Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Sign up!
EnGarde Community
What is the most important Linux security technology?
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Latest Newsletters
Linux Advisory Watch: March 27th, 2015
Linux Security Week: March 23rd, 2015
LinuxSecurity Newsletters
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

Debian: New xine-lib packages fix several vulnerabilities Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Debian Integer overflow vulnerabilities exist in xine's FLV, QuickTime, RealMedia, MVE and CAK demuxers, as well as the EBML parser used by the Matroska demuxer. These weaknesses allow an attacker to overflow heap buffers and potentially execute arbitrary code by supplying a maliciously crafted file of those types.
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1586-1                                   Devin Carraway
May 22, 2008                
- ------------------------------------------------------------------------

Package        : xine-lib
Vulnerability  : multiple
Problem type   : local (remote)
Debian-specific: no
CVE Id(s)      : CVE-2008-1482 CVE-2008-1686 CVE-2008-1878

Multiple vulnerabilities have been discovered in xine-lib, a library
which supplies most of the application functionality of the xine
multimedia player.  The Common Vulnerabilities and Exposures project
identifies the following three problems:


    Integer overflow vulnerabilities exist in xine's FLV, QuickTime,
    RealMedia, MVE and CAK demuxers, as well as the EBML parser used
    by the Matroska demuxer.  These weaknesses allow an attacker to
    overflow heap buffers and potentially execute arbitrary code by
    supplying a maliciously crafted file of those types.


    Insufficient input validation in the Speex implementation used
    by this version of xine enables an invalid array access and the
    execution of arbitrary code by supplying a maliciously crafted
    Speex file.


    Inadequate bounds checking in the NES Sound Format (NSF) demuxer
    enables a stack buffer overflow and the execution of arbitrary
    code through a maliciously crafted NSF file.

For the stable distribution (etch), these problems have been fixed in
version 1.1.2+dfsg-7.

For the unstable distribution (sid), these problems have been fixed in
version 1.1.12-2.

We recommend that you upgrade your xine-lib packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:
    Size/MD5 checksum:  6716994 ae6525a76280a6e1979c3f4f89fd00f3
    Size/MD5 checksum:    32397 9ef42da73934e6a981151549e97fd396
    Size/MD5 checksum:     1585 b0949db5082a590b1afa4f477005f79f

alpha architecture (DEC Alpha)
    Size/MD5 checksum:  3410964 35526481cc816fad2d5692b33f4a3577
    Size/MD5 checksum:   118604 cfc8a8c900bd1182b3faddfeb09eba84
    Size/MD5 checksum:  3665492 49adcd016edc53b96bbc028bc3e428ae

amd64 architecture (AMD x86_64 (AMD64))
    Size/MD5 checksum:   117506 f8305c6e72d9fd2a25cb7b144e0d696d
    Size/MD5 checksum:  3050404 b94199ba7a4a578db7eb0eefa42b725c
    Size/MD5 checksum:  3660324 635669edb747900be1b17a17dba1f564

arm architecture (ARM)
    Size/MD5 checksum:   118774 052c7ceae25865180a966f6e9e4eb573
    Size/MD5 checksum:  2959500 bb1f326f6451a5681c592a56734b30da
    Size/MD5 checksum:  2668528 19d061e0cc24b1bf935607207bc8c638

hppa architecture (HP PA RISC)
    Size/MD5 checksum:  3225530 ac2abcd37fe278b730a7a52db4690e2c
    Size/MD5 checksum:   119646 5190a9fd4691a7523f1ae2734d81691f
    Size/MD5 checksum:  2697042 ea3479f6dc14ed23f90fbb653ea714aa

i386 architecture (Intel ia32)
    Size/MD5 checksum:   117466 6bd9177c7a51abe868c0c4f4dfb1b6d7
    Size/MD5 checksum:  3967634 5a85d97914a5bcb3033e8d3eaec4af4b
    Size/MD5 checksum:  3350218 88382dafa93891b720985435619e1bee

ia64 architecture (Intel ia64)
    Size/MD5 checksum:  3765616 e38586e9ef6c7b1997679198cc263b9f
    Size/MD5 checksum:  2685148 2bbd6abfaa59b6d5d238916e1fe588c1
    Size/MD5 checksum:   117500 c6038901ade50caa3a84254f51b43081

mips architecture (MIPS (Big Endian))
    Size/MD5 checksum:  3036512 2e2b54ad4b4b45715528981791ce85c6
    Size/MD5 checksum:  2844538 03835764ba28aa277cf33b994ac2c515
    Size/MD5 checksum:   119386 292683637eeb0e0922516c27069b0a4a

mipsel architecture (MIPS (Little Endian))
    Size/MD5 checksum:  3017710 0fd6b63681e496817a5a741b942b3642
    Size/MD5 checksum:  2788988 e9bc0450d264dfc9f3522bc38f27fa61
    Size/MD5 checksum:   117528 656913c22767f942ea3ef2f8ad0edc80

powerpc architecture (PowerPC)
    Size/MD5 checksum:  3719568 4bf9a41390aa91305a7de075d8d2c52a
    Size/MD5 checksum:  3209842 ee37b66a198c890770fcda734e30fab8
    Size/MD5 checksum:   117512 e952851e820d0634de013e598c61c432

s390 architecture (IBM S/390)
    Size/MD5 checksum:  3173064 c1210b83707d76a4256c42393ef1e2d4
    Size/MD5 checksum:  2719306 125a96fd91fc8cf88c69280500230e0e
    Size/MD5 checksum:   117502 babe974673968538886456d4f5345cce

sparc architecture (Sun SPARC/UltraSPARC)
    Size/MD5 checksum:  3025332 591637b97267686c199c074ce3e92aba
    Size/MD5 checksum:   117520 f3b076031d34e283445c27fcb9031e63
    Size/MD5 checksum:  3369250 d8e3d16b7c014187398029cf2e75f0da

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list:
< Prev   Next >


Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Weekend Edition
FBI Quietly Removes Recommendation To Encrypt Your Phone
And the prize for LEAST SECURE BROWSER goes to ... Chrome!
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.