Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 217595 - media-libs/xine-lib <1.1.12 speex implementation insufficient boundary checks
Summary: media-libs/xine-lib <1.1.12 speex implementation insufficient boundary checks
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://bugs.xine-project.org/show_bug...
Whiteboard: A2 [upstream]
Keywords:
Depends on: 217715
Blocks:
  Show dependency tree
 
Reported: 2008-04-14 08:40 UTC by Matthias Geerdsen (RETIRED)
Modified: 2008-04-17 10:12 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-14 08:40:50 UTC
This bug is not public yet, please do not disclose any information.

xine-lib appears to include vulnerable speex code

see http://www.ocert.org/advisories/ocert-2008-2.html
as well as bug 216499 and bug 217373 for similar issues
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-04-14 17:01:27 UTC
ok, i fail completely.
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2008-04-14 17:16:30 UTC
How does this affect xine-lib? By definition xine does not use internal libraries whenever possible, and I'm pretty sure we don't have libspeex internally...
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-04-14 17:42:11 UTC
Andrea from oCERT said he contacted several xine people (not including you) about it, he'll mail you.
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2008-04-14 19:31:40 UTC
I think we should put a huge blinking banner on xine's site stating "Contact Flameeyes or use the Bugzilla if you have security issues to report", at this point.

Filed upstream, and almost ready for release.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-04-14 20:09:10 UTC
(In reply to comment #4)
> I think we should put a huge blinking banner on xine's site stating "Contact
> Flameeyes or use the Bugzilla if you have security issues to report", at this
> point.

Please do!
Comment 6 Diego Elio Pettenò (RETIRED) gentoo-dev 2008-04-14 21:57:17 UTC
Handled together with Andrea, it's committed to xine-lib Hg and will be released probably in the night as 1.1.12.

Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-04-14 22:20:34 UTC
This does not need to be fixed if we enable the workaround in libspeex, which is bug 217715.
Comment 8 Diego Elio Pettenò (RETIRED) gentoo-dev 2008-04-14 23:25:11 UTC
I can't access it though. By the way the upstream bug got public, you can open this one too.

Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-04-15 01:00:57 UTC
(In reply to comment #8)
> I can't access it though. By the way the upstream bug got public, you can open
> this one too.

Since I commented on the content the blocker, we can't open this before it. Damn it.
Comment 10 Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-17 09:42:23 UTC
now public via http://www.ocert.org/advisories/ocert-2008-004.html
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-04-17 10:12:27 UTC
closing, see comment #4.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-04-17 10:12:58 UTC
(comment #7)