MDKSA-2005:180 - Updated xine-lib packages fixes cddb vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Update Advisory
_______________________________________________________________________
Package name: xine-lib
Advisory ID: MDKSA-2005:180
Date: October 11th, 2005
Affected versions: 10.1, 10.2, 2006.0, Corporate 3.0
______________________________________________________________________
Problem Description:
When playing an Audio CD, a xine-lib based media application contacts
a CDDB server to retrieve metadata like the title and artist's name.
During processing of this data, a response from the server, which is
located in memory on the stack, is passed to the fprintf() function
as a format string. An attacker can set up a malicious CDDB server
and trick the client into using this server instead of the pre-
configured one. Alternatively, any user and therefore the attacker can
modify entries in the official CDDB server. Using this format string
vulnerability, attacker-chosen data can be written to an attacker-chosen
memory location. This allows the attacker to alter the control flow
and to execute malicious code with the permissions of the user running
the application.
This problem was reported by Ulf Harnhammar from the Debian Security
Audit Project.
The updated packages have been patched to correct this problem.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2967
http://xinehq.de/index.php/security/XSA-2005-1
______________________________________________________________________
Updated Packages:
Mandrivalinux 10.1:
3f07ca856ac1574af04fbe1b27ee965e
10.1/RPMS/libxine1-1-0.rc5.9.3.101mdk.i586.rpm
023408c3ee89298c373a3a6927a3061e
10.1/RPMS/libxine1-devel-1-0.rc5.9.3.101mdk.i586.rpm
f15dbebfea2af1a970b7d2efd9294553 10.1/RPMS/xine-aa-1-0.rc5.9.3.101mdk.i586.rpm
964bf0c612fdd2ad9f4d3f0189db4c5d
10.1/RPMS/xine-arts-1-0.rc5.9.3.101mdk.i586.rpm
942189b2e906e9318bb729841499714c
10.1/RPMS/xine-dxr3-1-0.rc5.9.3.101mdk.i586.rpm
d87d3f48cf4378de0cd66a763df69a22
10.1/RPMS/xine-esd-1-0.rc5.9.3.101mdk.i586.rpm
f015327c624aa069668a8faddc7989da
10.1/RPMS/xine-flac-1-0.rc5.9.3.101mdk.i586.rpm
fe16081d5be8ae716f139e7cc7971738
10.1/RPMS/xine-gnomevfs-1-0.rc5.9.3.101mdk.i586.rpm
b595c492e3d38c394a05bef235a8b50e
10.1/RPMS/xine-plugins-1-0.rc5.9.3.101mdk.i586.rpm
ae824a8ad57afa4af74d14ac36aec48f
10.1/SRPMS/xine-lib-1-0.rc5.9.3.101mdk.src.rpm
Mandrivalinux 10.1/X86_64:
c56c742c25b4e7ef55363bc433ada6b6
x86_64/10.1/RPMS/lib64xine1-1-0.rc5.9.3.101mdk.x86_64.rpm
8174e6c20c36883482a8c92ac7a32dd4
x86_64/10.1/RPMS/lib64xine1-devel-1-0.rc5.9.3.101mdk.x86_64.rpm
3f07ca856ac1574af04fbe1b27ee965e
x86_64/10.1/RPMS/libxine1-1-0.rc5.9.3.101mdk.i586.rpm
c4b594b75216ec745901c2bc910aa854
x86_64/10.1/RPMS/xine-aa-1-0.rc5.9.3.101mdk.x86_64.rpm
0aa452c0c36a9a7eae6bc8276c585133
x86_64/10.1/RPMS/xine-arts-1-0.rc5.9.3.101mdk.x86_64.rpm
bf3e6970c3b37d80eee58be3804aaef1
x86_64/10.1/RPMS/xine-dxr3-1-0.rc5.9.3.101mdk.x86_64.rpm
