.0 =media-libs/xine-lib-1.1.4-r2 =media-video/ffmpeg-0.4.9_p20070129 went stable on x86
amd64 done
ppc64 stable
ia64 stable
Hi drac, I really prefer you open a new bug, so that the summary, severity, whiteboard status, CVE id, and [glsa] status, are not forgotten. Thanks.
So it was GLSA 200704-09, and closing now. Thanks everybody
(In reply to comment #10)
> Hi drac, I really prefer you open a new bug, so that the summary, severity,
> whiteboard status, CVE id, and [glsa] status, are not forgotten. Thanks

Noted! Won't happen again, I wasn't aware of security wanting to keep old bugs around. I've moved stabilization for rest of archteams to bug 174909.