Debian Bug report logs - #464696
libxine1: CVE-2008-0486 buffer overflow via crafted flac file

version graph

Package: libxine1; Maintainer for libxine1 is Darren Salt <devspam@moreofthesa.me.uk>; Source for libxine1 is src:xine-lib.

Reported by: Nico Golde <nion@debian.org>

Date: Fri, 8 Feb 2008 13:06:01 UTC

Severity: grave

Tags: patch, security

Found in version xine-lib/1.1.10-1

Fixed in versions xine-lib/1.1.10.1-1, xine-lib-1.2/1.1.90hg+20080214+db71e67bee03-1

Done: Darren Salt <linux@youmustbejoking.demon.co.uk>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Reinhard Tartler <siretart@tauware.de>:
Bug#464696; Package libxine1. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Reinhard Tartler <siretart@tauware.de>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: libxine1: CVE-2008-0486 buffer overflow via crafted flac file
Date: Fri, 8 Feb 2008 14:03:12 +0100
[Message part 1 (text/plain, inline)]
Package: libxine1
Version: 1.1.10-1
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libxine1.

CVE-2008-0486[0]:
| Array index vulnerability in libmpdemux/demux_audio.c in MPlayer
| 1.0rc2 and SVN before r25917, and possibly earlier versions, as used
| in Xine-lib 1.1.10, might allow remote attackers to execute arbitrary
| code via a crafted FLAC tag, which triggers a buffer overflow.

I attached a patch ported from the mplayer fix to xine-lib.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0486

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[demux_flac.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Reply sent to Darren Salt <linux@youmustbejoking.demon.co.uk>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #10 received at 464696-close@bugs.debian.org (full text, mbox):

From: Darren Salt <linux@youmustbejoking.demon.co.uk>
To: 464696-close@bugs.debian.org
Subject: Bug#464696: fixed in xine-lib 1.1.10.1-1
Date: Sat, 09 Feb 2008 00:32:03 +0000
Source: xine-lib
Source-Version: 1.1.10.1-1

We believe that the bug you reported is fixed in the latest version of
xine-lib, which is due to be installed in the Debian FTP archive:

