Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 260069 (CVE-2009-0698) - <media-libs/xine-lib-1.1.16.2 ACE (CVE-2009-0698)
Summary: <media-libs/xine-lib-1.1.16.2 ACE (CVE-2009-0698)
Status: RESOLVED FIXED
Alias: CVE-2009-0698
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://bugs.xine-project.org/show_bug...
Whiteboard: B2 [glsa]
Keywords:
: 258374 (view as bug list)
Depends on:
Blocks: 257682
  Show dependency tree
 
Reported: 2009-02-23 21:38 UTC by Stefan Behte (RETIRED)
Modified: 2010-06-01 15:45 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2009-02-23 21:38:34 UTC
CVE-2009-0698 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0698):
  Integer overflow in the 4xm demuxer (demuxers/demux_4xm.c) in
  xine-lib 1.1.16.1 allows remote attackers to cause a denial of
  service (crash) and possibly execute arbitrary code via a 4X movie
  file with a large current_track value, a similar issue to
  CVE-2009-0385.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-02-23 21:44:33 UTC
The release notes say:
"This release contains one new security fix.
It also contains some corrections of previous security fixes."

Changes:
* Build fixes related to ImageMagick 6.4 & later.
* Fix an error in Matroska PTS calculation.
* Some front ends hang due to the hang fixes in 1.1.16. Fix
  this by removing a break statement.
* Fix broken size checks in various input plugins
  (ref. CVE-2008-5239).
* More malloc checking (ref. CVE-2008-5240).
* Fix race conditions in gapless_switch
  (ref. kde bug #180339)
* Fix a possible integer overflow in the 4XM demuxer.
  (TKADV2009-004.txt)

Arches, please test and mark stable:
=media-libs/xine-lib-1.1.16.2
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 2 Peter Alfredsen (RETIRED) gentoo-dev 2009-02-23 21:51:54 UTC
*** Bug 258374 has been marked as a duplicate of this bug. ***
Comment 3 Alexis Ballier gentoo-dev 2009-02-23 22:48:48 UTC
While this is good to have it stable I would have prefered seeing it handled in bug #249041 where it seems my comments got ignored and would appreciate if you could sort this mess out, thanks.
Comment 4 Markus Meier gentoo-dev 2009-02-25 20:08:28 UTC
amd64/x86 stable
Comment 5 Ferris McCormick (RETIRED) gentoo-dev 2009-02-25 22:24:01 UTC
Sparc stable.
Comment 6 Brent Baude (RETIRED) gentoo-dev 2009-02-26 19:27:38 UTC
ppc64 done
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-02-28 10:58:45 UTC
alpha/arm/ia64 stable
Comment 8 Brent Baude (RETIRED) gentoo-dev 2009-03-18 19:22:47 UTC
ppc done
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2009-04-01 17:40:15 UTC
Stable for HPPA.
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2009-04-04 15:00:23 UTC
GLSA together with bug 234777 and bug 249041.
Comment 11 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-05-30 10:35:17 UTC
GLSA filed including bug 234777, bug 249041, bug 260069, and bug 265250.
Comment 12 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-06-01 15:45:27 UTC
GLSA 201006-04