Debian Bug report logs -
#517792
CVE-2009-0698: integer overflow
Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>
Date: Mon, 2 Mar 2009 02:30:02 UTC
Severity: grave
Tags: patch, pending, security
Found in version 1.1.14-1
Fixed in version 1.1.16.3-1
Done: Darren Salt <linux@youmustbejoking.demon.co.uk>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Reinhard Tartler <siretart@tauware.de>:
Bug#517792; Package xine-lib.
(Mon, 02 Mar 2009 02:30:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Reinhard Tartler <siretart@tauware.de>.
(Mon, 02 Mar 2009 02:30:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: xine-lib
Severity: grave
Tags: security, patch
Justification: user security hole
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for xine-lib.
CVE-2009-0698[0]:
| Integer overflow in the 4xm demuxer (demuxers/demux_4xm.c) in xine-lib
| 1.1.16.1 allows remote attackers to cause a denial of service (crash)
| and possibly execute arbitrary code via a 4X movie file with a large
| current_track value, a similar issue to CVE-2009-0385.
The upstream bug is here[1]. I guess this should be fixed in stable as
well, do you concur? Also it would be nice to get a security round for
oldstable-security, as there are quite a few open xine-lib issues.
Do you concur?
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0698
http://security-tracker.debian.net/tracker/CVE-2009-0698
[1] http://bugs.xine-project.org/show_bug.cgi?id=205
[2] http://security-tracker.debian.net/tracker/status/release/oldstable
Reply sent
to Darren Salt <linux@youmustbejoking.demon.co.uk>:
You have taken responsibility.
(Tue, 07 Apr 2009 21:57:37 GMT) (full text, mbox, link).
Notification sent
to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer.
(Tue, 07 Apr 2009 21:57:38 GMT) (full text, mbox, link).
Message #10 received at 517792-close@bugs.debian.org (full text, mbox, reply):
Source: xine-lib
Source-Version: 1.1.16.3-1
We believe that the bug you reported is fixed in the latest version of
xine-lib, which is due to be installed in the Debian FTP archive:
libxine-dev_1.1.16.3-1_amd64.deb
to pool/main/x/xine-lib/libxine-dev_1.1.16.3-1_amd64.deb
libxine1-all-plugins_1.1.16.3-1_all.deb
to pool/main/x/xine-lib/libxine1-all-plugins_1.1.16.3-1_all.deb
libxine1-bin_1.1.16.3-1_amd64.deb
to pool/main/x/xine-lib/libxine1-bin_1.1.16.3-1_amd64.deb
libxine1-console_1.1.16.3-1_amd64.deb
to pool/main/x/xine-lib/libxine1-console_1.1.16.3-1_amd64.deb
libxine1-dbg_1.1.16.3-1_amd64.deb
to pool/main/x/xine-lib/libxine1-dbg_1.1.16.3-1_amd64.deb
libxine1-doc_1.1.16.3-1_all.deb
to pool/main/x/xine-lib/libxine1-doc_1.1.16.3-1_all.deb
libxine1-ffmpeg_1.1.16.3-1_amd64.deb
to pool/main/x/xine-lib/libxine1-ffmpeg_1.1.16.3-1_amd64.deb
libxine1-gnome_1.1.16.3-1_amd64.deb
to pool/main/x/xine-lib/libxine1-gnome_1.1.16.3-1_amd64.deb
libxine1-misc-plugins_1.1.16.3-1_amd64.deb
to pool/main/x/xine-lib/libxine1-misc-plugins_1.1.16.3-1_amd64.deb
libxine1-plugins_1.1.16.3-1_all.deb
to pool/main/x/xine-lib/libxine1-plugins_1.1.16.3-1_all.deb
libxine1-x_1.1.16.3-1_amd64.deb
to pool/main/x/xine-lib/libxine1-x_1.1.16.3-1_amd64.deb
libxine1_1.1.16.3-1_amd64.deb
to pool/main/x/xine-lib/libxine1_1.1.16.3-1_amd64.deb
xine-lib_1.1.16.3-1.diff.gz
to pool/main/x/xine-lib/xine-lib_1.1.16.3-1.diff.gz
xine-lib_1.1.16.3-1.dsc
to pool/main/x/xine-lib/xine-lib_1.1.16.3-1.dsc
xine-lib_1.1.16.3.orig.tar.gz
to pool/main/x/xine-lib/xine-lib_1.1.16.3.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 517792@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Darren Salt <linux@youmustbejoking.demon.co.uk> (supplier of updated xine-lib package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 05 Apr 2009 00:14:11 +0100
Source: xine-lib
Binary: libxine1-doc libxine1 libxine1-bin libxine-dev libxine1-ffmpeg libxine1-gnome libxine1-console libxine1-x libxine1-misc-plugins libxine1-dbg libxine1-plugins libxine1-all-plugins
Architecture: source all amd64
Version: 1.1.16.3-1
Distribution: unstable
Urgency: low
Maintainer: linux@youmustbejoking.demon.co.uk
Changed-By: Darren Salt <linux@youmustbejoking.demon.co.uk>
Description:
libxine-dev - the xine video player library, development packages
libxine1 - the xine video/media player library, meta-package
libxine1-all-plugins - the xine video/media player library, meta package
libxine1-bin - the xine video/media player library, binary files
libxine1-console - libaa/libcaca/framebuffer/directfb related plugins for libxine1
libxine1-dbg - debug symbols for libxine1
libxine1-doc - the xine video player library, documentation files
libxine1-ffmpeg - MPEG-related plugins for libxine1
libxine1-gnome - GNOME-related plugins for libxine1
libxine1-misc-plugins - Input, audio output and post plugins for libxine1
libxine1-plugins - the xine video/media player library, meta package
libxine1-x - X desktop video output plugins for libxine1
Closes: 517792 521269
Changes:
xine-lib (1.1.16.3-1) unstable; urgency=low
.
* New upstream release.
- Fix another possible int overflow in the 4XM demuxer.
(ref. TKADV2009-004, CVE-2009-0698) (Closes: #517792)
- Fix an integer overflow in the Quicktime demuxer.
- Fix audio/video desynchronisation issues. (Closes: #521269)
.
* Post-release patches from upstream:
- Correct invalid MIME info in the MOD demuxer.
- Fix a resource leak in libdvdnav.
.
* Update the home page link in debian/control.
xinehq.de is missing presumed 410, and we now have www.xine-project.org.
* Update debian/copyright.
The authors list is probably not complete, and is certainly not wrt
AUTHORS, but the removed entries are relevant only to front ends.
* Update copyright information somewhat.
[WIP.]
* Sync Section information with the archive – mostly. libxine1-console
belongs in section "libs" since, like libxine1-x, it's required by some
front ends; and libxine1-bin belongs there too, as it's required by other
libxine1* packages.
* Add dh_xine, for use when building front ends.