libxine-dev_1.1.10.1-1_amd64.deb
  to pool/main/x/xine-lib/libxine-dev_1.1.10.1-1_amd64.deb
libxine1-all-plugins_1.1.10.1-1_all.deb
  to pool/main/x/xine-lib/libxine1-all-plugins_1.1.10.1-1_all.deb
libxine1-bin_1.1.10.1-1_amd64.deb
  to pool/main/x/xine-lib/libxine1-bin_1.1.10.1-1_amd64.deb
libxine1-console_1.1.10.1-1_amd64.deb
  to pool/main/x/xine-lib/libxine1-console_1.1.10.1-1_amd64.deb
libxine1-dbg_1.1.10.1-1_amd64.deb
  to pool/main/x/xine-lib/libxine1-dbg_1.1.10.1-1_amd64.deb
libxine1-doc_1.1.10.1-1_all.deb
  to pool/main/x/xine-lib/libxine1-doc_1.1.10.1-1_all.deb
libxine1-ffmpeg_1.1.10.1-1_amd64.deb
  to pool/main/x/xine-lib/libxine1-ffmpeg_1.1.10.1-1_amd64.deb
libxine1-gnome_1.1.10.1-1_amd64.deb
  to pool/main/x/xine-lib/libxine1-gnome_1.1.10.1-1_amd64.deb
libxine1-misc-plugins_1.1.10.1-1_amd64.deb
  to pool/main/x/xine-lib/libxine1-misc-plugins_1.1.10.1-1_amd64.deb
libxine1-plugins_1.1.10.1-1_all.deb
  to pool/main/x/xine-lib/libxine1-plugins_1.1.10.1-1_all.deb
libxine1-x_1.1.10.1-1_amd64.deb
  to pool/main/x/xine-lib/libxine1-x_1.1.10.1-1_amd64.deb
libxine1_1.1.10.1-1_amd64.deb
  to pool/main/x/xine-lib/libxine1_1.1.10.1-1_amd64.deb
xine-lib_1.1.10.1-1.diff.gz
  to pool/main/x/xine-lib/xine-lib_1.1.10.1-1.diff.gz
xine-lib_1.1.10.1-1.dsc
  to pool/main/x/xine-lib/xine-lib_1.1.10.1-1.dsc
xine-lib_1.1.10.1.orig.tar.gz
  to pool/main/x/xine-lib/xine-lib_1.1.10.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 464696@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Darren Salt <linux@youmustbejoking.demon.co.uk> (supplier of updated xine-lib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 08 Feb 2008 17:25:21 +0000
Source: xine-lib
Binary: libxine1-doc libxine1 libxine1-bin libxine-dev libxine1-ffmpeg libxine1-gnome libxine1-console libxine1-x libxine1-misc-plugins libxine1-dbg libxine1-plugins libxine1-all-plugins
Architecture: source all amd64
Version: 1.1.10.1-1
Distribution: unstable
Urgency: high
Maintainer: linux@youmustbejoking.demon.co.uk
Changed-By: Darren Salt <linux@youmustbejoking.demon.co.uk>
Description: 
 libxine-dev - the xine video player library, development packages
 libxine1   - the xine video/media player library, meta-package
 libxine1-all-plugins - the xine video/media player library, meta package
 libxine1-bin - the xine video/media player library, binary files
 libxine1-console - libaa/libcaca/framebuffer/directfb related plugins for libxine1
 libxine1-dbg - debug symbols for libxine1
 libxine1-doc - the xine video player library, documentation files
 libxine1-ffmpeg - MPEG-related plugins for libxine1
 libxine1-gnome - GNOME-related plugins for libxine1
 libxine1-misc-plugins - Input, audio output and post plugins for libxine1
 libxine1-plugins - the xine video/media player library, meta package
 libxine1-x - X desktop video output plugins for libxine1
Closes: 462710 462964 464178 464321 464696
Changes: 
 xine-lib (1.1.10.1-1) unstable; urgency=high
 .
   * New upstream release.
     - CVE-2008-0486: Array index vulnerability which may allow remote
       attackers to execute arbitrary code via a crafted FLAC tag, which
       triggers a buffer overflow. (Closes: #464696)
     - Real codec detection was looking in the wrong places. (Closes: #462964)
 .
   [Darren Salt]
   * Add pkg-config dependency to libxine-dev, fixing xine-plugin FTBFS.
     (Closes: #464178, #464321)
   * Put libxine1-doc back into section doc until somewhere better is created
     for it. (Closes: #462710)
   * No longer build-conflict with libxine-dev from xine-lib-1.2. This is no
     longer needed due to link order changes.
Files: 
 c02992d339016ddbb2ec49e9c7c899e6 1749 libs optional xine-lib_1.1.10.1-1.dsc
 bfb55b256e286a0c42e5bc8e3f6a81eb 9133868 libs optional xine-lib_1.1.10.1.orig.tar.gz
 0abd8871f8a3a845b940f6327b6cbffa 25676 libs optional xine-lib_1.1.10.1-1.diff.gz
 2df6942091ba282028459f0b8c32f17b 141498 doc optional libxine1-doc_1.1.10.1-1_all.deb
 69a96a7e04145d55dd1382c59b037a05 50068 libs extra libxine1-plugins_1.1.10.1-1_all.deb
 5f9a0553cc0af7581910729d52b250d6 50078 libs extra libxine1-all-plugins_1.1.10.1-1_all.deb
 99ef9bd1202b75680aa5b1567ea243a1 1262 libs optional libxine1_1.1.10.1-1_amd64.deb
 76944f0eb19f6c63d8b17654b59419d5 1605980 libs optional libxine1-bin_1.1.10.1-1_amd64.deb
 9c5cdef0f15a2b6b9192dbc546899fdd 329840 libdevel optional libxine-dev_1.1.10.1-1_amd64.deb
 ef4ee1ba334cba0d5b5a5895c47636e5 385124 libs optional libxine1-ffmpeg_1.1.10.1-1_amd64.deb
 810e5d8466968fdeddcff6071022b1bd 15240 libs optional libxine1-gnome_1.1.10.1-1_amd64.deb
 cfcc74fd003f433cd0515c89da52ac4d 58100 libs extra libxine1-console_1.1.10.1-1_amd64.deb
 7573128e18e3b668a24aab0fe431d974 213756 libs optional libxine1-x_1.1.10.1-1_amd64.deb
 a6b80731cf9a51329e45551fcd2a494b 961674 libs optional libxine1-misc-plugins_1.1.10.1-1_amd64.deb
 9e014ff021e46789cb69fda45c244181 3932274 libs extra libxine1-dbg_1.1.10.1-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHrORssBKtjPGfWZ8RAhqJAKC77CDJNAqXybQf05s1tIm+Vye/bwCfVJTK
Ff5HsJLb6Pn4GisVFexKcK4=
=/vXL
-----END PGP SIGNATURE-----





Reply sent to Darren Salt <linux@youmustbejoking.demon.co.uk>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #15 received at 464696-close@bugs.debian.org (full text, mbox):

From: Darren Salt <linux@youmustbejoking.demon.co.uk>
To: 464696-close@bugs.debian.org
Subject: Bug#464696: fixed in xine-lib-1.2 1.1.90hg+20080214+db71e67bee03-1
Date: Fri, 15 Feb 2008 14:02:05 +0000
Source: xine-lib-1.2
Source-Version: 1.1.90hg+20080214+db71e67bee03-1

We believe that the bug you reported is fixed in the latest version of
xine-lib-1.2, which is due to be installed in the Debian FTP archive:

libxine-dev_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
  to pool/main/x/xine-lib-1.2/libxine-dev_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
libxine2-all-plugins_1.1.90hg+20080214+db71e67bee03-1_all.deb
  to pool/main/x/xine-lib-1.2/libxine2-all-plugins_1.1.90hg+20080214+db71e67bee03-1_all.deb
libxine2-bin_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
  to pool/main/x/xine-lib-1.2/libxine2-bin_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
libxine2-console_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
  to pool/main/x/xine-lib-1.2/libxine2-console_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
libxine2-dbg_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
  to pool/main/x/xine-lib-1.2/libxine2-dbg_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
libxine2-doc_1.1.90hg+20080214+db71e67bee03-1_all.deb
  to pool/main/x/xine-lib-1.2/libxine2-doc_1.1.90hg+20080214+db71e67bee03-1_all.deb
libxine2-ffmpeg_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
  to pool/main/x/xine-lib-1.2/libxine2-ffmpeg_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
libxine2-gnome_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
  to pool/main/x/xine-lib-1.2/libxine2-gnome_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
libxine2-misc-plugins_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
  to pool/main/x/xine-lib-1.2/libxine2-misc-plugins_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
libxine2-plugins_1.1.90hg+20080214+db71e67bee03-1_all.deb
  to pool/main/x/xine-lib-1.2/libxine2-plugins_1.1.90hg+20080214+db71e67bee03-1_all.deb
libxine2-vdr_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
  to pool/main/x/xine-lib-1.2/libxine2-vdr_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
libxine2-x_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
  to pool/main/x/xine-lib-1.2/libxine2-x_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
libxine2_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
  to pool/main/x/xine-lib-1.2/libxine2_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
xine-lib-1.2_1.1.90hg+20080214+db71e67bee03-1.diff.gz
  to pool/main/x/xine-lib-1.2/xine-lib-1.2_1.1.90hg+20080214+db71e67bee03-1.diff.gz
xine-lib-1.2_1.1.90hg+20080214+db71e67bee03-1.dsc
  to pool/main/x/xine-lib-1.2/xine-lib-1.2_1.1.90hg+20080214+db71e67bee03-1.dsc
xine-lib-1.2_1.1.90hg+20080214+db71e67bee03.orig.tar.gz
  to pool/main/x/xine-lib-1.2/xine-lib-1.2_1.1.90hg+20080214+db71e67bee03.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 464696@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Darren Salt <linux@youmustbejoking.demon.co.uk> (supplier of updated xine-lib-1.2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 14 Feb 2008 22:17:50 +0000
Source: xine-lib-1.2
Binary: libxine2-doc libxine2 libxine2-bin libxine-dev libxine2-ffmpeg libxine2-gnome libxine2-console libxine2-vdr libxine2-x libxine2-misc-plugins libxine2-dbg libxine2-plugins libxine2-all-plugins
Architecture: source all amd64
Version: 1.1.90hg+20080214+db71e67bee03-1
Distribution: experimental
Urgency: low
Maintainer: linux@youmustbejoking.demon.co.uk
Changed-By: Darren Salt <linux@youmustbejoking.demon.co.uk>
Description: 
 libxine-dev - the xine video player library, development packages
 libxine2   - the xine media player library, meta-package (development branch)
 libxine2-all-plugins - the xine video/media player library, meta package
 libxine2-bin - the xine video/media player library, binary files
 libxine2-console - libaa/libcaca/framebuffer/directfb related plugins for libxine2
 libxine2-dbg - debug symbols for libxine2
 libxine2-doc - the xine video player library, documentation files
 libxine2-ffmpeg - MPEG-related plugins for libxine2
 libxine2-gnome - GNOME-related plugins for libxine2
 libxine2-misc-plugins - Input, audio output and post plugins for libxine2
 libxine2-plugins - the xine video/media player library, meta package
 libxine2-vdr - VDR-related plugins for libxine2
 libxine2-x - X desktop video output plugins for libxine2
Closes: 464696
Changes: 
 xine-lib-1.2 (1.1.90hg+20080214+db71e67bee03-1) experimental; urgency=low
 .
   * 1.2.x development branch snapshot.
     (cset db71e67bee037142234750a216597c7811cc7df5)
     - CVE-2008-0486: Array index vulnerability which may allow remote
       attackers to execute arbitrary code via a crafted FLAC tag, which
       triggers a buffer overflow. (Closes: #464696)
Files: 
 244698d2d24b3286cc579632467f39e5 1877 libs optional xine-lib-1.2_1.1.90hg+20080214+db71e67bee03-1.dsc
 254023804c9daa906ab2720907f7c4a7 9995967 libs optional xine-lib-1.2_1.1.90hg+20080214+db71e67bee03.orig.tar.gz
 56c21f9a26f11a77db9e491c338f01ba 25995 libs optional xine-lib-1.2_1.1.90hg+20080214+db71e67bee03-1.diff.gz
 b9c1ed288f8a263ce4b676146c5f7387 136384 doc optional libxine2-doc_1.1.90hg+20080214+db71e67bee03-1_all.deb
 119594ad57a19ad42fb5463bfb0728ba 1080 libs extra libxine2-plugins_1.1.90hg+20080214+db71e67bee03-1_all.deb
 c958f1d483cffd11637030d8e6dd6f61 1092 libs extra libxine2-all-plugins_1.1.90hg+20080214+db71e67bee03-1_all.deb
 85bf40304548af58e64964225753c610 1272 libs optional libxine2_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
 2a50644faa51aa2e983b0754e4ef1118 1589378 libs optional libxine2-bin_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
 cef458966550333a62723090c949acc2 535026 libdevel optional libxine-dev_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
 eacb5c48d0a3c825cab9883a1df04923 471200 libs optional libxine2-ffmpeg_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
 48be169939fcc147ed6dfd6bccb315b3 14988 libs optional libxine2-gnome_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
 8130e4fe5b0ab0a41c680a935134f12f 59110 libs extra libxine2-console_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
 22f92ab1eaf09cbf748df041b410139f 21414 libs extra libxine2-vdr_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
 4cf625f72936abbb0328415cee6c28f7 200896 libs optional libxine2-x_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
 6fc804914366f81851a3cb2b14aba025 848002 libs optional libxine2-misc-plugins_1.1.90hg+20080214+db71e67bee03-1_amd64.deb
 e834f874db1ca938c7c0ab00240fafce 3854316 libs extra libxine2-dbg_1.1.90hg+20080214+db71e67bee03-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHtNctsBKtjPGfWZ8RAv8QAKCqcoXGKMNV/eEVlN20XLB2WUJBQwCgpeDK
r7Jqp3DqrRU1Oqinlf0buEY=
=w/cm
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 15 Mar 2008 07:31:39 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 12:08:23 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.