-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandrakelinux Security Update Advisory _______________________________________________________________________ Package name: xine-lib Advisory ID: MDKSA-2005:011 Date: January 19th, 2005 Affected versions: 10.0, 10.1 ______________________________________________________________________ Problem Description: iDefense discovered that the PNA_TAG handling code in pnm_get_chunk() does not check if the input size is larger than the buffer size (CAN-2004-1187). As well, they discovered that in this same function, a negative value could be given to an unsigned variable that specifies the read length of input data (CAN-2004-1188). Ariel Berkman discovered that xine-lib reads specific input data into an array without checking the input size making it vulnerable to a buffer overflow problem (CAN-2004-1300). The updated packages have been patched to prevent these problems. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1187 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1188 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1300 http://xinehq.de/index.php/security/XSA-2004-6 http://xinehq.de/index.php/security/XSA-2004-7 ______________________________________________________________________ Updated Packages: Mandrakelinux 10.0: 04cf16b28902e4591e11ae72fd87d662 10.0/RPMS/libxine1-1-0.rc3.6.3.100mdk.i586.rpm b4229121fb5e1c2e8e3150fb770d20b1 10.0/RPMS/libxine1-devel-1-0.rc3.6.3.100mdk.i586.rpm dedf902f1106a5d2962169e0d384484b 10.0/RPMS/xine-aa-1-0.rc3.6.3.100mdk.i586.rpm 0e794be9dcbe0d7df7ac7023f90b9ce7 10.0/RPMS/xine-arts-1-0.rc3.6.3.100mdk.i586.rpm e2129af73ff087513cf3e206b6243a22 10.0/RPMS/xine-dxr3-1-0.rc3.6.3.100mdk.i586.rpm 465023e0d347cc68e50cd18e7e035d7f 10.0/RPMS/xine-esd-1-0.rc3.6.3.100mdk.i586.rpm 3aba7156985636b52cf388ee65efa61a 10.0/RPMS/xine-flac-1-0.rc3.6.3.100mdk.i586.rpm 442d828c5c5c477fb4056eec27ac99ac 10.0/RPMS/xine-gnomevfs-1-0.rc3.6.3.100mdk.i586.rpm 73e2c9d0af08f7af594897963ad2acee 10.0/RPMS/xine-plugins-1-0.rc3.6.3.100mdk.i586.rpm 987634217ee50058b309ce153c0d71cd 10.0/SRPMS/xine-lib-1-0.rc3.6.3.100mdk.src.rpm Mandrakelinux 10.0/AMD64: 66d763149801966fb38c9a07666eced3 amd64/10.0/RPMS/lib64xine1-1-0.rc3.6.3.100mdk.amd64.rpm 486eaa41ea24dc895ab68a7221efa641 amd64/10.0/RPMS/lib64xine1-devel-1-0.rc3.6.3.100mdk.amd64.rpm 5b454fdc3cc84ce2bd9aa8d4495971af amd64/10.0/RPMS/xine-aa-1-0.rc3.6.3.100mdk.amd64.rpm f8a5ce8ccdb495f23c879a58dc4a005b amd64/10.0/RPMS/xine-arts-1-0.rc3.6.3.100mdk.amd64.rpm aa3a3a29c478a444bbcb4fe7f48d217c amd64/10.0/RPMS/xine-esd-1-0.rc3.6.3.100mdk.amd64.rpm 