Bug 234777 (CVE-2008-3231) - media-libs/xine-lib <1.1.15-r1 Multiple issues (CVE-2008-3231)
Status: RESOLVED FIXED
Alias: CVE-2008-3231
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://sourceforge.net/project/showno...
Whiteboard: B2 [glsa]
Depends on: 234926
Reported: 2008-08-14 23:56 UTC by Hanno Böck
Modified: 2010-06-01 15:45 UTC

Attachments
fix for use=-vis on sparc (xine-lib-vis.patch,1.35 KB, patch)
2008-08-15 19:34 UTC, Friedrich Oslage (RETIRED)

Description Hanno Böck gentoo-dev 2008-08-14 23:56:24 UTC
From xine webpage:

A new xine-lib version is now available. This release contains some security fixes, notably a DoS via corrupted Ogg files (CVE-2008-3231), some related fixes, and fixes for a few possible buffer overflows.
The other changes include recognition of AMR audio and Snow video.
Comment 1 Alexis Ballier gentoo-dev 2008-08-15 06:52:27 UTC
bumped
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-08-15 08:18:03 UTC
Arches, please test and mark stable:
=media-libs/xine-lib-1.1.15
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-08-15 10:48:20 UTC
CVE-2008-3231 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3231):
  xine allows user-assisted attackers to cause a denial of service (application
  crash) via a crafted OGG file, as demonstrated by lol-ffplay.ogg.
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2008-08-15 14:52:52 UTC
ia64/x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2008-08-15 16:02:17 UTC
Stable for HPPA.
Comment 6 Markus Meier gentoo-dev 2008-08-15 19:06:02 UTC
amd64 stable
Comment 7 Friedrich Oslage (RETIRED) gentoo-dev 2008-08-15 19:34:03 UTC
Created attachment 162994
fix for use=-vis on sparc

On sparc it fails to compile with USE="-vis":
/tmp/portage/media-libs/xine-lib-1.1.15/work/xine-lib-1.1.15/src/libmpeg2/motion_comp.c:76: undefined reference to `mpeg2_mc_vis'

because src/libmpeg2/motion_comp_vis.c has
#if defined(ARCH_SPARC) && defined(ENABLE_VIS)
and src/libmpeg2/motion_comp.c has
#ifdef ARCH_SPARC

can you apply this patch to fix it, please?
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2008-08-15 20:20:34 UTC
Stable on alpha.
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2008-08-16 07:46:37 UTC
ppc64 stable
Comment 10 Alexis Ballier gentoo-dev 2008-08-16 11:38:10 UTC
(In reply to comment #7)

> can you apply this patch to fix it, please?


Applied, thanks (you could as well have done it yourself, as that's sparc-specific code)

Please don't forget to send it upstream so that it's fixed for good.
Comment 11 Friedrich Oslage (RETIRED) gentoo-dev 2008-08-16 12:14:24 UTC
Thanks, sparc stable

(In reply to comment #10)
> Please don't forget to send it upstream so that it's fixed for good.

done

Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2008-08-19 21:09:17 UTC
ppc stable
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-08-19 22:34:53 UTC
request filed
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-08-27 15:02:05 UTC
1.1.15 has caused a regression with KDE players, see blocked bug.

Arches, please test and mark stable:
=media-libs/xine-lib-1.1.15-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2008-08-28 03:57:04 UTC
Stable for HPPA.
Comment 16 Friedrich Oslage (RETIRED) gentoo-dev 2008-08-28 17:08:27 UTC
sparc stable
Comment 17 Markus Rothe (RETIRED) gentoo-dev 2008-08-29 07:18:13 UTC
ppc64 stable
Comment 18 Raúl Porcel (RETIRED) gentoo-dev 2008-08-29 15:15:44 UTC
ia64/x86 stable
Comment 19 Dawid Węgliński (RETIRED) gentoo-dev 2008-08-29 15:46:09 UTC
amd64 stable as well
Comment 20 Tobias Scherbaum (RETIRED) gentoo-dev 2008-08-30 11:31:43 UTC
ppc stable
Comment 21 Tobias Klausmann (RETIRED) gentoo-dev 2008-08-31 15:53:37 UTC
Stable on alpha, sorry for taking so long.
Comment 22 Tobias Heinlein (RETIRED) gentoo-dev 2008-09-03 18:16:11 UTC
GLSA request filed.
Comment 23 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-22 20:29:46 UTC
What about http://www.ocert.org/advisories/ocert-2008-008.html ? It says not all vulns are fixed in 1.1.15 :/
Comment 24 Raúl Porcel (RETIRED) gentoo-dev 2008-09-28 15:12:56 UTC
arm stable
Comment 25 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-05-30 10:35:10 UTC
GLSA filed including bug 234777, bug 249041, bug 260069, and bug 265250.
Comment 26 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-06-01 15:45:21 UTC
GLSA 201006-04