MDKSA-2005:228 - Updated xine-lib packages fix buffer overflow vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2005:228
http://www.mandriva.com/security/
_______________________________________________________________________
Package : xine-lib
Date : December 14, 2005
Affected: 2006.0, Corporate 3.0
_______________________________________________________________________
Problem Description:
Simon Kilvington discovered a vulnerability in FFmpeg libavcodec,
which can be exploited by malicious people to cause a DoS (Denial
of Service) and potentially to compromise a user's system.
The vulnerability is caused due to a boundary error in the
"avcodec_default_get_buffer()" function of "utils.c" in libavcodec.
This can be exploited to cause a heap-based buffer overflow when a
specially-crafted 1x1 ".png" file containing a palette is read.
Xine-lib is built with a private copy of ffmpeg containing this
same code. (Corporate Server 2.1 is not vulnerable)
The updated packages have been patched to prevent this problem.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4048
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2006.0:
106bddc3b9cb60714c00c9ca0709f24f
2006.0/RPMS/libxine1-1.1.0-9.2.20060mdk.i586.rpm
080965d48571a7c6a21f5509b9edc6bb
2006.0/RPMS/libxine1-devel-1.1.0-9.2.20060mdk.i586.rpm
1b5cab0dea7da6a896f076f40057b04f
2006.0/RPMS/xine-aa-1.1.0-9.2.20060mdk.i586.rpm
749413958bae867d0e401cf3fb7ad2d4
2006.0/RPMS/xine-arts-1.1.0-9.2.20060mdk.i586.rpm
6dacf41d2ebea975675eeec3daaa5ed2
2006.0/RPMS/xine-dxr3-1.1.0-9.2.20060mdk.i586.rpm
1c0a5a698ffd77dac839cdd70e3a568b
2006.0/RPMS/xine-esd-1.1.0-9.2.20060mdk.i586.rpm
ce3a5ecb960a91faafd6376eb1d79bfb
2006.0/RPMS/xine-flac-1.1.0-9.2.20060mdk.i586.rpm
cff6a28e36785bb64f5cde6911d03a49
2006.0/RPMS/xine-gnomevfs-1.1.0-9.2.20060mdk.i586.rpm
8cffb6762d014113bdcb78f3b7c682f9
2006.0/RPMS/xine-image-1.1.0-9.2.20060mdk.i586.rpm
22a248a5660f5098dcbd0731a92ba7e0
2006.0/RPMS/xine-plugins-1.1.0-9.2.20060mdk.i586.rpm
4a3ce0b28a549de15f9668f0236bf50c
2006.0/RPMS/xine-polyp-1.1.0-9.2.20060mdk.i586.rpm
f5f118f2bbfb1bdd4f9a940450050e53
2006.0/RPMS/xine-smb-1.1.0-9.2.20060mdk.i586.rpm
424b1913ecb7aa0f96b19c71500f65a3
2006.0/SRPMS/xine-lib-1.1.0-9.2.20060mdk.src.rpm
Mandriva Linux 2006.0/X86_64:
913f831f85eb7cce65d79c46febb1973
x86_64/2006.0/RPMS/lib64xine1-1.1.0-9.2.20060mdk.x86_64.rpm
cb5cbf9e7e5e3d47818ef3fc6702b04b
x86_64/2006.0/RPMS/lib64xine1-devel-1.1.0-9.2.20060mdk.x86_64.rpm
1559fb1a68019ed74047b602f14c0cc9
x86_64/2006.0/RPMS/xine-aa-1.1.0-9.2.20060mdk.x86_64.rpm
