Articles / Debian: New xine-lib packag…

Debian: New xine-lib packages fix several vulnerabilities

Multiple vulnerabilities have been discovered in xine-lib, a library which supplies most of the application functionality of the xine multimedia player. Integer overflow vulnerabilities exist in xine's FLV, QuickTime, RealMedia, MVE and CAK demuxers, as well as the EBML parser used by the Matroska demuxer. These weaknesses allow an attacker to overflow heap buffers and potentially execute arbitrary code by supplying a maliciously crafted file of those types. Insufficient input validation in the Speex implementation used by this version of xine enables an invalid array access and the execution of arbitrary code by supplying a maliciously crafted Speex file. Inadequate bounds checking in the NES Sound Format (NSF) demuxer enables a stack buffer overflow and the execution of arbitrary code through a maliciously crafted NSF file. Fixed packages are available from security.debian.org.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1586-1                  security@debian.org
http://www.debian.org/security/                           Devin Carraway
May 22, 2008                          http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : xine-lib
Vulnerability  : multiple
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)      : CVE-2008-1482 CVE-2008-1686 CVE-2008-1878

Multiple vulnerabilities have been discovered in xine-lib, a library
which supplies most of the application functionality of the xine
multimedia player.  The Common Vulnerabilities and Exposures project
identifies the following three problems:

CVE-2008-1482

   Integer overflow vulnerabilities exist in xine's FLV, QuickTime,
   RealMedia, MVE and CAK demuxers, as well as the EBML parser used
   by the Matroska demuxer.  These weaknesses allow an attacker to
   overflow heap buffers and potentially execute arbitrary code by
   supplying a maliciously crafted file of those types.

CVE-2008-1686

   Insufficient input validation in the Speex implementation used
   by this version of xine enables an invalid array access and the
   execution of arbitrary code by supplying a maliciously crafted
   Speex file.

CVE-2008-1878

   Inadequate bounds checking in the NES Sound Format (NSF) demuxer
   enables a stack buffer overflow and the execution of arbitrary
   code through a maliciously crafted NSF file.

For the stable distribution (etch), these problems have been fixed in
version 1.1.2+dfsg-7.

For the unstable distribution (sid), these problems have been fixed in
version 1.1.12-2.

We recommend that you upgrade your xine-lib packages.

Upgrade instructions
- --------------------

wget url
       will fetch the file for you
dpkg -i file.deb
       will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
       will update the internal database
apt-get upgrade
       will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

 http://security.debian.org/pool/updates/main/x/xine-lib/xine-lib_1.1.2+dfsg.orig.tar.gz
   Size/MD5 checksum:  6716994 ae6525a76280a6e1979c3f4f89fd00f3
 http://security.debian.org/pool/updates/main/x/xine-lib/xine-lib_1.1.2+dfsg-7.diff.gz
   Size/MD5 checksum:    32397 9ef42da73934e6a981151549e97fd396
 http://security.debian.org/pool/updates/main/x/xine-lib/xine-lib_1.1.2+dfsg-7.dsc
   Size/MD5 checksum:     1585 b0949db5082a590b1afa4f477005f79f

alpha architecture (DEC Alpha)

 http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_alpha.deb
   Size/MD5 checksum:  3410964 35526481cc816fad2d5692b33f4a3577
 http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_alpha.deb
   Size/MD5 checksum:   118604 cfc8a8c900bd1182b3faddfeb09eba84
 http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_alpha.deb
   Size/MD5 checksum:  3665492 49adcd016edc53b96bbc028bc3e428ae

amd64 architecture (AMD x86_64 (AMD64))

 http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_amd64.deb
   Size/MD5 checksum:   117506 f8305c6e72d9fd2a25cb7b144e0d696d
 http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_amd64.deb
   Size/MD5 checksum:  3050404 b94199ba7a4a578db7eb0eefa42b725c
 http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_amd64.deb
   Size/MD5 checksum:  3660324 635669edb747900be1b17a17dba1f564

arm architecture (ARM)

 http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_arm.deb
   Size/MD5 checksum:   118774 052c7ceae25865180a966f6e9e4eb573
 http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_arm.deb
   Size/MD5 checksum:  2959500 bb1f326f6451a5681c592a56734b30da
 http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_arm.deb
   Size/MD5 checksum:  2668528 19d061e0cc24b1bf935607207bc8c638

hppa architecture (HP PA RISC)

