Full Disclosure mailing list archives
[ GLSA 200604-16 ] xine-lib: Buffer overflow vulnerability
From: Sune Kloppenborg Jeppesen <jaervosz () gentoo org>
Date: Wed, 26 Apr 2006 19:01:51 +0200
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200604-16 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: xine-lib: Buffer overflow vulnerability Date: April 26, 2006 Bugs: #128838 ID: 200604-16 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== xine-lib contains a buffer overflow vulnerability which may lead to the execution of arbitrary code. Background ========== xine-lib is the xine core engine. xine is a free multimedia player. It plays CDs, DVDs, and VCDs, and can also decode other common multimedia formats. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 xine-lib < 1.1.2_pre20060328-r1 >= 1.1.2_pre20060328-r1 Description =========== Federico L. Bossi Bonin discovered that when handling MPEG streams xine-lib fails to make a proper boundary check of the input data supplied by the user before copying it to an insufficiently sized memory buffer. Impact ====== A remote attacker could entice a user to play a specially-crafted MPEG file, resulting in the execution of arbitrary code with the permissions of the user running the application. Workaround ========== There is no known workaround at this time. Resolution ========== All xine-lib users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.2_pre20060328-r1" References ========== [ 1 ] CVE-2006-1664 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1664 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200604-16.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security () gentoo org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.0
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [ GLSA 200604-16 ] xine-lib: Buffer overflow vulnerability Sune Kloppenborg Jeppesen (Apr 26)