vlc: CVE-2008-0073 code execution via crafted rtsp stream

Related Vulnerabilities: CVE-2008-0073   CVE-2008-1489   CVE-2008-1878   CVE-2008-1686  

Debian Bug report logs - #473057

Reported by: Nico Golde <nion@debian.org>

Date: Fri, 28 Mar 2008 01:18:01 UTC

Severity: grave

Tags: patch, security

Fixed in versions vlc/0.8.6.e-2, vlc/0.8.6.c-6+lenny3, xine-lib/1.1.10.1-2+lenny2

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#473057; Package vlc.


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: vlc: CVE-2008-0073 code execution via crafted rtsp stream
Date: Fri, 28 Mar 2008 02:08:43 +0100
Package: vlc
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for vlc.

CVE-2008-0073[0]:
| Array index error in the sdpplin_parse function in
| input/libreal/sdpplin.c in xine-lib 1.1.10.1 allows remote RTSP
| servers to execute arbitrary code via a large streamid SDP parameter.

It turned out that vlc is also using that code in
modules/access/rtsp/real_sdpplin.c

Find a patch for the above issue on:
http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=12cb075fba8ea09813fc35e0c731d2a64265b637;style=raw

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0073

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
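
The bug class named in the CVE text above, a server-supplied streamid used as an array index, is closed by checking the index against the allocated table before the write. The C sketch below is an added illustration, not the xine-lib or VLC source and not the referenced patch; the field prefixes, MAX_STREAMS and all function names are assumptions made for the example, and the SDP samples are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STREAMS 32                    /* hypothetical sanity cap */
#define K_COUNT "a=StreamCount:integer;"  /* simplified field names (assumed) */
#define K_ID    "a=control:streamid="

struct sdp_desc {
    size_t stream_count;  /* slots allocated in stream[] */
    int   *stream;        /* stream[i] is 1 once stream i has been described */
};

/* Strict decimal parse of s[0..len): digits only, no sign, no overflow. */
static int parse_uint(const char *s, size_t len, unsigned long *out)
{
    char buf[24], *end;
    if (len == 0 || len >= sizeof buf || s[0] < '0' || s[0] > '9')
        return -1;
    memcpy(buf, s, len);
    buf[len] = '\0';
    errno = 0;
    *out = strtoul(buf, &end, 10);
    return (errno == ERANGE || *end != '\0') ? -1 : 0;
}

/* Returns the number of streams registered, or -1 if the SDP is rejected. */
int sdp_parse_checked(const char *sdp, struct sdp_desc *d)
{
    const size_t nc = strlen(K_COUNT), ni = strlen(K_ID);
    int registered = 0;
    *d = (struct sdp_desc){0, NULL};
    for (const char *line = sdp; *line; ) {
        size_t len = strcspn(line, "\r\n");
        unsigned long v;
        if (len > nc && strncmp(line, K_COUNT, nc) == 0) {
            /* One count line only, and the count itself is bounded. */
            if (d->stream || parse_uint(line + nc, len - nc, &v) ||
                v == 0 || v > MAX_STREAMS)
                goto reject;
            d->stream = calloc(v, sizeof *d->stream);
            if (!d->stream) goto reject;
            d->stream_count = v;
        } else if (len > ni && strncmp(line, K_ID, ni) == 0) {
            if (parse_uint(line + ni, len - ni, &v)) goto reject;
            /* The index comes from the server: it must name an allocated,
               not yet used slot before it is used to write into stream[]. */
            if (!d->stream || v >= d->stream_count || d->stream[v])
                goto reject;
            d->stream[v] = 1;
            registered++;
        }
        line += len + strspn(line + len, "\r\n");
    }
    return registered;
reject:
    free(d->stream);
    *d = (struct sdp_desc){0, NULL};
    return -1;
}

/* Convenience wrapper: parse, release the table, return the verdict. */
int sdp_check(const char *sdp)
{
    struct sdp_desc d;
    int rc = sdp_parse_checked(sdp, &d);
    free(d.stream);
    return rc;
}

int main(void)
{
    /* Constructed samples, not captured traffic. */
    const char *ok  = "a=StreamCount:integer;2\r\na=control:streamid=0\r\n"
                      "a=control:streamid=1\r\n";
    const char *bad = "a=StreamCount:integer;2\r\na=control:streamid=65536\r\n";
    printf("ok=%d bad=%d\n", sdp_check(ok), sdp_check(bad));
    return 0;
}
```

The boundary case worth testing after applying any fix of this kind is a streamid equal to the declared stream count, which must be rejected just like a very large value.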

Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#473057; Package vlc.


Acknowledgement sent to Christophe Mutricy <xtophe@chewa.net>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>.


Message #10 received at 473057@bugs.debian.org:

From: Christophe Mutricy <xtophe@chewa.net>
To: Nico Golde <nion@debian.org>, 473057@bugs.debian.org
Subject: Re: Bug#473057: vlc: CVE-2008-0073 code execution via crafted rtsp stream
Date: Fri, 28 Mar 2008 17:30:13 +0100
Fixed upstream in
http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=8c838a6fe5f3bdb4af4f5f73d7ac0206ea92e029



> the following CVE (Common Vulnerabilities & Exposures) id was
> published for vlc.
> 
> CVE-2008-0073[0]:
> | Array index error in the sdpplin_parse function in
> | input/libreal/sdpplin.c in xine-lib 1.1.10.1 allows remote RTSP
> | servers to execute arbitrary code via a large streamid SDP parameter.
> 
> It turned out that vlc is also using that code in
> modules/access/rtsp/real_sdpplin.c

-- 
Xtophe




Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#473057; Package vlc.


Acknowledgement sent to Loic Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>.


Message #15 received at 473057@bugs.debian.org:

From: Loic Minier <lool@dooz.org>
To: control@bugs.debian.org
Cc: 473057@bugs.debian.org
Subject: setting package to vlc-plugin-jack libvlc0-dev wxvlc mozilla-plugin-vlc vlc vlc-plugin-esd libvlc0 vlc-plugin-arts vlc-plugin-ggi vlc-plugin-sdl vlc-plugin-svgalib vlc-nox vlc-plugin-alsa vlc-plugin-glide ...
Date: Sat, 29 Mar 2008 22:21:54 +0100
# Automatically generated email from bts, devscripts version 2.10.20
#
# vlc (0.8.6.e-2) unstable; urgency=high
#
#  * New patch taken from upstream to fix an arbitrary code execution.
#    CVE-2008-0073 (Closes: #473057)
#

package vlc-plugin-jack libvlc0-dev wxvlc mozilla-plugin-vlc vlc vlc-plugin-esd libvlc0 vlc-plugin-arts vlc-plugin-ggi vlc-plugin-sdl vlc-plugin-svgalib vlc-nox vlc-plugin-alsa vlc-plugin-glide
tags 473057 + pending





Tags added: pending Request was from Loic Minier <lool@dooz.org> to control@bugs.debian.org. (Sat, 29 Mar 2008 21:24:07 GMT).


Reply sent to Christophe Mutricy <xtophe@videolan.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #22 received at 473057-close@bugs.debian.org:

From: Christophe Mutricy <xtophe@videolan.org>
To: 473057-close@bugs.debian.org
Subject: Bug#473057: fixed in vlc 0.8.6.e-2
Date: Sat, 29 Mar 2008 21:32:20 +0000
Source: vlc
Source-Version: 0.8.6.e-2

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6.e-2_i386.deb
  to pool/main/v/vlc/libvlc0-dev_0.8.6.e-2_i386.deb
libvlc0_0.8.6.e-2_i386.deb
  to pool/main/v/vlc/libvlc0_0.8.6.e-2_i386.deb
mozilla-plugin-vlc_0.8.6.e-2_i386.deb
  to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.e-2_i386.deb
vlc-nox_0.8.6.e-2_i386.deb
  to pool/main/v/vlc/vlc-nox_0.8.6.e-2_i386.deb
vlc-plugin-alsa_0.8.6.e-2_all.deb
  to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.e-2_all.deb
vlc-plugin-arts_0.8.6.e-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.8.6.e-2_i386.deb
vlc-plugin-esd_0.8.6.e-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.8.6.e-2_i386.deb
vlc-plugin-ggi_0.8.6.e-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.e-2_i386.deb
vlc-plugin-glide_0.8.6.e-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-glide_0.8.6.e-2_i386.deb
vlc-plugin-jack_0.8.6.e-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-jack_0.8.6.e-2_i386.deb
vlc-plugin-sdl_0.8.6.e-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.e-2_i386.deb
vlc-plugin-svgalib_0.8.6.e-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.e-2_i386.deb
vlc_0.8.6.e-2.diff.gz
  to pool/main/v/vlc/vlc_0.8.6.e-2.diff.gz
vlc_0.8.6.e-2.dsc
  to pool/main/v/vlc/vlc_0.8.6.e-2.dsc
vlc_0.8.6.e-2_i386.deb
  to pool/main/v/vlc/vlc_0.8.6.e-2_i386.deb
wxvlc_0.8.6.e-2_all.deb
  to pool/main/v/vlc/wxvlc_0.8.6.e-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 473057@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christophe Mutricy <xtophe@videolan.org> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sat, 29 Mar 2008 15:04:28 +0000
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-alsa vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts mozilla-plugin-vlc vlc-plugin-svgalib wxvlc vlc-plugin-jack
Architecture: source all i386
Version: 0.8.6.e-2
Distribution: unstable
Urgency: high
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Christophe Mutricy <xtophe@videolan.org>
Description: 
 libvlc0    - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc        - multimedia player and streamer
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-alsa - dummy transitional package
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-glide - Glide video output plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svgalib - SVGAlib video output plugin for VLC
 wxvlc      - dummy transitional package
Closes: 473057
Changes: 
 vlc (0.8.6.e-2) unstable; urgency=high
 .
   [ Christophe Mutricy ]
   * Acknowledge NMU by Nico Golde. Thanks
   * New patch taken from upstream to fix an arbitrary code execution.
     CVE-2008-0073 (Closes: #473057)
   * New patch to fix FTBS in MKV module
 .
   [ Loic Minier ]
   * Mention CVE id in 0.8.6.e-1.1.





Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #27 received at 473057-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 473057-close@bugs.debian.org
Subject: Bug#473057: fixed in vlc 0.8.6.c-6+lenny3
Date: Mon, 31 Mar 2008 09:03:25 +0000
Source: vlc
Source-Version: 0.8.6.c-6+lenny3

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/libvlc0-dev_0.8.6.c-6+lenny3_amd64.deb
libvlc0_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/libvlc0_0.8.6.c-6+lenny3_amd64.deb
mozilla-plugin-vlc_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.c-6+lenny3_amd64.deb
vlc-nox_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/vlc-nox_0.8.6.c-6+lenny3_amd64.deb
vlc-plugin-alsa_0.8.6.c-6+lenny3_all.deb
  to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.c-6+lenny3_all.deb
vlc-plugin-arts_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.8.6.c-6+lenny3_amd64.deb
vlc-plugin-esd_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.8.6.c-6+lenny3_amd64.deb
vlc-plugin-ggi_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.c-6+lenny3_amd64.deb
vlc-plugin-jack_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/vlc-plugin-jack_0.8.6.c-6+lenny3_amd64.deb
vlc-plugin-sdl_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.c-6+lenny3_amd64.deb
vlc-plugin-svgalib_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.c-6+lenny3_amd64.deb
vlc_0.8.6.c-6+lenny3.diff.gz
  to pool/main/v/vlc/vlc_0.8.6.c-6+lenny3.diff.gz
vlc_0.8.6.c-6+lenny3.dsc
  to pool/main/v/vlc/vlc_0.8.6.c-6+lenny3.dsc
vlc_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/vlc_0.8.6.c-6+lenny3_amd64.deb
wxvlc_0.8.6.c-6+lenny3_all.deb
  to pool/main/v/vlc/wxvlc_0.8.6.c-6+lenny3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 473057@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Fri, 28 Mar 2008 13:51:48 +0100
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-alsa vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts mozilla-plugin-vlc vlc-plugin-svgalib wxvlc vlc-plugin-jack
Architecture: source all amd64
Version: 0.8.6.c-6+lenny3
Distribution: testing-security
Urgency: high
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 libvlc0    - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc        - multimedia player and streamer
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-alsa - dummy transitional package
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svgalib - SVGAlib video output plugin for VLC
 wxvlc      - dummy transitional package
Closes: 472635 473057
Changes: 
 vlc (0.8.6.c-6+lenny3) testing-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * This update addresses the following security issues:
     - CVE-2008-1489: an integer overflow in the MP4_ReadBox_rdrf function that
       can be triggered via crafted atom size values could possibly lead to
       arbitrary code execution (Closes: #472635).
     - CVE-2008-0073: possible code execution via a crafted rtsp stream with
       a large streamid SDP parameter (Closes: #473057).





Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #32 received at 473057-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 473057-close@bugs.debian.org
Subject: Bug#473057: fixed in xine-lib 1.1.10.1-2+lenny2
Date: Tue, 06 May 2008 21:02:09 +0000
Source: xine-lib
Source-Version: 1.1.10.1-2+lenny2

We believe that the bug you reported is fixed in the latest version of
xine-lib, which is due to be installed in the Debian FTP archive:

libxine-dev_1.1.10.1-2+lenny2_amd64.deb
  to pool/main/x/xine-lib/libxine-dev_1.1.10.1-2+lenny2_amd64.deb
libxine1-all-plugins_1.1.10.1-2+lenny2_all.deb
  to pool/main/x/xine-lib/libxine1-all-plugins_1.1.10.1-2+lenny2_all.deb
libxine1-bin_1.1.10.1-2+lenny2_amd64.deb
  to pool/main/x/xine-lib/libxine1-bin_1.1.10.1-2+lenny2_amd64.deb
libxine1-console_1.1.10.1-2+lenny2_amd64.deb
  to pool/main/x/xine-lib/libxine1-console_1.1.10.1-2+lenny2_amd64.deb
libxine1-dbg_1.1.10.1-2+lenny2_amd64.deb
  to pool/main/x/xine-lib/libxine1-dbg_1.1.10.1-2+lenny2_amd64.deb
libxine1-doc_1.1.10.1-2+lenny2_all.deb
  to pool/main/x/xine-lib/libxine1-doc_1.1.10.1-2+lenny2_all.deb
libxine1-ffmpeg_1.1.10.1-2+lenny2_amd64.deb
  to pool/main/x/xine-lib/libxine1-ffmpeg_1.1.10.1-2+lenny2_amd64.deb
libxine1-gnome_1.1.10.1-2+lenny2_amd64.deb
  to pool/main/x/xine-lib/libxine1-gnome_1.1.10.1-2+lenny2_amd64.deb
libxine1-misc-plugins_1.1.10.1-2+lenny2_amd64.deb
  to pool/main/x/xine-lib/libxine1-misc-plugins_1.1.10.1-2+lenny2_amd64.deb
libxine1-plugins_1.1.10.1-2+lenny2_all.deb
  to pool/main/x/xine-lib/libxine1-plugins_1.1.10.1-2+lenny2_all.deb
libxine1-x_1.1.10.1-2+lenny2_amd64.deb
  to pool/main/x/xine-lib/libxine1-x_1.1.10.1-2+lenny2_amd64.deb
libxine1_1.1.10.1-2+lenny2_amd64.deb
  to pool/main/x/xine-lib/libxine1_1.1.10.1-2+lenny2_amd64.deb
xine-lib_1.1.10.1-2+lenny2.diff.gz
  to pool/main/x/xine-lib/xine-lib_1.1.10.1-2+lenny2.diff.gz
xine-lib_1.1.10.1-2+lenny2.dsc
  to pool/main/x/xine-lib/xine-lib_1.1.10.1-2+lenny2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 473057@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated xine-lib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 04 May 2008 13:20:43 +0200
Source: xine-lib
Binary: libxine1-doc libxine1 libxine1-bin libxine-dev libxine1-ffmpeg libxine1-gnome libxine1-console libxine1-x libxine1-misc-plugins libxine1-dbg libxine1-plugins libxine1-all-plugins
Architecture: source all amd64
Version: 1.1.10.1-2+lenny2
Distribution: testing-security
Urgency: high
Maintainer: Reinhard Tartler <siretart@tauware.de>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 libxine-dev - the xine video player library, development packages
 libxine1   - the xine video/media player library, meta-package
 libxine1-all-plugins - the xine video/media player library, meta package
 libxine1-bin - the xine video/media player library, binary files
 libxine1-console - libaa/libcaca/framebuffer/directfb related plugins for libxine1
 libxine1-dbg - debug symbols for libxine1
 libxine1-doc - the xine video player library, documentation files
 libxine1-ffmpeg - MPEG-related plugins for libxine1
 libxine1-gnome - GNOME-related plugins for libxine1
 libxine1-misc-plugins - Input, audio output and post plugins for libxine1
 libxine1-plugins - the xine video/media player library, meta package
 libxine1-x - X desktop video output plugins for libxine1
Closes: 473057 475152 476990
Changes: 
 xine-lib (1.1.10.1-2+lenny2) testing-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * This update addresses the following security issues:
     - CVE-2008-1878: stack-based buffer overflow in nsf demuxer that
       allows execution of arbitrary code via a crafted title (Closes: #476990)
     - CVE-2008-1686: insufficient boundary checking on a header structure that
       is read from user input could lead to arbitrary code to arbitrary
       code execution via negative values (Closes: #475152).
     - CVE-2008-0073: stack-based buffer overflow in subtitle parsing could
       lead to arbitrary code execution via a crafted subtitle
       file (Closes: #473057).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 20 Jun 2008 07:35:25 GMT).

