Your message dated Sat, 26 Jan 2008 23:17:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#460551: fixed in xine-lib 1.1.10-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: xine-lib
Version: 1.0.1-1sarge5
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for xine-lib.
CVE-2008-0225[0]:
| Heap-based buffer overflow in the rmff_dump_cont function in
| input/libreal/rmff.c in xine-lib 1.1.9 and earlier allows remote
| attackers to execute arbitrary code via the SDP Abstract attribute,
| related to the rmff_dump_header function and related to disregarding
| the max field. NOTE: some of these details are obtained from third
| party information.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0225
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
--- Begin Message ---
Source: xine-lib
Source-Version: 1.1.10-1
We believe that the bug you reported is fixed in the latest version of
xine-lib, which is due to be installed in the Debian FTP archive:
libxine-dev_1.1.10-1_amd64.deb
to pool/main/x/xine-lib/libxine-dev_1.1.10-1_amd64.deb
libxine1-all-plugins_1.1.10-1_all.deb
to pool/main/x/xine-lib/libxine1-all-plugins_1.1.10-1_all.deb
libxine1-bin_1.1.10-1_amd64.deb
to pool/main/x/xine-lib/libxine1-bin_1.1.10-1_amd64.deb
libxine1-console_1.1.10-1_amd64.deb
to pool/main/x/xine-lib/libxine1-console_1.1.10-1_amd64.deb
libxine1-dbg_1.1.10-1_amd64.deb
to pool/main/x/xine-lib/libxine1-dbg_1.1.10-1_amd64.deb
libxine1-doc_1.1.10-1_all.deb
to pool/main/x/xine-lib/libxine1-doc_1.1.10-1_all.deb
libxine1-ffmpeg_1.1.10-1_amd64.deb
to pool/main/x/xine-lib/libxine1-ffmpeg_1.1.10-1_amd64.deb
libxine1-gnome_1.1.10-1_amd64.deb
to pool/main/x/xine-lib/libxine1-gnome_1.1.10-1_amd64.deb
libxine1-misc-plugins_1.1.10-1_amd64.deb
to pool/main/x/xine-lib/libxine1-misc-plugins_1.1.10-1_amd64.deb
libxine1-plugins_1.1.10-1_all.deb
to pool/main/x/xine-lib/libxine1-plugins_1.1.10-1_all.deb
libxine1-x_1.1.10-1_amd64.deb
to pool/main/x/xine-lib/libxine1-x_1.1.10-1_amd64.deb
libxine1_1.1.10-1_amd64.deb
to pool/main/x/xine-lib/libxine1_1.1.10-1_amd64.deb
xine-lib_1.1.10-1.diff.gz
to pool/main/x/xine-lib/xine-lib_1.1.10-1.diff.gz
xine-lib_1.1.10-1.dsc
to pool/main/x/xine-lib/xine-lib_1.1.10-1.dsc
xine-lib_1.1.10.orig.tar.gz
to pool/main/x/xine-lib/xine-lib_1.1.10.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Darren Salt <[EMAIL PROTECTED]> (supplier of updated xine-lib package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 26 Jan 2008 22:16:28 +0000
Source: xine-lib
Binary: libxine1-doc libxine1 libxine1-bin libxine-dev libxine1-ffmpeg
 libxine1-gnome libxine1-console libxine1-x libxine1-misc-plugins libxine1-dbg
 libxine1-plugins libxine1-all-plugins
Architecture: source all amd64
Version: 1.1.10-1
Distribution: unstable
Urgency: high
Maintainer: [EMAIL PROTECTED]
Changed-By: Darren Salt <[EMAIL PROTECTED]>
Description:
 libxine-dev - the xine video player library, development packages
 libxine1 - the xine video/media player library, meta-package
 libxine1-all-plugins - the xine video/media player library, meta package
 libxine1-bin - the xine video/media player library, binary files
 libxine1-console - libaa/libcaca/framebuffer/directfb related plugins for libxine1
 libxine1-dbg - debug symbols for libxine1
 libxine1-doc - the xine video player library, documentation files
 libxine1-ffmpeg - MPEG-related plugins for libxine1
 libxine1-gnome - GNOME-related plugins for libxine1
 libxine1-misc-plugins - Input, audio output and post plugins for libxine1
 libxine1-plugins - the xine video/media player library, meta package
 libxine1-x - X desktop video output plugins for libxine1
Closes: 458103 458865 459836 460551 461970
Changes:
 xine-lib (1.1.10-1) unstable; urgency=high
 .
   * New upstream release (Closes: #459836)...
   * ... fixing some security bugs:
     - CVE-2008-0225: Heap-based buffer overflow in rmff_dump_cont function
       which allows remote attacker to execute arbitrary code via a crafted
       SDP Abstract attribute (Closes: #460551).
       This also acks 1.1.8-3+lenny1 (NMU by the security team).
     - Related to CVE-2006-1664: Buffer overflow which allows a remote
       attacker to execute arbitrary code or crash the client program via a
       crafted ASF header.
   * ... and fixing some other bugs, including:
     - Disappearing audio. (Closes: #461970)
 .
   [ Darren Salt ]
   * Build-depend on gs-gpl | gs. Avoids FTBFS where recommended packages
     aren't automatically installed.
   * Put libxine1-doc in section libdevel.
   * Move libxine1-doc | libxine-doc to Suggests: in libxine1. (Closes: #458103)
   * Add postinst scripts to ensure that the documentation symlinks are
     properly created. (This is really dpkg bugginess.) (Closes: #458865)
   * Standards version 3.7.3; no changes needed.
 .
   [ Reinhard Tartler ]
   * Actually install xineplug_decode_w32dll.so and xineplug_decode_qt.so
     on i386. debian/rules accidentally used $< where it should have been
     $^. Thanks to Gert Kulyk for reporting! LP: #182400
   * Fix XS-Hg-VCS headers in debian/control LP: #183886
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHm7mDsBKtjPGfWZ8RAgMEAKC655FTTaLzNlA/4UNtjud2hFAFMQCeOiPy
WAg2AG0Hr7w+5HQAqTju364=
=A5p5
-----END PGP SIGNATURE-----
--- End Message ---