Debian Bug report logs -
#363370
xine-ui: printf missing-format-string bugs
Reported by: Darren Salt <linux@youmustbejoking.demon.co.uk>
Date: Tue, 18 Apr 2006 18:48:04 UTC
Severity: serious
Found in version xine-ui/0.99.3-1.3
Fixed in version xine-ui/0.99.4-1
Done: Reinhard Tartler <siretart@tauware.de>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Siggi Langauf <siggi@debian.org>
:
Bug#363370
; Package xine-ui
.
(full text, mbox, link).
Acknowledgement sent to Darren Salt <linux@youmustbejoking.demon.co.uk>
:
New Bug report received and forwarded. Copy sent to Siggi Langauf <siggi@debian.org>
.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: xine-ui
Version: 0.99.3-1.3
Severity: serious
Posted to xine-devel by Diego Pettenó <flameeyes@gentoo.org>:
: Seems like there's disclosure of a vulnerability in latest released xine-ui
: (0.99.4) at http://www.open-security.org/advisories/16 . The code that's
: there referred to is already fixed in current CVS since last August, I'm
: re-attaching the patch I submitted that time for who wants to fix this
: independently from a new release.
The patch (attached) is not present in 0.99.3-1.3.
--
| Darren Salt | linux or ds at | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| + Travel less. Share transport more. PRODUCE LESS CARBON DIOXIDE.
If you think this tagline is confusing, then change one pig.
[040_all_formats.patch (text/plain, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Siggi Langauf <siggi@debian.org>
:
Bug#363370
; Package xine-ui
.
(full text, mbox, link).
Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>
:
Extra info received and forwarded to list. Copy sent to Siggi Langauf <siggi@debian.org>
.
(full text, mbox, link).
Message #10 received at 363370@bugs.debian.org (full text, mbox, reply):
This is CVE-2006-1905. Please mention the CVE id in the changelog.
Thanks.
Information forwarded to debian-bugs-dist@lists.debian.org, Siggi Langauf <siggi@debian.org>
:
Bug#363370
; Package xine-ui
.
(full text, mbox, link).
Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>
:
Extra info received and forwarded to list. Copy sent to Siggi Langauf <siggi@debian.org>
.
(full text, mbox, link).
Message #15 received at 363370@bugs.debian.org (full text, mbox, reply):
There are even more format string problems:
CVE-2006-2230:
Multiple format string vulnerabilities in xiTK (xitk/main.c) in xine
0.99.4 might allow attackers to cause a denial of service via format
string specifiers in an MP3 filename specified on the command line.
NOTE: this is a different vulnerability than CVE-2006-1905. In
addition, if the only attack vectors involve a user-complicit, local
command line argument of a non-setuid program, this issue might not be
a vulnerability.
See:
http://www.securityfocus.com/archive/1/archive/1/432598/100/0/threaded
Tags added: pending
Request was from Reinhard Tartler <siretart@tauware.de>
to control@bugs.debian.org
.
(full text, mbox, link).
Acknowledgement sent to Reinhard Tartler <siretart@tauware.de>
:
Extra info received and filed, but not forwarded.
(full text, mbox, link).
Message #22 received at 363370-quiet@bugs.debian.org (full text, mbox, reply):
tags 363370 pending
quit
Hey Siggi,
I prepared an upload candidate for xine-ui 0.99.4. I incorporated a
security bug from ubuntu, so I think this should get into debian rather
quickly. Regarding the other bugs, I don't think they should be RC, if
they apply to 0.99.4 at all. So I'd suggest to downgrade them so that we
get an up-to-date xine in debian/etch soon!
Please review and upload these packages:
http://siretart.tauware.de/upload-queue/xine-ui_0.99.4-1.dsc
http://siretart.tauware.de/upload-queue/xine-lib_1.1.1-2.dsc
Gruesse,
Reinhard
Reply sent to Reinhard Tartler <siretart@tauware.de>
:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Darren Salt <linux@youmustbejoking.demon.co.uk>
:
Bug acknowledged by developer.
(full text, mbox, link).
