Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2008.0331 -- [UNIX/Linux][Debian]
New libxine packages fix several vulnerabilities
1 April 2008
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: xine-lib
Publisher: Debian
Operating System: Debian GNU/Linux 4.0
Debian GNU/Linux 3.1
UNIX variants (UNIX, Linux, OSX)
Impact: Execute Arbitrary Code/Commands
Denial of Service
Access: Remote/Unauthenticated
CVE Names: CVE-2008-1161 CVE-2008-0486 CVE-2008-0073
CVE-2007-1387 CVE-2007-1246
Ref: ESB-2008.0153
ESB-2008.0114
Original Bulletin: http://www.debian.org/security/2008/dsa-1536
Comment: This advisory references vulnerabilities in products which run on
platforms other than Debian. It is recommended that administrators
running libxine check for an updated version of the software
for their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ------------------------------------------------------------------------
Debian Security Advisory DSA-1536-1 security@debian.org
http://www.debian.org/security/ Thijs Kinkhorst
March 31, 2008 http://www.debian.org/security/faq
- - ------------------------------------------------------------------------
Package : xine-lib
Vulnerability : several
Problem type : local (remote)
Debian-specific: no
CVE Id(s) : CVE-2007-1246 CVE-2007-1387 CVE-2008-0073 CVE-2008-0486
CVE-2008-1161
Debian Bug : 464696
Several local vulnerabilities have been discovered in Xine, a
media player library, allowed for a denial of service or arbitrary code
execution, which could be exploited through viewing malicious content.
The Common Vulnerabilities and Exposures project identifies the following
problems:
CVE-2007-1246 / CVE-2007-1387
The DMO_VideoDecoder_Open function does not set the biSize before use in a
memcpy, which allows user-assisted remote attackers to cause a buffer overflow
and possibly execute arbitrary code (applies to sarge only).
CVE-2008-0073
Array index error in the sdpplin_parse function allows remote RTSP servers
to execute arbitrary code via a large streamid SDP parameter.
CVE-2008-0486
Array index vulnerability in libmpdemux/demux_audio.c might allow remote
attackers to execute arbitrary code via a crafted FLAC tag, which triggers
a buffer overflow (applies to etch only).
CVE-2008-1161
Buffer overflow in the Matroska demuxer allows remote attackers to cause a
denial of service (crash) and possibly execute arbitrary code via a Matroska
file with invalid frame sizes.
For the stable distribution (etch), these problems have been fixed in version
1.1.2+dfsg-6.
For the old stable distribution (sarge), these problems have been fixed in
version 1.0.1-1sarge7.
For the unstable distribution (sid), these problems have been fixed in
version 1.1.11-1.
We recommend that you upgrade your xine-lib package.
Upgrade instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- - --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/x/xine-lib/xine-lib_1.0.1-1sarge7.diff.gz
Size/MD5 checksum: 7327 f025acfa0e41de184799393ea9a54e0a
http://security.debian.org/pool/updates/main/x/xine-lib/xine-lib_1.0.1.orig.tar.gz
Size/MD5 checksum: 7774954 9be804b337c6c3a2e202c5a7237cb0f8
http://security.debian.org/pool/updates/main/x/xine-lib/xine-lib_1.0.1-1sarge7.dsc
Size/MD5 checksum: 1400 e3390f1650e0a1744f1cf81ce2ac30b9
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.0.1-1sarge7_alpha.deb
Size/MD5 checksum: 109754 7b340023aa1b1c5bfe45b4b526a4fa6c
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.0.1-1sarge7_alpha.deb
Size/MD5 checksum: 4848602 31bb864f2c3dd19f0f7784ec0e2ff06d
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.0.1-1sarge7_amd64.deb
Size/MD5 checksum: 108232 b63b13967d16548548b69363a3a49f51
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.0.1-1sarge7_amd64.deb
Size/MD5 checksum: 3934420 08f952ab238388604ca889207f15cacf
arm architecture (ARM)
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.0.1-1sarge7_arm.deb
Size/MD5 checksum: 3909916 82a6de1aa1262bcd80fb73438442b5e6