Checksums-Sha1:
06d07d3259bb5fb26edd5aa43cb3b43e8eea3e13 2238 xine-lib_1.1.16.3-1.dsc
29f52364bda823e6e69f99427abdb87b8218d068 9166524 xine-lib_1.1.16.3.orig.tar.gz
ce301378d420201a13949c96fca9cf4b587b66cb 35936 xine-lib_1.1.16.3-1.diff.gz
ab920028ee5986e84995b3413041942fac5665d9 147904 libxine1-doc_1.1.16.3-1_all.deb
774f82f6c925508370aaa2d0cad44b4c59815c8a 60500 libxine1-plugins_1.1.16.3-1_all.deb
1569575296d2bca5e9d17beb146272e69cb59f62 60492 libxine1-all-plugins_1.1.16.3-1_all.deb
5d67431fd61d3a84f349320b3d0767356556bb56 1308 libxine1_1.1.16.3-1_amd64.deb
7fc631e10258742f875940e13e6411ff92f00a77 1551552 libxine1-bin_1.1.16.3-1_amd64.deb
770e9be8d32856f05a3d2b1131e41d222cdfcd30 324376 libxine-dev_1.1.16.3-1_amd64.deb
5ff3fd51a10344acd840fa8da452be69dd21b6ed 236526 libxine1-ffmpeg_1.1.16.3-1_amd64.deb
d4b2c11743f1debbfd5f6454fcc96ac21e3a2838 14954 libxine1-gnome_1.1.16.3-1_amd64.deb
8ffe120ccb1840d77391099ae18efe491877f6dd 44666 libxine1-console_1.1.16.3-1_amd64.deb
954dd098d7ad1e36e24257bc21981a36f0fbec8e 154104 libxine1-x_1.1.16.3-1_amd64.deb
1c1156ce70fbfea6c2d37cc4a17e5c19ecac5792 853670 libxine1-misc-plugins_1.1.16.3-1_amd64.deb
0ea551388f524f668806adf5b643274e1c1ff802 3302696 libxine1-dbg_1.1.16.3-1_amd64.deb
Checksums-Sha256:
35810a6cee6d6cdc4c4161858bf8eba7d5885e007aa600f274bcea30b7fcf597 2238 xine-lib_1.1.16.3-1.dsc
45292d47564de680fff93bd86d8efbbb9c790d178fb862da2694435502bf21de 9166524 xine-lib_1.1.16.3.orig.tar.gz
8a8a9c9197f73969ed214ce3bfd05093ff1fbeb33cd8c899c27377c5a6109ac3 35936 xine-lib_1.1.16.3-1.diff.gz
54a14a3dd4cc6197cb5533ca37f39874f43e5c1632aa36f94f263385dc3fc040 147904 libxine1-doc_1.1.16.3-1_all.deb
62d41569c9c2aeb86cd6580bc02a617056b56e7351b559142c2c98ce9be127d8 60500 libxine1-plugins_1.1.16.3-1_all.deb
9ae8b5cad70388b49c7b2180d9546e69be7143f32af571b839d5f51e5efe6d9f 60492 libxine1-all-plugins_1.1.16.3-1_all.deb
4908d9c03b31868bad9e9a6999a0eaab5cf2064508cc9f8dc3b1768c3175befb 1308 libxine1_1.1.16.3-1_amd64.deb
c99134d3cb08dba1195445935cb277c9061c844693bbc81da210380c31a80586 1551552 libxine1-bin_1.1.16.3-1_amd64.deb
453df3f553c808cf0a83ad6fa0d13a2e1286d3f54dd06ea60726d37eccddc3de 324376 libxine-dev_1.1.16.3-1_amd64.deb
a14a853c8e838290c5f959c0db43010ca4b5c306cf876a2fe086f571896fce19 236526 libxine1-ffmpeg_1.1.16.3-1_amd64.deb
d684047b42e22b978a6c4f4c725ed5b2f7c2655615e14e6c12b39b71e8eb4abe 14954 libxine1-gnome_1.1.16.3-1_amd64.deb
64a377247d55b2d50f1694a8b31d02981157a0b426c3326642aa69cd7fb9af4f 44666 libxine1-console_1.1.16.3-1_amd64.deb
20c8a07847518cd4face3693b10822adb5987e0e31b07d182efc5a844c1fe7b8 154104 libxine1-x_1.1.16.3-1_amd64.deb
da22101626e8cc8368dc0845237522cc943f5f7edfc9ee2ae42a24182339d792 853670 libxine1-misc-plugins_1.1.16.3-1_amd64.deb
528863a55f4cffe0a4e2c03344802506f1aba30ea882a036a9f22ea54fc02649 3302696 libxine1-dbg_1.1.16.3-1_amd64.deb
Files:
