From security@linux-mandrake.com Thu Oct 7 20:50:16 2004 From: Mandrake Linux Security Team To: bugtraq@securityfocus.com Date: 6 Oct 2004 19:40:48 -0000 Subject: MDKSA-2004:105 - Updated xine-lib packages fix multiple vulnerabilities -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandrakelinux Security Update Advisory _______________________________________________________________________ Package name: xine-lib Advisory ID: MDKSA-2004:105 Date: October 6th, 2004 Affected versions: 10.0 ______________________________________________________________________ Problem Description: A number of string overflows were discovered in the xine-lib program, some of which can be used for remote buffer overflow exploits that lead to the execution of arbitrary code with the permissions of the user running a xine-lib-based media application. xine-lib versions 1-rc2 through, and including, 1-rc5 are vulnerable to these problems. As well, a heap overflow was found in the DVD subpicture decoder of xine-lib; this vulnerability is also remotely exploitable. All versions of xine-lib prior to and including 0.5.2 through, and including, 1-rc5 are vulnerable to this problem. Patches from the xine-lib team have been backported and applied to the program to solve these problems. _______________________________________________________________________ References: http://xinehq.de/index.php/security/XSA-2004-4 http://xinehq.de/index.php/security/XSA-2004-5 ______________________________________________________________________ Updated Packages: Mandrakelinux 10.0: 10ce6885addcfa3a9ed0380805fcbce6 10.0/RPMS/libxine1-1-0.rc3.6.2.100mdk.i586.rpm 2a1341dfa762f5208673ab20ec5d9092 10.0/RPMS/libxine1-devel-1-0.rc3.6.2.100mdk.i586.rpm a654845136034c4cdb30ed89a0ca81b7 10.0/RPMS/xine-aa-1-0.rc3.6.2.100mdk.i586.rpm e70b118d3bdd2a9a9dc48143601f78a4 10.0/RPMS/xine-arts-1-0.rc3.6.2.100mdk.i586.rpm 1ff7a30cd60c470f4d89cebfaf33d5f8 10.0/RPMS/xine-dxr3-1-0.rc3.6.2.100mdk.i586.rpm 2be55268cb20ff387313f662d19e5112 10.0/RPMS/xine-esd-1-0.rc3.6.2.100mdk.i586.rpm 8ea540e75311662ee5db57a0fa38e51a 10.0/RPMS/xine-flac-1-0.rc3.6.2.100mdk.i586.rpm ba12f4c0368e6d81f6965c64e13796a0 10.0/RPMS/xine-gnomevfs-1-0.rc3.6.2.100mdk.i586.rpm 253a8c8dac5200fe7afc3d5d502be1ed 10.0/RPMS/xine-plugins-1-0.rc3.6.2.100mdk.i586.rpm 0f65783b02ceea2ee697af41a4406d76 10.0/SRPMS/xine-lib-1-0.rc3.6.2.100mdk.src.rpm Mandrakelinux 10.0/AMD64: 12e4e1ef7a03cee73b025f106de3f05e amd64/10.0/RPMS/lib64xine1-1-0.rc3.6.2.100mdk.amd64.rpm b04a4aa8e15009fe67e7cbd2b5d7304f amd64/10.0/RPMS/lib64xine1-devel-1-0.rc3.6.2.100mdk.amd64.rpm dec9a4e10c6c1f3cda08a252bfa54963 amd64/10.0/RPMS/xine-aa-1-0.rc3.6.2.100mdk.amd64.rpm 76890b85ba9cc2ddd84bc8f7f79e1482 amd64/10.0/RPMS/xine-arts-1-0.rc3.6.2.100mdk.amd64.rpm fbf465711eda60e57198666c0c693267 amd64/10.0/RPMS/xine-esd-1-0.rc3.6.2.100mdk.amd64.rpm e5921bb72c4a819a685d736301643c4d amd64/10.0/RPMS/xine-flac-1-0.rc3.6.2.100mdk.amd64.rpm c79055804621f8ff95ad738a75bcc5d6 amd64/10.0/RPMS/xine-gnomevfs-1-0.rc3.6.2.100mdk.amd64.rpm 72781a34d4b3f83d2e4a3e5226ed5942 amd64/10.0/RPMS/xine-plugins-1-0.rc3.6.2.100mdk.amd64.rpm 0f65783b02ceea2ee697af41a4406d76 amd64/10.0/SRPMS/xine-lib-1-0.rc3.6.2.100mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandrakelinux at: http://www.mandrakesoft.com/security/advisories If you want to report vulnerabilities, please contact security_linux-mandrake.com Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFBZEpAmqjQ0CJFipgRAlxcAJwIKy+YgZjkGEM/FS6iG0WKnXmtGQCgs5vw o1mdmtdIISSyK1vpnbFzBuo= =sYnL -----END PGP SIGNATURE-----