Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 265250 (CVE-2009-1274) - <media-libs/xine-lib-1.1.16.3: Integer overflow (CVE-2009-1274)
Summary: <media-libs/xine-lib-1.1.16.3: Integer overflow (CVE-2009-1274)
Status: RESOLVED FIXED
Alias: CVE-2009-1274
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://trapkit.de/advisories/TKADV200...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-04-07 06:33 UTC by Alex Legler (RETIRED)
Modified: 2010-06-01 15:45 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-04-07 06:33:59 UTC
Quoting the advisory:

Xine-lib contains an integer overflow vulnerability while parsing malformed
STTS atoms of Quicktime movie files. The vulnerability may be exploited by 
a (remote) attacker to execute arbitrary code in the context of an 
application using the xine library.

Solution: Upgrade to xine-lib >= 1.1.16.3.
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-04-07 06:35:02 UTC
media-video, looks like .3 is already in CVS, can we go stable?
Comment 2 Alexis Ballier gentoo-dev 2009-04-07 23:56:23 UTC
(In reply to comment #1)
> media-video, looks like .3 is already in CVS, can we go stable?

yes its ok for stable; its just i've given up on following xine-lib's security status some time ago...
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-04-08 08:02:48 UTC
Arches, please test and mark stable:
=media-libs/xine-lib-1.1.16.3
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 4 Brent Baude (RETIRED) gentoo-dev 2009-04-08 13:16:34 UTC
ppc and pcp64 done
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2009-04-08 17:01:12 UTC
Stable for HPPA.
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2009-04-08 17:09:22 UTC
Stable on alpha.
Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2009-04-08 19:48:18 UTC
amd64 stable
Comment 8 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-04-08 20:09:06 UTC
======================================================
Name: CVE-2009-1274
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1274

Integer overflow in the qt_error parse_trak_atom function in
demuxers/demux_qt.c in xine-lib 1.1.16.2 and earlier allows remote
attackers to execute arbitrary code via a Quicktime movie file with a
large count value in an STTS atom, which triggers a heap-based buffer
overflow.
Comment 9 Friedrich Oslage (RETIRED) gentoo-dev 2009-04-08 20:29:37 UTC
sparc stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2009-04-10 13:21:24 UTC
arm/ia64/x86 stable
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2009-04-11 21:01:57 UTC
GLSA together with bug 234777.
Comment 12 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-05-30 10:35:20 UTC
GLSA filed including bug 234777, bug 249041, bug 260069, and bug 265250.
Comment 13 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-06-01 15:45:30 UTC
GLSA 201006-04