419d4acc74bd3368f4ad7e841b71583f
x86_64/10.1/RPMS/xine-esd-1-0.rc5.9.3.101mdk.x86_64.rpm
a934d38fc6bc894afcd51fc443c5387a
x86_64/10.1/RPMS/xine-flac-1-0.rc5.9.3.101mdk.x86_64.rpm
c71f58dd79bbd7a67ade68f9f0c47537
x86_64/10.1/RPMS/xine-gnomevfs-1-0.rc5.9.3.101mdk.x86_64.rpm
9d2dbdaf3887b90af8f6f275956fba25
x86_64/10.1/RPMS/xine-plugins-1-0.rc5.9.3.101mdk.x86_64.rpm
ae824a8ad57afa4af74d14ac36aec48f
x86_64/10.1/SRPMS/xine-lib-1-0.rc5.9.3.101mdk.src.rpm
Mandrivalinux 10.2:
b59bd74be8211752b1f8b14eaaeb4caf 10.2/RPMS/libxine1-1.0-8.2.102mdk.i586.rpm
7df88b45784d86b120232238e80c2ae9
10.2/RPMS/libxine1-devel-1.0-8.2.102mdk.i586.rpm
22f9a1ef543d6e6b8b409e995c05f549 10.2/RPMS/xine-aa-1.0-8.2.102mdk.i586.rpm
6b288c5aec71967bb93031d1d6781f18 10.2/RPMS/xine-arts-1.0-8.2.102mdk.i586.rpm
e94fbd981fa69cdf4205f73620d65d58 10.2/RPMS/xine-dxr3-1.0-8.2.102mdk.i586.rpm
4ac7f54e7442efeac8a8f27ea94cce31 10.2/RPMS/xine-esd-1.0-8.2.102mdk.i586.rpm
93fb8780846b76c53743f74113c5d789 10.2/RPMS/xine-flac-1.0-8.2.102mdk.i586.rpm
79cf02e9f22be6638927dec066926b5d
10.2/RPMS/xine-gnomevfs-1.0-8.2.102mdk.i586.rpm
fb9103583e2eb19ad301d6a3042fad86
10.2/RPMS/xine-plugins-1.0-8.2.102mdk.i586.rpm
bd90a1fe71bd91383caf9ea5d87e2abc 10.2/RPMS/xine-polyp-1.0-8.2.102mdk.i586.rpm
4067888181bc7c025901b054ec7c8fd6 10.2/RPMS/xine-smb-1.0-8.2.102mdk.i586.rpm
3d1f4d92c41f977edf895388f4784337 10.2/SRPMS/xine-lib-1.0-8.2.102mdk.src.rpm
Mandrivalinux 10.2/X86_64:
772e4a1a0aac6006474768a0601545a3
x86_64/10.2/RPMS/lib64xine1-1.0-8.2.102mdk.x86_64.rpm
c72a8b14fbe656c62f8368fbc9449931
x86_64/10.2/RPMS/lib64xine1-devel-1.0-8.2.102mdk.x86_64.rpm
f6123a88fc6b3c7edd68dccbc75efc8d
x86_64/10.2/RPMS/xine-aa-1.0-8.2.102mdk.x86_64.rpm
9768022de3f23e61649671a76de6d4a3
x86_64/10.2/RPMS/xine-arts-1.0-8.2.102mdk.x86_64.rpm
6636acc15686f32d827c367ae0e0af83
x86_64/10.2/RPMS/xine-dxr3-1.0-8.2.102mdk.x86_64.rpm
bd80ab843edcb769edbe95bee307848e
x86_64/10.2/RPMS/xine-esd-1.0-8.2.102mdk.x86_64.rpm
70c16130252aca43d5cac5d30d258dbc
x86_64/10.2/RPMS/xine-flac-1.0-8.2.102mdk.x86_64.rpm
19546fbd231735cdb52488c78bb3138c
x86_64/10.2/RPMS/xine-gnomevfs-1.0-8.2.102mdk.x86_64.rpm
e14f01a64d3080fc35ee3f7280ae9336
x86_64/10.2/RPMS/xine-plugins-1.0-8.2.102mdk.x86_64.rpm
8281c290d3e926279706b049dd4247da
x86_64/10.2/RPMS/xine-polyp-1.0-8.2.102mdk.x86_64.rpm
46f8be45f38977aa67731c5da830c43b
x86_64/10.2/RPMS/xine-smb-1.0-8.2.102mdk.x86_64.rpm
3d1f4d92c41f977edf895388f4784337
x86_64/10.2/SRPMS/xine-lib-1.0-8.2.102mdk.src.rpm
Mandrivalinux 2006.0:
ad0dd01a46c84cb5ce8a28ce5710da28
2006.0/RPMS/libxine1-1.1.0-8.1.20060mdk.i586.rpm
b63c878314d9d393a43082f1940fd063
2006.0/RPMS/libxine1-devel-1.1.0-8.1.20060mdk.i586.rpm
77404b4ea4908b51843f26b4face7a21
2006.0/RPMS/xine-aa-1.1.0-8.1.20060mdk.i586.rpm
efec9d133963c8c8d1d052ea8d1a811d
2006.0/RPMS/xine-arts-1.1.0-8.1.20060mdk.i586.rpm
bb1f5e764c4cc933659ebe7ba2c61d88
2006.0/RPMS/xine-dxr3-1.1.0-8.1.20060mdk.i586.rpm
