CVE Request -- amarok

[Jan Lieskovsky <jlieskov () redhat com>]

Hello Steve,

  multiple integer overflows (leading to heap-based overflows)
and unchecked allocation vulnerabilities has been reported
against Amarok multimedia player whep parsing malformed
Audible digital audio files. Upstream has fixed
these in latest 2.0.1.l release.

References:
http://www.trapkit.de/advisories/TKADV2009-002.txt
http://amarok.kde.org/en/releases/2.0.1.1   (Fix possible buffer overflows when parsing Audible .aa files.)
https://bugzilla.redhat.com/show_bug.cgi?id=479946
http://bugs.gentoo.org/show_bug.cgi?id=254896

Proposed solution: Upgrade to latest upstream version 2.0.1.1

Affected Amarok version: amarok-1.4.10-1.fc9 <= x < latest upstream 2.0.1.1 release

Attaching also diff for audibletag.cpp file between latest F10 (amarok-2.0-2.fc10)
and latest upstream 2.0.1.1 release (see attachment).

Could you please allocate a new 2009 CVE id for it?

Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Attachment: _bin
Description: