xine-ui: printf missing-format-string bugs

Related Vulnerabilities: CVE-2006-1905, CVE-2006-2230

Debian Bug report logs - #363370

Reported by: Darren Salt <linux@youmustbejoking.demon.co.uk>

Date: Tue, 18 Apr 2006 18:48:04 UTC

Severity: serious

Found in version xine-ui/0.99.3-1.3

Fixed in version xine-ui/0.99.4-1

Done: Reinhard Tartler <siretart@tauware.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Siggi Langauf <siggi@debian.org>:
Bug#363370; Package xine-ui.


Acknowledgement sent to Darren Salt <linux@youmustbejoking.demon.co.uk>:
New Bug report received and forwarded. Copy sent to Siggi Langauf <siggi@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Darren Salt <linux@youmustbejoking.demon.co.uk>
To: submit@bugs.debian.org
Subject: xine-ui: printf missing-format-string bugs
Date: Tue, 18 Apr 2006 19:33:44 +0100
Package: xine-ui
Version: 0.99.3-1.3
Severity: serious

Posted to xine-devel by Diego Pettenó <flameeyes@gentoo.org>:

: Seems like there's disclosure of a vulnerability in latest released xine-ui
: (0.99.4) at http://www.open-security.org/advisories/16 . The code that's
: there referred to is already fixed in current CVS since last August, I'm
: re-attaching the patch I submitted that time for who wants to fix this
: independently from a new release.

The patch (attached) is not present in 0.99.3-1.3.

-- 
| Darren Salt    | linux or ds at              | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| + Travel less. Share transport more.           PRODUCE LESS CARBON DIOXIDE.

If you think this tagline is confusing, then change one pig.
[040_all_formats.patch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Siggi Langauf <siggi@debian.org>:
Bug#363370; Package xine-ui.


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Siggi Langauf <siggi@debian.org>.


Message #10 received at 363370@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: 363370@bugs.debian.org
Subject: xine-ui: printf missing-format-string bugs
Date: Sun, 30 Apr 2006 21:00:17 +0200
This is CVE-2006-1905. Please mention the CVE id in the changelog.

Thanks.




Information forwarded to debian-bugs-dist@lists.debian.org, Siggi Langauf <siggi@debian.org>:
Bug#363370; Package xine-ui.


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Siggi Langauf <siggi@debian.org>.


Message #15 received at 363370@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: 363370@bugs.debian.org
Subject: xine-ui: printf missing-format-string bugs
Date: Fri, 12 May 2006 12:54:24 +0200
There are even more format string problems:

CVE-2006-2230:
Multiple format string vulnerabilities in xiTK (xitk/main.c) in xine
0.99.4 might allow attackers to cause a denial of service via format
string specifiers in an MP3 filename specified on the command line.
NOTE: this is a different vulnerability than CVE-2006-1905.  In
addition, if the only attack vectors involve a user-complicit, local
command line argument of a non-setuid program, this issue might not be
a vulnerability.

See:
http://www.securityfocus.com/archive/1/archive/1/432598/100/0/threaded



Tags added: pending. Request was from Reinhard Tartler <siretart@tauware.de> to control@bugs.debian.org.


Information stored:
Bug#363370; Package xine-ui.


Acknowledgement sent to Reinhard Tartler <siretart@tauware.de>:
Extra info received and filed, but not forwarded.


Message #22 received at 363370-quiet@bugs.debian.org:

From: Reinhard Tartler <siretart@tauware.de>
To: siggi@debian.org
Cc: 363370-quiet@bugs.debian.org, control@bugs.debian.org
Subject: upload candidate for xine-ui_0.99.4-1
Date: Mon, 5 Jun 2006 18:21:36 +0200
tags 363370 pending
quit

Hey Siggi,

I prepared an upload candidate for xine-ui 0.99.4. I incorporated a
security bug from ubuntu, so I think this should get into debian rather
quickly. Regarding the other bugs, I don't think they should be RC, if
they apply to 0.99.4 at all. So I'd suggest to downgrade them so that we
get an up-to-date xine in debian/etch soon!

Please review and upload these packages:

http://siretart.tauware.de/upload-queue/xine-ui_0.99.4-1.dsc
http://siretart.tauware.de/upload-queue/xine-lib_1.1.1-2.dsc

Gruesse,
	Reinhard




Reply sent to Reinhard Tartler <siretart@tauware.de>:
You have taken responsibility.


Notification sent to Darren Salt <linux@youmustbejoking.demon.co.uk>:
Bug acknowledged by developer.


Message #27 received at 363370-close@bugs.debian.org:

From: Reinhard Tartler <siretart@tauware.de>
To: 363370-close@bugs.debian.org
Subject: Bug#363370: fixed in xine-ui 0.99.4-1
Date: Mon, 12 Jun 2006 10:33:01 -0700
Source: xine-ui
Source-Version: 0.99.4-1

We believe that the bug you reported is fixed in the latest version of
xine-ui, which is due to be installed in the Debian FTP archive:

xine-ui_0.99.4-1.diff.gz
  to pool/main/x/xine-ui/xine-ui_0.99.4-1.diff.gz
xine-ui_0.99.4-1.dsc
  to pool/main/x/xine-ui/xine-ui_0.99.4-1.dsc
xine-ui_0.99.4-1_i386.deb
  to pool/main/x/xine-ui/xine-ui_0.99.4-1_i386.deb
xine-ui_0.99.4.orig.tar.gz
  to pool/main/x/xine-ui/xine-ui_0.99.4.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 363370@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated xine-ui package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon,  5 Jun 2006 18:08:45 +0200
Source: xine-ui
Binary: xine-ui
Architecture: source i386
Version: 0.99.4-1
Distribution: unstable
Urgency: high
Maintainer: Siggi Langauf <siggi@debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Description: 
 xine-ui    - the xine video player, user interface
Closes: 228633 363370
Changes: 
 xine-ui (0.99.4-1) unstable; urgency=high
 .
   [ Siggi Langauf ]
 .
   * fixed icon in menu entry (closes: #228633)
 .
   [ Reinhard Tartler ]
 .
   * new upstream release, featuring:
     - Fixed deadlock, segfaults and mem-leaks, several other fixes and
       enhancements,
       can't remember details (thanks also to Marcelo Jimenez and Jakub Labath)
     - Menu to reset video controls
     - fixed menu shortcut strings allocation/freeing [bug #1223022]
     - audio post plugin support
     - use UTF-8 for Japanese locale if nl_langinfo doesn't work [bug #1096974]
     - expand tabs in post-plugin help
     - merge some osd menus from oxine
     - aspect ratio fixed for multihead setups (especially TwinView)
       [bugs #1089328, #1001702 and #989157]
     - fixed parsing post plugin parameters of type double for some locales
     - autoload subtitles with .txt extension too
     - be more POSIX-compliant (head, tail) (build fix) [bug #1172729]
     - Russian translations (thanks to Pavel Maryanov)
     - forced not loading old playlist with -P option
 .
   * add debian/watch file for uscan.
   * added myself to Uploaders
   * high urgency upload because of security fix
   * bumped standards version to 3.7.2, no changes needed
 .
   * SECURITY: Fix two format string bugs which could be possibly
     remote-exploitable (Ubuntu: #41781, CVE-2006-1905). Imported from security
     upload to ubuntu by Sebastian Dröge <slomo@ubuntu.com> (Closes: #363370)
Files: 
 99afe44039d27673b6e6ad432fc35d62 943 graphics optional xine-ui_0.99.4-1.dsc
 90ea1f76747e9788a30a73e7f4a76cf6 2544984 graphics optional xine-ui_0.99.4.orig.tar.gz
 b9a307d1203d8955535200d23e1cf038 20703 graphics optional xine-ui_0.99.4-1.diff.gz
 3081892db40693f9366c0a9bb9fab48b 1628570 graphics optional xine-ui_0.99.4-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEjaNwXKRQ3lK3SH4RAsCpAJ9AuyAi1I1n2kv0TXbkVajzUjOcyACgieWH
u8WXxOXDe7ItNw27bjzhGy4=
=MGP1
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Siggi Langauf <siggi@debian.org>:
Bug#363370; Package xine-ui.


Acknowledgement sent to neologix@free.fr:
Extra info received and forwarded to list. Copy sent to Siggi Langauf <siggi@debian.org>.


Message #32 received at 363370@bugs.debian.org:

From: neologix@free.fr
To: 363370@bugs.debian.org
Subject: small rewriting of format strings patch
Date: Wed, 21 Jun 2006 10:38:11 +0200
Hi.
Here is a rewriting of patch submitted, which I find better.
First, declare 'len' as size_t (strlen() returns size_t, not int, and we must be
careful when comparing unsigned and int).
Do not use printf(), cause there is no need for formatted output, so that
fputs is faster and simpler (easier to catch with prototypes).

And another small cleanup (no need for calling printf() twice, we can join
them in the same format string).


Cheers,
[xine-ui.patch (text/plain, attachment)]
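
The approach described in the message above, as an added example: this is not the attached patch (which this page does not show) and not xine-ui code. The function names `emit_plain`, `status_line` and `show_title`, the "Playing:" text and the sample file name are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__)
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif

/* Bug class from the report: untrusted text used as the format itself,
 *     printf(untrusted);
 * so any '%' directive inside it is interpreted by printf. */

/* No formatting needed: fputs() never interprets '%'. Returns bytes written. */
static size_t emit_plain(FILE *out, const char *untrusted)
{
    size_t len = strlen(untrusted);      /* size_t, as strlen() returns */
    return fputs(untrusted, out) == EOF ? 0 : len;
}

/* Formatting wrapper (hypothetical). The attribute lets the compiler check
 * each call site's format string against its arguments (-Wformat-security). */
static int status_line(char *buf, size_t size, const char *fmt, ...) PRINTF_LIKE(3, 4);
static int status_line(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* One call with one constant format string; the untrusted name is only data. */
static int show_title(char *buf, size_t size, const char *untrusted)
{
    return status_line(buf, size, "Playing: %s\n", untrusted);
}

int main(void)
{
    char buf[64];
    const char *name = "%n%s%x.mp3";     /* constructed hostile file name */
    emit_plain(stdout, name);
    show_title(buf, sizeof buf, name);
    fputs(buf, stdout);
    return 0;
}
```

Both paths print the directives in the file name literally instead of acting on them.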

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 10:25:42 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:06:58 2019; Machine Name: buxtehude
