Gentoo Archives: gentoo-announce

From: Alex Legler <a3li@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 201006-04 ] xine-lib: User-assisted execution of arbitrary code
Date: Tue, 01 Jun 2010 17:01:45
Message-Id: 20100601173936.22d73e1b@mail.a3li.li
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201006-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: xine-lib: User-assisted execution of arbitrary code
Date: June 01, 2010
Bugs: #234777, #249041, #260069, #265250
ID: 201006-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in xine-lib might result in the remote
execution of arbitrary code.

Background
==========

xine-lib is the core library package for the xine media player, and
other players such as Amarok, Codeine/Dragon Player and Kaffeine.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  media-libs/xine-lib      < 1.1.16.3              >= 1.1.16.3

Description
===========

Multiple vulnerabilities have been reported in xine-lib. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could entice a user to play a specially crafted video
file or stream with a player using xine-lib, potentially resulting in
the execution of arbitrary code with the privileges of the user running
the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All xine-lib users should upgrade to an unaffected version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=media-libs/xine-lib-1.1.16.3"

NOTE: This is a legacy GLSA. Updates for all affected architectures have
been available since April 10, 2009. It is likely that your system is
already no longer affected by this issue.
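
Because the fix has been in the tree for so long (see the NOTE), the first thing to establish on an older system is whether the installed media-libs/xine-lib still falls inside the "Vulnerable" range from the table above. The script below is an added example, not part of this GLSA or of the xine-lib project. It assumes Gentoo's package database layout /var/db/pkg/<category>/<pkg>-<version> (the directory can be overridden as the first argument) and implements only a simplified version comparison: dotted numeric components with an optional -rN revision. Any other version shape is reported for manual review rather than guessed at.

```shell
#!/bin/sh
# Added example, not part of GLSA 201006-04 or of the xine-lib project:
# report whether the media-libs/xine-lib version recorded in Gentoo's
# package database (VDB) is inside the advisory's vulnerable range
# (< 1.1.16.3). Assumptions: the VDB lives at
# /var/db/pkg/<category>/<pkg>-<version> (overridable as $1), and versions
# are dotted numerics with an optional -rN revision; anything else is
# flagged for manual review instead of being compared.

UNAFFECTED="1.1.16.3"   # lower bound of the "Unaffected" column in the GLSA

# strip_revision VERSION -> VERSION without a trailing Gentoo -rN revision.
# A revision never lowers the upstream version, so it does not change the
# outcome of the comparison against 1.1.16.3.
strip_revision() {
    case $1 in
        *-r[0-9]*) printf '%s\n' "${1%-r*}" ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# is_numeric_version VERSION -> true if it is digits separated by single dots.
is_numeric_version() {
    case $(strip_revision "$1") in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
        *)                       return 0 ;;
    esac
}

# vercmp A B -> prints -1, 0 or 1 for A<B, A=B, A>B, comparing dotted
# components numerically; a missing component counts as 0 (1.1 == 1.1.0).
vercmp() {
    a=$(strip_revision "$1"); b=$(strip_revision "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca=${a%%.*}; cb=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        ca=${ca:-0}; cb=${cb:-0}
        if [ "$ca" -lt "$cb" ]; then printf '%s\n' -1; return; fi
        if [ "$ca" -gt "$cb" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# xine_lib_affected VERSION -> exit 0 if VERSION < 1.1.16.3 (affected),
# 1 if unaffected, 2 if the version string cannot be parsed safely.
xine_lib_affected() {
    is_numeric_version "$1" || return 2
    [ "$(vercmp "$1" "$UNAFFECTED")" -lt 0 ]
}

# check_installed VDBDIR -> scans VDBDIR/media-libs for xine-lib-<version>
# entries. Exit status: 0 = an affected version is installed, 1 = nothing
# affected (or not installed), 2 = an unparseable version needs review.
check_installed() {
    vdb=$1; found=0; status=1
    for dir in "$vdb"/media-libs/xine-lib-*; do
        [ -d "$dir" ] || continue
        found=1
        ver=${dir##*/xine-lib-}
        xine_lib_affected "$ver"; rc=$?
        case $rc in
            0) echo "AFFECTED: media-libs/xine-lib-$ver < $UNAFFECTED; upgrade per GLSA 201006-04"
               status=0 ;;
            1) echo "ok: media-libs/xine-lib-$ver >= $UNAFFECTED" ;;
            *) echo "UNKNOWN: cannot parse version '$ver'; review manually"
               [ "$status" -eq 0 ] || status=2 ;;
        esac
    done
    [ "$found" -eq 1 ] || echo "media-libs/xine-lib is not installed under $vdb"
    return "$status"
}

# When run directly: scan the real VDB (or the directory given as $1). The
# exit status lets the script gate an automated upgrade or an alert.
check_installed "${1:-/var/db/pkg}"
```

Run it as any user able to read /var/db/pkg; pass a directory as the first argument to point it at a copy of the VDB. An exit status of 0 means the advisory still applies and the emerge command above should be run; 2 means a version string the simplified comparison does not understand (for example a _rc or _pre snapshot), which should be checked by hand against the table rather than assumed safe.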

References
==========

[ 1 ] CVE-2008-3231
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3231
[ 2 ] CVE-2008-5233
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5233
[ 3 ] CVE-2008-5234
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5234
[ 4 ] CVE-2008-5235
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5235
[ 5 ] CVE-2008-5236
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5236
[ 6 ] CVE-2008-5237
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5237
[ 7 ] CVE-2008-5238
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5238
[ 8 ] CVE-2008-5239
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5239
[ 9 ] CVE-2008-5240
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5240
[ 10 ] CVE-2008-5241
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5241
[ 11 ] CVE-2008-5242
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5242
[ 12 ] CVE-2008-5243
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5243
[ 13 ] CVE-2008-5244
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5244
[ 14 ] CVE-2008-5245
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5245
[ 15 ] CVE-2008-5246
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5246
[ 16 ] CVE-2008-5247
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5247
[ 17 ] CVE-2008-5248
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5248
[ 18 ] CVE-2009-0698
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0698
[ 19 ] CVE-2009-1274
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1274

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201006-04.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2010 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