931aec226e6266e10963d68e12cc3546
x86_64/2006.0/RPMS/xine-arts-1.1.0-9.2.20060mdk.x86_64.rpm
966f1ef51f097657718d45e7611c64d8
x86_64/2006.0/RPMS/xine-dxr3-1.1.0-9.2.20060mdk.x86_64.rpm
62bce4ff948e301e81ff228925dc96af
x86_64/2006.0/RPMS/xine-esd-1.1.0-9.2.20060mdk.x86_64.rpm
c9b162cfd51ab3877711245d14af4e1c
x86_64/2006.0/RPMS/xine-flac-1.1.0-9.2.20060mdk.x86_64.rpm
ffacd2cef4e3c181b12f663b19e7bda7
x86_64/2006.0/RPMS/xine-gnomevfs-1.1.0-9.2.20060mdk.x86_64.rpm
199ca828d6e3314b67330c32d45cc4a3
x86_64/2006.0/RPMS/xine-image-1.1.0-9.2.20060mdk.x86_64.rpm
81cb882870abf57921c96a66edf5185e
x86_64/2006.0/RPMS/xine-plugins-1.1.0-9.2.20060mdk.x86_64.rpm
74a37edf5d9b2cb28a2ce758904b113b
x86_64/2006.0/RPMS/xine-polyp-1.1.0-9.2.20060mdk.x86_64.rpm
f930bcfa573f7c250f54c48564e943e1
x86_64/2006.0/RPMS/xine-smb-1.1.0-9.2.20060mdk.x86_64.rpm
424b1913ecb7aa0f96b19c71500f65a3
x86_64/2006.0/SRPMS/xine-lib-1.1.0-9.2.20060mdk.src.rpm
Corporate 3.0:
eb66ad363e7225f165cdbd67f6e26065
corporate/3.0/RPMS/libxine1-1-0.rc3.6.7.C30mdk.i586.rpm
6c89df1070e6b26f35d75a48cb7405ad
corporate/3.0/RPMS/libxine1-devel-1-0.rc3.6.7.C30mdk.i586.rpm
6e583c278819c349670a5a305fff766c
corporate/3.0/RPMS/xine-aa-1-0.rc3.6.7.C30mdk.i586.rpm
e77f19f13166e42fd3df09fd9b9eba15
corporate/3.0/RPMS/xine-arts-1-0.rc3.6.7.C30mdk.i586.rpm
89d7298da642be02345cdf98d33daf00
corporate/3.0/RPMS/xine-dxr3-1-0.rc3.6.7.C30mdk.i586.rpm
1947fd6e09255382a3c797b81ba41200
corporate/3.0/RPMS/xine-esd-1-0.rc3.6.7.C30mdk.i586.rpm
c39de7583826f7987a96f392daaad4ea
corporate/3.0/RPMS/xine-flac-1-0.rc3.6.7.C30mdk.i586.rpm
9eb882a4d1925a5e75de338294d5fee3
corporate/3.0/RPMS/xine-gnomevfs-1-0.rc3.6.7.C30mdk.i586.rpm
be189966eee8bb042e3066c9d96f0b4f
corporate/3.0/RPMS/xine-plugins-1-0.rc3.6.7.C30mdk.i586.rpm
cf0248a3252c55af1e15b01efae50298
corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.7.C30mdk.src.rpm
Corporate 3.0/X86_64:
833c0e0f8468d4df40e300c0a72ac1cb
x86_64/corporate/3.0/RPMS/lib64xine1-1-0.rc3.6.7.C30mdk.x86_64.rpm
7a802e66ab344aa9b151679d669b0620
x86_64/corporate/3.0/RPMS/lib64xine1-devel-1-0.rc3.6.7.C30mdk.x86_64.rpm
18132113599b1330359a045d11410d5d
x86_64/corporate/3.0/RPMS/xine-arts-1-0.rc3.6.7.C30mdk.x86_64.rpm
94beaa6edc2fd1be6badef18d818dc0c
x86_64/corporate/3.0/RPMS/xine-plugins-1-0.rc3.6.7.C30mdk.x86_64.rpm
cf0248a3252c55af1e15b01efae50298
x86_64/corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.7.C30mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFDoIkfmqjQ0CJFipgRAsJPAJ90bC8k3OUmZ0/Ov+j4ART8b4W+9wCg6kdf
HQwPF/7Y6E3vpgrdYViCUEk=
=MIpp
-----END PGP SIGNATURE-----