Message #27 received at 363370-close@bugs.debian.org (full text, mbox, reply):
Source: xine-ui
Source-Version: 0.99.4-1
We believe that the bug you reported is fixed in the latest version of
xine-ui, which is due to be installed in the Debian FTP archive:
xine-ui_0.99.4-1.diff.gz
to pool/main/x/xine-ui/xine-ui_0.99.4-1.diff.gz
xine-ui_0.99.4-1.dsc
to pool/main/x/xine-ui/xine-ui_0.99.4-1.dsc
xine-ui_0.99.4-1_i386.deb
to pool/main/x/xine-ui/xine-ui_0.99.4-1_i386.deb
xine-ui_0.99.4.orig.tar.gz
to pool/main/x/xine-ui/xine-ui_0.99.4.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 363370@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated xine-ui package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 5 Jun 2006 18:08:45 +0200
Source: xine-ui
Binary: xine-ui
Architecture: source i386
Version: 0.99.4-1
Distribution: unstable
Urgency: high
Maintainer: Siggi Langauf <siggi@debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Description:
xine-ui - the xine video player, user interface
Closes: 228633 363370
Changes:
xine-ui (0.99.4-1) unstable; urgency=high
.
[ Siggi Langauf ]
.
* fixed icon in menu entry (closes: #228633)
.
[ Reinhard Tartler ]
.
* new upstream release, featuring:
- Fixed deadlock, segfaults and mem-leaks, several other fixes and
enhancements,
can't remember details (thanks also to Marcelo Jimenez and Jakub Labath)
- Menu to reset video controls
- fixed menu shortcut strings allocation/freeing [bug #1223022]
- audio post plugin support
- use UTF-8 for Japanese locale if nl_langinfo doesn't work [bug #1096974]
- expand tabs in post-plugin help
- merge some osd menus from oxine
- aspect ratio fixed for multihead setups (especially TwinView)
[bugs #1089328, #1001702 and #989157]
- fixed parsing post plugin parameters of type double for some locales
- autoload subtitles with .txt extension too
- be more POSIX-compliant (head, tail) (build fix) [bug #1172729]
- Russian translations (thanks to Pavel Maryanov)
- forced not loading old playlist with -P option
.
* add debian/watch file for uscan.
* added myself to Uploaders
* high urgency upload because of security fix
* bumped standards version to 3.7.2, no changes needed
.
* SECURITY: Fix two format string bugs which could be possibly
remote-exploitable (Ubuntu: #41781, CVE-2006-1905). Imported from security
upload to ubuntu by Sebastian Dröge <slomo@ubuntu.com> (Closes: #363370)
Files:
99afe44039d27673b6e6ad432fc35d62 943 graphics optional xine-ui_0.99.4-1.dsc
90ea1f76747e9788a30a73e7f4a76cf6 2544984 graphics optional xine-ui_0.99.4.orig.tar.gz
b9a307d1203d8955535200d23e1cf038 20703 graphics optional xine-ui_0.99.4-1.diff.gz
3081892db40693f9366c0a9bb9fab48b 1628570 graphics optional xine-ui_0.99.4-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEjaNwXKRQ3lK3SH4RAsCpAJ9AuyAi1I1n2kv0TXbkVajzUjOcyACgieWH
u8WXxOXDe7ItNw27bjzhGy4=
=MGP1
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Siggi Langauf <siggi@debian.org>
:
Bug#363370
; Package xine-ui
.
(full text, mbox, link).
Acknowledgement sent to neologix@free.fr
:
Extra info received and forwarded to list. Copy sent to Siggi Langauf <siggi@debian.org>
.
(full text, mbox, link).
Message #32 received at 363370@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi.
Here is a rewriting of patch submitted, which I find better.
First, declare 'len' as size_t (strlen() returns size_t, not int, and we must be
carefull when comparing unsigned and int).
Do not use printf(), cause there is no need for formatted output, so that
fputs is faster and simpler (easier to catch with prototypes).
And another small cleanup (no need for calling printf() twice, we can join
them in the same format string).
Cheers,
[xine-ui.patch (text/plain, attachment)]
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Tue, 26 Jun 2007 10:25:42 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:06:58 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.