Any info you need, please email, as I'd love to help out!
You reacted to the MPlayer issue quickly. I think you deal with security issues on par with the Free/OpenBSD guys, certainly better than most Linux suppliers I've used. BTW, I don't currently use Gentoo; I think I shall have a play.
Steps to Reproduce:
1. compile and run code
2. launch xine against it, using any demuxer name ($ ./xine http://box/a.mp3,mpg,mpeg,avi,pls)
3. watch Xine window - attached POC for non-hardened stacks
execve("/bin/sh -c """) on remote client
used system calls correctly - complained and returned in a clean manner
The "severity" section below is relative I guess, I will let you guys define
this for your particular OS.
Xine seem uninterested in informing their community about this bug. I gave them 30
days; they ignored me, then after tracking them down on IRC, they stated they had
another 800 to fix.
Great, you'll love how fast this goes then :P.
Already marked stable, already drafted the announcement, might even
release it today.
*** This bug has been marked as a duplicate of 59948 ***