Mandriva 1273 Published by

Updated xine-lib packages are available for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: xine-lib
Advisory ID: MDKSA-2004:105
Date: October 6th, 2004

Affected versions: 10.0
______________________________________________________________________

Problem Description:

A number of string overflows were discovered in the xine-lib program, some of which can be used for remote buffer overflow exploits that lead to the execution of arbitrary code with the permissions of the user running a xine-lib-based media application. xine-lib versions 1-rc2 through, and including, 1-rc5 are vulnerable to these problems.

As well, a heap overflow was found in the DVD subpicture decoder of xine-lib; this vulnerability is also remotely exploitable. All versions of xine-lib prior to and including 0.5.2 through, and including, 1-rc5 are vulnerable to this problem.

Patches from the xine-lib team have been backported and applied to the program to solve these problems.



_______________________________________________________________________

References:

http://xinehq.de/index.php/security/XSA-2004-4
http://xinehq.de/index.php/security/XSA-2004-5
______________________________________________________________________

Updated Packages:

Mandrakelinux 10.0:
10ce6885addcfa3a9ed0380805fcbce6 10.0/RPMS/libxine1-1-0.rc3.6.2.100mdk.i586.rpm
2a1341dfa762f5208673ab20ec5d9092 10.0/RPMS/libxine1-devel-1-0.rc3.6.2.100mdk.i586.rpm
a654845136034c4cdb30ed89a0ca81b7 10.0/RPMS/xine-aa-1-0.rc3.6.2.100mdk.i586.rpm
e70b118d3bdd2a9a9dc48143601f78a4 10.0/RPMS/xine-arts-1-0.rc3.6.2.100mdk.i586.rpm
1ff7a30cd60c470f4d89cebfaf33d5f8 10.0/RPMS/xine-dxr3-1-0.rc3.6.2.100mdk.i586.rpm
2be55268cb20ff387313f662d19e5112 10.0/RPMS/xine-esd-1-0.rc3.6.2.100mdk.i586.rpm
8ea540e75311662ee5db57a0fa38e51a 10.0/RPMS/xine-flac-1-0.rc3.6.2.100mdk.i586.rpm
ba12f4c0368e6d81f6965c64e13796a0 10.0/RPMS/xine-gnomevfs-1-0.rc3.6.2.100mdk.i586.rpm
253a8c8dac5200fe7afc3d5d502be1ed 10.0/RPMS/xine-plugins-1-0.rc3.6.2.100mdk.i586.rpm
0f65783b02ceea2ee697af41a4406d76 10.0/SRPMS/xine-lib-1-0.rc3.6.2.100mdk.src.rpm

Mandrakelinux 10.0/AMD64:
12e4e1ef7a03cee73b025f106de3f05e amd64/10.0/RPMS/lib64xine1-1-0.rc3.6.2.100mdk.amd64.rpm
b04a4aa8e15009fe67e7cbd2b5d7304f amd64/10.0/RPMS/lib64xine1-devel-1-0.rc3.6.2.100mdk.amd64.rpm
dec9a4e10c6c1f3cda08a252bfa54963 amd64/10.0/RPMS/xine-aa-1-0.rc3.6.2.100mdk.amd64.rpm
76890b85ba9cc2ddd84bc8f7f79e1482 amd64/10.0/RPMS/xine-arts-1-0.rc3.6.2.100mdk.amd64.rpm
fbf465711eda60e57198666c0c693267 amd64/10.0/RPMS/xine-esd-1-0.rc3.6.2.100mdk.amd64.rpm
e5921bb72c4a819a685d736301643c4d amd64/10.0/RPMS/xine-flac-1-0.rc3.6.2.100mdk.amd64.rpm
c79055804621f8ff95ad738a75bcc5d6 amd64/10.0/RPMS/xine-gnomevfs-1-0.rc3.6.2.100mdk.amd64.rpm
72781a34d4b3f83d2e4a3e5226ed5942 amd64/10.0/RPMS/xine-plugins-1-0.rc3.6.2.100mdk.amd64.rpm
0f65783b02ceea2ee697af41a4406d76 amd64/10.0/SRPMS/xine-lib-1-0.rc3.6.2.100mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandrakelinux at:

http://www.mandrakesoft.com/security/advisories

If you want to report vulnerabilities, please contact

security_linux-mandrake.com