Quoting the advisory:
Xine-lib contains an integer overflow vulnerability while parsing malformed
STTS atoms of Quicktime movie files. The vulnerability may be exploited by
a (remote) attacker to execute arbitrary code in the context of an
application using the xine library.
Solution: Upgrade to xine-lib >= 18.104.22.168.
media-video, looks like .3 is already in CVS, can we go stable?
(In reply to comment #1)
> media-video, looks like .3 is already in CVS, can we go stable?
Yes, it's OK for stable; it's just that I've given up on following xine-lib's security status some time ago...
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
ppc and ppc64 done
Stable for HPPA.
Stable on alpha.
Integer overflow in the qt_error parse_trak_atom function in
demuxers/demux_qt.c in xine-lib 22.214.171.124 and earlier allows remote
attackers to execute arbitrary code via a Quicktime movie file with a
large count value in an STTS atom, which triggers a heap-based buffer
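The CVE text above describes the classic pattern: an attacker-controlled entry count is multiplied by the entry size in 32-bit arithmetic, the product wraps, a too-small heap buffer is allocated, and the parser then copies "count" entries into it. The following is an added example written for this page, not xine-lib's own demuxer code: a hardened STTS parser that bounds the claimed count by the bytes actually present before allocating, next to a small helper that shows the 32-bit wrap. The atom layout (4 bytes version/flags, 4-byte big-endian entry count, then 8-byte entries of sample count and sample duration) follows the QuickTime file format; the function names, the sample atoms and the count value 0x20000001 are constructed for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* One time-to-sample entry: 4-byte sample count, 4-byte duration (big-endian). */
typedef struct { uint32_t sample_count; uint32_t sample_duration; } stts_entry_t;
typedef struct { uint32_t n_entries; stts_entry_t *entries; } stts_table_t;

#define STTS_HEADER_LEN 8u   /* version(1) + flags(3) + entry_count(4) */
#define STTS_ENTRY_LEN  8u   /* sample_count(4) + sample_duration(4) */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Root cause in miniature (hypothetical helper): sizing a heap buffer as
 * count * entry_size in 32-bit arithmetic wraps for large counts, so the
 * buffer ends up far smaller than the number of entries later copied. */
uint32_t wrapped_alloc_size(uint32_t entry_count)
{
    return (uint32_t)((uint64_t)entry_count * STTS_ENTRY_LEN);
}

/* Hardened parse. 'payload' points just past the 8-byte atom size/type header,
 * 'len' is the payload length actually read from the file.
 * Returns 0 on success (caller frees out->entries) or -1 if malformed. */
int parse_stts(const uint8_t *payload, size_t len, stts_table_t *out)
{
    out->n_entries = 0;
    out->entries = NULL;
    if (len < STTS_HEADER_LEN)
        return -1;

    uint32_t count = be32(payload + 4);

    /* Bound the claimed count by the bytes really present. Dividing the
     * remaining length never forms count * 8 as a product, so the check
     * itself cannot overflow on 32- or 64-bit hosts. */
    if (count > (len - STTS_HEADER_LEN) / STTS_ENTRY_LEN)
        return -1;
    if (count == 0)
        return 0;

    /* calloc fails rather than wraps on n*size overflow, and the bound above
     * already guarantees the table fits in the data we hold. */
    stts_entry_t *e = calloc(count, sizeof *e);
    if (!e)
        return -1;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *p = payload + STTS_HEADER_LEN + (size_t)i * STTS_ENTRY_LEN;
        e[i].sample_count    = be32(p);
        e[i].sample_duration = be32(p + 4);
    }
    out->n_entries = count;
    out->entries = e;
    return 0;
}

/* Constructed sample: well-formed STTS payload with two entries. */
static const uint8_t SAMPLE_OK[] = {
    0x00, 0x00, 0x00, 0x00,                          /* version 0, flags 0 */
    0x00, 0x00, 0x00, 0x02,                          /* entry_count = 2 */
    0x00, 0x00, 0x00, 0x0A,  0x00, 0x00, 0x04, 0x00, /* 10 samples, duration 1024 */
    0x00, 0x00, 0x00, 0x01,  0x00, 0x00, 0x02, 0x00  /* 1 sample, duration 512 */
};

/* Constructed sample: entry_count claims 0x20000001 entries (0x20000001 * 8
 * wraps to 8 in 32 bits) while only one entry is actually present. */
static const uint8_t SAMPLE_BAD[] = {
    0x00, 0x00, 0x00, 0x00,
    0x20, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x0A,  0x00, 0x00, 0x04, 0x00
};

/* Sum of sample counts in SAMPLE_OK, or -1 if the parser rejects it. */
long demo_valid_total_samples(void)
{
    stts_table_t t;
    if (parse_stts(SAMPLE_OK, sizeof SAMPLE_OK, &t) != 0)
        return -1;
    long total = 0;
    for (uint32_t i = 0; i < t.n_entries; i++)
        total += t.entries[i].sample_count;
    free(t.entries);
    return total;
}

/* Parser verdict on SAMPLE_BAD: -1 means it was rejected before any copy. */
int demo_malformed(void)
{
    stts_table_t t;
    int rc = parse_stts(SAMPLE_BAD, sizeof SAMPLE_BAD, &t);
    free(t.entries);   /* NULL when rejected */
    return rc;
}

int main(void)
{
    printf("0x20000001 entries * 8 bytes in 32 bits = %u\n", wrapped_alloc_size(0x20000001u));
    printf("valid atom: total samples = %ld\n", demo_valid_total_samples());
    printf("malformed atom: rc = %d\n", demo_malformed());
    return 0;
}
```

The point of the division-based bound is that it ties the count to the data the demuxer has in hand rather than to whatever the file claims; any atom whose header promises more entries than its own length can carry is rejected before a single byte is copied, which is the condition a fuzzer or a file-format scanner would want to see exercised.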
GLSA together with bug 234777.
GLSA filed including bug 234777, bug 249041, bug 260069, and bug 265250.