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.0.1-1sarge7_arm.deb
Size/MD5 checksum: 109454 937b3a480028d81fd21717bd330c48a4
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.0.1-1sarge7_hppa.deb
Size/MD5 checksum: 3617652 0ab0c31bceb15b693eeab8a1be842d81
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.0.1-1sarge7_hppa.deb
Size/MD5 checksum: 109682 140b39b4f188c7b5d5762482a1487e91
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.0.1-1sarge7_i386.deb
Size/MD5 checksum: 107842 36c35bdbcdafb36c96052c67915d3e83
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.0.1-1sarge7_i386.deb
Size/MD5 checksum: 4206034 2f670ca7711c7621e92ce6ff47f89128
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.0.1-1sarge7_ia64.deb
Size/MD5 checksum: 108224 f5894b6e2a742713e305f0ae448f46b8
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.0.1-1sarge7_ia64.deb
Size/MD5 checksum: 5622238 e956948854e8333957a45679e3f1ca75
m68k architecture (Motorola Mc680x0)
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.0.1-1sarge7_m68k.deb
Size/MD5 checksum: 108336 60e727a36d3f5bb0c961240ebfc7504e
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.0.1-1sarge7_m68k.deb
Size/MD5 checksum: 3176142 feccde602d192b462c146f5731a13a0f
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.0.1-1sarge7_mips.deb
Size/MD5 checksum: 4091032 9f999ef7a57a9b0a860e06b146c5bf1a
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.0.1-1sarge7_mips.deb
Size/MD5 checksum: 110384 3fc17b89430ed3c84a3f144ed22b9fb0
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.0.1-1sarge7_mipsel.deb
Size/MD5 checksum: 4126650 bbeecc6ce5709f5e7d21ee198cae076e
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.0.1-1sarge7_mipsel.deb
Size/MD5 checksum: 108234 cddeda4e920f778b2549de5fdaf40c07
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.0.1-1sarge7_powerpc.deb
Size/MD5 checksum: 108250 3370e7a1e7efc80ef348cc265c5c35f3
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.0.1-1sarge7_powerpc.deb
Size/MD5 checksum: 4306536 f62ca73d63fccd4b49d3ac2fb23345ca
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.0.1-1sarge7_s390.deb
Size/MD5 checksum: 3881906 6fed320fac7a9d73ca2a6b8191967ec9
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.0.1-1sarge7_s390.deb
Size/MD5 checksum: 108210 eb7f718923695c69594fa768af371815
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.0.1-1sarge7_sparc.deb
Size/MD5 checksum: 108244 5f8edb59c5625822e314a65e1f606b34
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.0.1-1sarge7_sparc.deb
Size/MD5 checksum: 4361586 7e4fe726b38796ac92e72dccf3de263c
Debian GNU/Linux 4.0 alias etch
- - -------------------------------
Source archives:
http://security.debian.org/pool/updates/main/x/xine-lib/xine-lib_1.1.2+dfsg-6.dsc
Size/MD5 checksum: 1877 318b9a5c7e265ceecd379c1bf78cc59d
http://security.debian.org/pool/updates/main/x/xine-lib/xine-lib_1.1.2+dfsg.orig.tar.gz
Size/MD5 checksum: 6716994 ae6525a76280a6e1979c3f4f89fd00f3
http://security.debian.org/pool/updates/main/x/xine-lib/xine-lib_1.1.2+dfsg-6.diff.gz
Size/MD5 checksum: 23720 41569cc160815132939b2700db086b97
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-6_alpha.deb
Size/MD5 checksum: 3671136 121d4c4f366ead1efe2e51f442a01925
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-6_alpha.deb
Size/MD5 checksum: 3415068 c4c828f603c98ae9c196d62ae55fc067
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-6_alpha.deb
Size/MD5 checksum: 118364 fd21e7568f52042d7b5fa90bedb86175
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-6_amd64.deb
Size/MD5 checksum: 117242 ba9ab3b1f580ee330b4648a6e19189bc
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-6_amd64.deb
Size/MD5 checksum: 3659052 c4d7e60c377627b0ab13e9d6a3a104c7
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-6_amd64.deb
Size/MD5 checksum: 3048320 7f2b4fc1c76ff16a0b2ec9c568c56dd0
arm architecture (ARM)
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-6_arm.deb
Size/MD5 checksum: 2668018 7cf2fd0b431bdf32d3daed3b02144cdf
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-6_arm.deb
Size/MD5 checksum: 118582 87e83a8ed3872efca0f6c3c95ba0050b
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-6_arm.deb
Size/MD5 checksum: 2958562 b16adcf345bd2dbc0f8c3ac21b7d6e3b
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-6_hppa.deb
Size/MD5 checksum: 2693766 0cfdb3fa5d216045eedde26f1412b3a6
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-6_hppa.deb
Size/MD5 checksum: 3219780 d38636b531e0e0396452f45a14e554c2
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-6_hppa.deb
Size/MD5 checksum: 119608 2b8a9ebea2a5037a666f8f2e086dbf17
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-6_i386.deb
Size/MD5 checksum: 3966468 68d095257a9674e8a27fc6a148cc6d5d
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-6_i386.deb
Size/MD5 checksum: 3349368 2381a282eb893d3e76eef69cc84479eb
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-6_i386.deb
Size/MD5 checksum: 117232 66690a0765f0093dff0526b85faf0322
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-6_ia64.deb
Size/MD5 checksum: 3764630 d132f9ef4697f2c1a79054ced0309a7f
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-6_ia64.deb
Size/MD5 checksum: 117166 852e09242638daad38bbbc3ae239c9a8
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-6_ia64.deb
Size/MD5 checksum: 2684364 35d53a480f2d70eb171009873fbc490e
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-6_mips.deb
Size/MD5 checksum: 119198 54129191862d2b613901399fedad7ade
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-6_mips.deb
Size/MD5 checksum: 3035424 2c7d9278440527980b2c8b4e07b4c961
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-6_mips.deb
Size/MD5 checksum: 2844004 430a6d794aee0cce2f807329166f8a9a
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-6_mipsel.deb
Size/MD5 checksum: 117194 af4c9978178f97bafd92b66d48ab4427
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-6_mipsel.deb
Size/MD5 checksum: 3016652 5c2d3287ca0b782d5f14fa38fe9fea6f
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-6_mipsel.deb
Size/MD5 checksum: 2788460 032171f0e18822b961d4f8b8350c82f9
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-6_powerpc.deb
Size/MD5 checksum: 3209288 c144f257184eab9fb24326bd2216a87e
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-6_powerpc.deb
Size/MD5 checksum: 117204 0f6c2509636f5b94f9e0859a9d588dc2
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-6_powerpc.deb
Size/MD5 checksum: 3719086 4cec9416f1f449abfdf874bcc9e9ef57
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-6_s390.deb
Size/MD5 checksum: 2718672 dcfb54adcaf89425c83c3a32799d06dd
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-6_s390.deb
Size/MD5 checksum: 117170 405f873efab3ae50acd27eb3802c6fa8
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-6_s390.deb
Size/MD5 checksum: 3171836 486dfcf6a50e8562cc36163ae9a6ae7d
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1-dbg_1.1.2+dfsg-6_sparc.deb
Size/MD5 checksum: 3368898 e7a09bb2b060da52f9d5a51479186748
http://security.debian.org/pool/updates/main/x/xine-lib/libxine1_1.1.2+dfsg-6_sparc.deb
Size/MD5 checksum: 3024748 be3f7a4b8fa8da203c4b72bfb0830e22
http://security.debian.org/pool/updates/main/x/xine-lib/libxine-dev_1.1.2+dfsg-6_sparc.deb
Size/MD5 checksum: 117202 fb2c1a027f3cb3eeaf76cd0a6cfb74e6
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBR/FOPGz0hbPcukPfAQK/lgf+JxF7qakE5AyWuqYnuZPFh20jS9Gy6GHf
x3KOpQOU/be86fkfaPqD7qvc4MFg7X4kHu3WzADW82Vc2etJZHCdva+NJbKWMr13
6kW40+Zqe16JAdXdJAqnkuWD6zWbC/8L2iBXtl6ERfMLH9B/tesD8wmuJ/L5HwZo
vqb4LmMGZxDIuzsx70pgRFjlPhsGrISkF8xNeLmXGFXVjMu53cKWoG/44cf5gI8F
wCHXLDOa418hNww7oLrzKcmGFh7iIbj9uAWs4t94kEcCZ+003QfziwSxfd1sqRwk
SNQ9iTkNW8z94406CycLStNzRzb2pOZQoARa3yqz174ym9nn+iBeCw==
=u9pL
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBR/F86yh9+71yA2DNAQIEggP+OsmaURkyr+rbSLF3h6TsynMMBZ15NOa/
9kyZbdRmyMK1kTE9ZdF8VM4y/xy+eI68fdB0d8S2nJifROlpG4TWQ59WvKWwhCfv
9prnlYIGv4kxeWgmKA2/+bkYzuHJpPGvY8bkZwzcw/9VzZvyZF7+PN1L8hjQZVFD
hghZep2Zo30=
=P0GL
-----END PGP SIGNATURE-----