b74cffa6e5683afb50ed015555b2afe8
2006.0/RPMS/xine-esd-1.1.0-8.1.20060mdk.i586.rpm
f8c48d2fc87e8f562754ce36dcf7f74a
2006.0/RPMS/xine-flac-1.1.0-8.1.20060mdk.i586.rpm
b8f365ce839aa783637edd4687f89a64
2006.0/RPMS/xine-gnomevfs-1.1.0-8.1.20060mdk.i586.rpm
2fed4fcf4867293705de055f0b2095d3
2006.0/RPMS/xine-image-1.1.0-8.1.20060mdk.i586.rpm
7ee9724ef73423691f4c2622824d50e3
2006.0/RPMS/xine-plugins-1.1.0-8.1.20060mdk.i586.rpm
732ac66a4b4a8356c8afbfc6770ac6ac
2006.0/RPMS/xine-polyp-1.1.0-8.1.20060mdk.i586.rpm
f4afb35e994c48af37529481df73df9c
2006.0/RPMS/xine-smb-1.1.0-8.1.20060mdk.i586.rpm
f8551a36e839b1c284f157d042395477
2006.0/SRPMS/xine-lib-1.1.0-8.1.20060mdk.src.rpm
Mandrivalinux 2006.0/X86_64:
c9e6b7176514f797a6b4d444d630783e
x86_64/2006.0/RPMS/lib64xine1-1.1.0-8.1.20060mdk.x86_64.rpm
9997e0b3a7712a94c98964d2a387d010
x86_64/2006.0/RPMS/lib64xine1-devel-1.1.0-8.1.20060mdk.x86_64.rpm
8c32b4302fe882f057cc307ef546356e
x86_64/2006.0/RPMS/xine-aa-1.1.0-8.1.20060mdk.x86_64.rpm
a18e2771a126b49d93d588d7ff57f22d
x86_64/2006.0/RPMS/xine-arts-1.1.0-8.1.20060mdk.x86_64.rpm
188e16a6da35e64d77ef1007f770959e
x86_64/2006.0/RPMS/xine-dxr3-1.1.0-8.1.20060mdk.x86_64.rpm
cd4045af591254a68d48dbceb5885bc5
x86_64/2006.0/RPMS/xine-esd-1.1.0-8.1.20060mdk.x86_64.rpm
40c947de3d1df3e33a0f4c26f096b0c8
x86_64/2006.0/RPMS/xine-flac-1.1.0-8.1.20060mdk.x86_64.rpm
cdd6293c4edc8751989f605eb4bb3f45
x86_64/2006.0/RPMS/xine-gnomevfs-1.1.0-8.1.20060mdk.x86_64.rpm
249af817e4dac7f580ef1d9614ec66da
x86_64/2006.0/RPMS/xine-image-1.1.0-8.1.20060mdk.x86_64.rpm
4161debdffeaf757be1d97a28e9d7c02
x86_64/2006.0/RPMS/xine-plugins-1.1.0-8.1.20060mdk.x86_64.rpm
6c5c31192529ddca8794de618f4ce0f4
x86_64/2006.0/RPMS/xine-polyp-1.1.0-8.1.20060mdk.x86_64.rpm
eb1a6c7e8297098dff9d2896f83f2f2f
x86_64/2006.0/RPMS/xine-smb-1.1.0-8.1.20060mdk.x86_64.rpm
f8551a36e839b1c284f157d042395477
x86_64/2006.0/SRPMS/xine-lib-1.1.0-8.1.20060mdk.src.rpm
Corporate 3.0:
e93f0caab04c2752c07faaff0f97922f
corporate/3.0/RPMS/libxine1-1-0.rc3.6.5.C30mdk.i586.rpm
b7cc7339b05df194eac9ef7a17878271
corporate/3.0/RPMS/xine-arts-1-0.rc3.6.5.C30mdk.i586.rpm
0e2cfe89dd82835669dcff0780923982
corporate/3.0/RPMS/xine-plugins-1-0.rc3.6.5.C30mdk.i586.rpm
8658f0c1e16ef59142cbe2c685043b26
corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.5.C30mdk.src.rpm
Corporate 3.0/X86_64:
f43b406288771a962829e7b9686c2eba
x86_64/corporate/3.0/RPMS/lib64xine1-1-0.rc3.6.5.C30mdk.x86_64.rpm
aa294b88759a08022052f0bdff44ad6a
x86_64/corporate/3.0/RPMS/xine-arts-1-0.rc3.6.5.C30mdk.x86_64.rpm
27247dc4bb05cef5bfbe97631b12de2e
x86_64/corporate/3.0/RPMS/xine-plugins-1-0.rc3.6.5.C30mdk.x86_64.rpm
8658f0c1e16ef59142cbe2c685043b26
x86_64/corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.5.C30mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFDTKgRmqjQ0CJFipgRAjRcAKDV7Nalb4u00rWeG25Tfm/0Plc0HQCfYKUA
2LWSLF4Xu7XaLivCNsmzOvA=
=8Q5N
-----END PGP SIGNATURE-----