 http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_hppa.deb
   Size/MD5 checksum:  3225530 ac2abcd37fe278b730a7a52db4690e2c
 http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_hppa.deb
   Size/MD5 checksum:   119646 5190a9fd4691a7523f1ae2734d81691f
 http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_hppa.deb
   Size/MD5 checksum:  2697042 ea3479f6dc14ed23f90fbb653ea714aa

i386 architecture (Intel ia32)

 http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_i386.deb
   Size/MD5 checksum:   117466 6bd9177c7a51abe868c0c4f4dfb1b6d7
 http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_i386.deb
   Size/MD5 checksum:  3967634 5a85d97914a5bcb3033e8d3eaec4af4b
 http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_i386.deb
   Size/MD5 checksum:  3350218 88382dafa93891b720985435619e1bee

ia64 architecture (Intel ia64)

 http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_ia64.deb
   Size/MD5 checksum:  3765616 e38586e9ef6c7b1997679198cc263b9f
 http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_ia64.deb
   Size/MD5 checksum:  2685148 2bbd6abfaa59b6d5d238916e1fe588c1
 http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_ia64.deb
   Size/MD5 checksum:   117500 c6038901ade50caa3a84254f51b43081

mips architecture (MIPS (Big Endian))

 http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_mips.deb
   Size/MD5 checksum:  3036512 2e2b54ad4b4b45715528981791ce85c6
 http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_mips.deb
   Size/MD5 checksum:  2844538 03835764ba28aa277cf33b994ac2c515
 http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_mips.deb
   Size/MD5 checksum:   119386 292683637eeb0e0922516c27069b0a4a

mipsel architecture (MIPS (Little Endian))

 http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_mipsel.deb
   Size/MD5 checksum:  3017710 0fd6b63681e496817a5a741b942b3642
 http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_mipsel.deb
   Size/MD5 checksum:  2788988 e9bc0450d264dfc9f3522bc38f27fa61
 http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_mipsel.deb
   Size/MD5 checksum:   117528 656913c22767f942ea3ef2f8ad0edc80

powerpc architecture (PowerPC)

 http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_powerpc.deb
   Size/MD5 checksum:  3719568 4bf9a41390aa91305a7de075d8d2c52a
 http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_powerpc.deb
   Size/MD5 checksum:  3209842 ee37b66a198c890770fcda734e30fab8
 http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_powerpc.deb
   Size/MD5 checksum:   117512 e952851e820d0634de013e598c61c432

s390 architecture (IBM S/390)

 http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_s390.deb
   Size/MD5 checksum:  3173064 c1210b83707d76a4256c42393ef1e2d4
 http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_s390.deb
   Size/MD5 checksum:  2719306 125a96fd91fc8cf88c69280500230e0e
 http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_s390.deb
   Size/MD5 checksum:   117502 babe974673968538886456d4f5345cce

sparc architecture (Sun SPARC/UltraSPARC)

 http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-7_sparc.deb
   Size/MD5 checksum:  3025332 591637b97267686c199c074ce3e92aba
 http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-7_sparc.deb
   Size/MD5 checksum:   117520 f3b076031d34e283445c27fcb9031e63
 http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-7_sparc.deb
   Size/MD5 checksum:  3369250 d8e3d16b7c014187398029cf2e75f0da


 These files will probably be moved into the stable distribution on
 its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBSDWqbmz0hbPcukPfAQIS9Af/XsCrcKNgL1sjQtys3dLMh3Fj2D1ZV/Hr
+M+ChkHv1UTshdsbqcuJU8nXF1s6y0PgfydMviV7vfoQk2tW/tO2CDbYEfwPvtga
UMy9ll/0iskJYSOKWQi/nCR5tQy4A0SoaaLexDRfmk1hnA3YZ5AWsWAKyhXXwunQ
/dwNwWJnuIQGpwJAbOYoiyvTR3LHpk//lM6w1MZ5s5fXJ+coB4lr0i/VJpKMzB3O
23h37NdrJVjBNmA5p2XYdfDO4u9cF+tHMo69NMZ5Swg3n4GPbaCKMt4qUu3GbKcJ
pUve/XPqlt2yPYIw3LlFRiOTkGdX+gmH6Tm9fT7gdAEbNwX2PX/rKQ==
=Jr5C
-----END PGP SIGNATURE-----
Screenshot

Project Spotlight

Kigo Video Converter Ultimate for Mac

A tool for converting and editing videos.

Screenshot

Project Spotlight

Kid3

An efficient tagger for MP3, Ogg/Vorbis, and FLAC files.