051f953d91864f0609d55d9f5d13c545 amd64/10.0/RPMS/xine-flac-1-0.rc3.6.3.100mdk.amd64.rpm 7288d9764ff125053834cc3cbc56618b amd64/10.0/RPMS/xine-gnomevfs-1-0.rc3.6.3.100mdk.amd64.rpm 8c11dd4c0453b8236494df5e177985b0 amd64/10.0/RPMS/xine-plugins-1-0.rc3.6.3.100mdk.amd64.rpm 987634217ee50058b309ce153c0d71cd amd64/10.0/SRPMS/xine-lib-1-0.rc3.6.3.100mdk.src.rpm Mandrakelinux 10.1: dc10ced310a94ac2b1cdaa26d5065309 10.1/RPMS/libxine1-1-0.rc5.9.1.101mdk.i586.rpm 2ff06644e8ba40de686faea2870be099 10.1/RPMS/libxine1-devel-1-0.rc5.9.1.101mdk.i586.rpm dab77c7bb2d958fb34fd07dd525b7026 10.1/RPMS/xine-aa-1-0.rc5.9.1.101mdk.i586.rpm c0daf0f0835a0831251e725edb491d98 10.1/RPMS/xine-arts-1-0.rc5.9.1.101mdk.i586.rpm a9d901fa51bd439c5e6b54fb799afcde 10.1/RPMS/xine-dxr3-1-0.rc5.9.1.101mdk.i586.rpm 6e2e9ac54916eb1409347968bddc0903 10.1/RPMS/xine-esd-1-0.rc5.9.1.101mdk.i586.rpm 954f717131a3079ea5dff56ab3a20a8e 10.1/RPMS/xine-flac-1-0.rc5.9.1.101mdk.i586.rpm 72a82036a27f6bed29412b81417603eb 10.1/RPMS/xine-gnomevfs-1-0.rc5.9.1.101mdk.i586.rpm a76f9f553c97aa55fe4849225d7921a2 10.1/RPMS/xine-plugins-1-0.rc5.9.1.101mdk.i586.rpm dab247b679d8cb6f7bdf06b71d5e54b8 10.1/SRPMS/xine-lib-1-0.rc5.9.1.101mdk.src.rpm Mandrakelinux 10.1/X86_64: 5cfbd8787d4c8e0207437f048d5994a4 x86_64/10.1/RPMS/lib64xine1-1-0.rc5.9.1.101mdk.x86_64.rpm 8a4b9b26b8b58fd29477a6b260bd79c6 x86_64/10.1/RPMS/lib64xine1-devel-1-0.rc5.9.1.101mdk.x86_64.rpm c2bc72cfbfe95f18a6ae0b18b98807c8 x86_64/10.1/RPMS/xine-aa-1-0.rc5.9.1.101mdk.x86_64.rpm 7f059dfbc7e445a255510c9a5a7338b7 x86_64/10.1/RPMS/xine-arts-1-0.rc5.9.1.101mdk.x86_64.rpm 53b293f453695e7104a1ae593f79608a x86_64/10.1/RPMS/xine-dxr3-1-0.rc5.9.1.101mdk.x86_64.rpm 6efb0ca6be7650e60961e13f479b117a x86_64/10.1/RPMS/xine-esd-1-0.rc5.9.1.101mdk.x86_64.rpm 4caa5c113d95773e4ca462b69bb17e76 x86_64/10.1/RPMS/xine-flac-1-0.rc5.9.1.101mdk.x86_64.rpm ba0f5f739785622cac85034055fa7304 x86_64/10.1/RPMS/xine-gnomevfs-1-0.rc5.9.1.101mdk.x86_64.rpm d3c1a9cca1ae3800d72f82486b26f0e1 x86_64/10.1/RPMS/xine-plugins-1-0.rc5.9.1.101mdk.x86_64.rpm dab247b679d8cb6f7bdf06b71d5e54b8 x86_64/10.1/SRPMS/xine-lib-1-0.rc5.9.1.101mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandrakelinux at: http://www.mandrakesoft.com/security/advisories If you want to report vulnerabilities, please contact security_linux-mandrake.com Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team <security linux-mandrake.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFB7tremqjQ0CJFipgRAr0HAJ97WOzp9JCz/lQhgCvOi2yyRojHcACeOw+A 7Tq28VFsghjETZ2Mu2DVTLM= =awHr -----END PGP SIGNATURE-----