LinuxSecurity.com 		Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: February 6th, 2012
Linux Advisory Watch: February 3rd, 2012
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Mandriva: Subject: [Security Announce] [ MDVSA-2008:178 ] xine-lib Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Mandrake Alin Rad Pop found an array index vulnerability in the SDP parser of xine-lib. If a user or automated system were tricked into opening a malicious RTSP stream, a remote attacker could possibly execute arbitrary code with the privileges of the user using the program (CVE-2008-0073). 
 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2008:178
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : xine-lib
 Date    : August 20, 2008
 Affected: 2008.0
 _______________________________________________________________________

 Problem Description:

 Alin Rad Pop found an array index vulnerability in the SDP parser
 of xine-lib.  If a user or automated system were tricked into opening
 a malicious RTSP stream, a remote attacker could possibly execute
 arbitrary code with the privileges of the user using the program
 (CVE-2008-0073).
 
 The ASF demuxer in xine-lib did not properly check the length of
 ASF headers.  If a user was tricked into opening a crafted ASF file,
 a remote attacker could possibly cause a denial of service or execute
 arbitrary code with the privileges of the user using the program
 (CVE-2008-1110).
 
 The Matroska demuxer in xine-lib did not properly verify frame sizes,
 which could possibly lead to the execution of arbitrary code if a
 user opened a crafted ASF file (CVE-2008-1161).
 
 Luigi Auriemma found multiple integer overflows in xine-lib.  If a
 user was tricked into opening a crafted FLV, MOV, RM, MVE, MKV, or
 CAK file, a remote attacker could possibly execute arbitrary code
 with the privileges of the user using the program (CVE-2008-1482).
 
 Guido Landi found A stack-based buffer overflow in xine-lib
 that could allow a remote attacker to cause a denial of service
 (crash) and potentially execute arbitrary code via a long NSF title
 (CVE-2008-1878).
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0073
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1110
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1161
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1482
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1878
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 6aa7eae08e4878a56216c21d2895d38a  2008.0/i586/libxine1-1.1.8-4.7mdv2008.0.i586.rpm
 e7f1553bf63778f25d9fbf730d5b120c  2008.0/i586/libxine-devel-1.1.8-4.7mdv2008.0.i586.rpm
 75e68e91207e014f287b93cdd664a073  2008.0/i586/xine-aa-1.1.8-4.7mdv2008.0.i586.rpm
 accb9c34f5046451b66142bdd6a21706  2008.0/i586/xine-caca-1.1.8-4.7mdv2008.0.i586.rpm
 0e4198ff66564f160945bd8a73932482  2008.0/i586/xine-dxr3-1.1.8-4.7mdv2008.0.i586.rpm
 44853bc05ede93786675969cdfd2b009  2008.0/i586/xine-esd-1.1.8-4.7mdv2008.0.i586.rpm
 833f7be8ad722fde7dcae24633914556  2008.0/i586/xine-flac-1.1.8-4.7mdv2008.0.i586.rpm
 ee032b270eb9bd4a639ed9f011be8965  2008.0/i586/xine-gnomevfs-1.1.8-4.7mdv2008.0.i586.rpm
 cc9adb7d0af33e3b8bcc067c6c62d57d  2008.0/i586/xine-image-1.1.8-4.7mdv2008.0.i586.rpm
 020e8b3d47d6e1d29fa0ec4d48d6c6fd  2008.0/i586/xine-jack-1.1.8-4.7mdv2008.0.i586.rpm
 e927b440649d60abc0ab86dbba263af9  2008.0/i586/xine-plugins-1.1.8-4.7mdv2008.0.i586.rpm
 613c9490440b26a3734a447b73bddf67  2008.0/i586/xine-pulse-1.1.8-4.7mdv2008.0.i586.rpm
 ca31b8372982abf3ca3736116e91435f  2008.0/i586/xine-sdl-1.1.8-4.7mdv2008.0.i586.rpm
 3d7cdb0be5abf9432dcfa6b69decec9c  2008.0/i586/xine-smb-1.1.8-4.7mdv2008.0.i586.rpm 
 36aea6a4873e1f868ddf08c4d7eefe02  2008.0/SRPMS/xine-lib-1.1.8-4.7mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 1f58d28dfaa98b7eccf058752e41631c  2008.0/x86_64/lib64xine1-1.1.8-4.7mdv2008.0.x86_64.rpm
 150013536fe38899fcdad61c704cab5c  2008.0/x86_64/lib64xine-devel-1.1.8-4.7mdv2008.0.x86_64.rpm
 67471aea2b6f46ae6850199b85f1bba0  2008.0/x86_64/xine-aa-1.1.8-4.7mdv2008.0.x86_64.rpm
 b2178ce163ff3351685f7b94bef06069  2008.0/x86_64/xine-caca-1.1.8-4.7mdv2008.0.x86_64.rpm
 fdda01f542e4ecdfd51d2fc695eae8ca  2008.0/x86_64/xine-dxr3-1.1.8-4.7mdv2008.0.x86_64.rpm
 03faa97b40b0eb24c5934b1764378324  2008.0/x86_64/xine-esd-1.1.8-4.7mdv2008.0.x86_64.rpm
 4af8a886dbbb412b3c3820d354f889f2  2008.0/x86_64/xine-flac-1.1.8-4.7mdv2008.0.x86_64.rpm
 ce33c99a46cba4ac745af5d5b4bb399d  2008.0/x86_64/xine-gnomevfs-1.1.8-4.7mdv2008.0.x86_64.rpm
 512b93a5a0c602358c911f07dffcdae1  2008.0/x86_64/xine-image-1.1.8-4.7mdv2008.0.x86_64.rpm
 6c8233325169f39d9d753abd604a4bcf  2008.0/x86_64/xine-jack-1.1.8-4.7mdv2008.0.x86_64.rpm
 5a0afda6905461d13a21ac7fd8b27eee  2008.0/x86_64/xine-plugins-1.1.8-4.7mdv2008.0.x86_64.rpm
 66cf6873a4013533e7bb2ef664ae9830  2008.0/x86_64/xine-pulse-1.1.8-4.7mdv2008.0.x86_64.rpm
 8166bc1bc60957cabfc2038adf10f4df  2008.0/x86_64/xine-sdl-1.1.8-4.7mdv2008.0.x86_64.rpm
 6f5708f3d355a95b307158996d28bfea  2008.0/x86_64/xine-smb-1.1.8-4.7mdv2008.0.x86_64.rpm 
 36aea6a4873e1f868ddf08c4d7eefe02  2008.0/SRPMS/xine-lib-1.1.8-4.7mdv2008.0.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
 
< Prev   Next >
    
Partner

 
Latest Features
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Using the sec-wall Security Proxy
sec-wall: Open Source Security Proxy
Yesterday's Edition
Hackers Hit Apple Supplier Foxconn, Leak Usernames And Passwords
Hackers Mug Google's Wallet App on Rooted Android Devices
Google Chrome will no longer check for revoked SSL certificates online
Have Your Users' Passwords Already Been Hacked?
DDoS Tools Flourish, Give Attackers Many Options
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2012 Guardian Digital, Inc. All rights reserved.