275781ff8062979971fb1bb6cd4f9420 2238 libs optional xine-lib_1.1.16.3-1.dsc
654776b2f9fab002fb632aa22f8645cb 9166524 libs optional xine-lib_1.1.16.3.orig.tar.gz
f9f496043b69c7297eebe78697b92228 35936 libs optional xine-lib_1.1.16.3-1.diff.gz
a1584556820bed5d08134dbb150adcad 147904 doc optional libxine1-doc_1.1.16.3-1_all.deb
9ea08c24533ba53dbf342449fc7e2aa3 60500 libs extra libxine1-plugins_1.1.16.3-1_all.deb
a6c7ec0599020ca3930a3701056da5c9 60492 video extra libxine1-all-plugins_1.1.16.3-1_all.deb
5c8e77faf776d8cbe5cd086f6d775a1e 1308 libs optional libxine1_1.1.16.3-1_amd64.deb
60de4d22b134b189cca0de8e946ff57b 1551552 libs optional libxine1-bin_1.1.16.3-1_amd64.deb
4a4a7454209ad704873eeaa38c5953f9 324376 libdevel optional libxine-dev_1.1.16.3-1_amd64.deb
ecf53c60e81bd64d96de9039614b535c 236526 video optional libxine1-ffmpeg_1.1.16.3-1_amd64.deb
56153d6c4675b3f6c2ff425733db9ce1 14954 video optional libxine1-gnome_1.1.16.3-1_amd64.deb
c682f2343927ec436331cea43b7525f9 44666 libs extra libxine1-console_1.1.16.3-1_amd64.deb
a6cca7956186ce6c990a8e66ae3a54a3 154104 libs optional libxine1-x_1.1.16.3-1_amd64.deb
f5737f88dfd30ff27f40da177b3ce581 853670 video optional libxine1-misc-plugins_1.1.16.3-1_amd64.deb
45f3898f98b5f03dd952b8489a41fec3 3302696 debug extra libxine1-dbg_1.1.16.3-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFJ28BksBKtjPGfWZ8RAjSZAJ4rEwVUxjWdci8JP7F6uiys7jLoGACfQRox
qmwymlcYyltWQ9tgj3pFpak=
=AtGl
-----END PGP SIGNATURE-----
Bug marked as found in version 1.1.14-1.
Request was from Darren Salt <linux@youmustbejoking.demon.co.uk>
to control@bugs.debian.org.
(Fri, 10 Apr 2009 19:33:06 GMT) (full text, mbox, link).
Tags added: pending
Request was from Darren Salt <linux@youmustbejoking.demon.co.uk>
to control@bugs.debian.org.
(Thu, 09 Jul 2009 19:21:02 GMT) (full text, mbox, link).
Bug Marked as fixed in versions 1.1.14-6.
Request was from Touko Korpela <tkorpela@phnet.fi>
to control@bugs.debian.org.
(Mon, 08 Mar 2010 16:21:02 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Darren Salt <linux@youmustbejoking.demon.co.uk>:
Bug#517792; Package xine-lib.
(Mon, 08 Mar 2010 16:45:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Touko Korpela <tkorpela@phnet.fi>:
Extra info received and forwarded to list. Copy sent to Darren Salt <linux@youmustbejoking.demon.co.uk>.
(Mon, 08 Mar 2010 16:45:05 GMT) (full text, mbox, link).
Message #21 received at 517792@bugs.debian.org (full text, mbox, reply):
Is #523475 and #517792 same bug? And is it still in 1.1.14-6 (lenny)?
Also #522811 seems unfixed too.
Bug No longer marked as fixed in versions 1.1.14-6.
Request was from Touko Korpela <tkorpela@phnet.fi>
to control@bugs.debian.org.
(Mon, 08 Mar 2010 16:54:11 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 07 Mar 2011 10:21:33 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:58:15 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon