-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDKSA-2007:027 http://www.mandriva.com/security/ _______________________________________________________________________ Package : xine-ui Date : January 26, 2007 Affected: 2007.0, Corporate 3.0 _______________________________________________________________________ Problem Description: Format string vulnerability in the errors_create_window function in errors.c in xine-ui allows attackers to execute arbitrary code via unknown vectors. (CVE-2007-0254) XINE 0.99.4 allows user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a certain M3U file that contains a long #EXTINF line and contains format string specifiers in an invalid udp:// URI, possibly a variant of CVE-2007-0017. (CVE-2007-0255) The updated packages have been patched to correct these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0254 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0255 _______________________________________________________________________ Updated Packages: Mandriva Linux 2007.0: 5a00fa676e755f473ed3894fdbed6fae 2007.0/i586/xine-ui-0.99.4-7.1mdv2007.0.i586.rpm 22ee97e6cab9a53cfbb623911acbff08 2007.0/i586/xine-ui-aa-0.99.4-7.1mdv2007.0.i586.rpm 323d3e53cff4659c12fa4c9c64b8cf80 2007.0/i586/xine-ui-fb-0.99.4-7.1mdv2007.0.i586.rpm 3df57e9d2ba0e239fb0efaac6aae80b9 2007.0/SRPMS/xine-ui-0.99.4-7.1mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: 6936d70577dac7200be466ddc5776ad8 2007.0/x86_64/xine-ui-0.99.4-7.1mdv2007.0.x86_64.rpm 47692d8f90bb60344b780a93b1465784 2007.0/x86_64/xine-ui-aa-0.99.4-7.1mdv2007.0.x86_64.rpm afb78af3b93eb9ae77f5d26fa78a480e 2007.0/x86_64/xine-ui-fb-0.99.4-7.1mdv2007.0.x86_64.rpm 3df57e9d2ba0e239fb0efaac6aae80b9 2007.0/SRPMS/xine-ui-0.99.4-7.1mdv2007.0.src.rpm Corporate 3.0: 47b308a588d752dd44a813a05a5aa20a corporate/3.0/i586/xine-ui-0.9.23-3.4.C30mdk.i586.rpm 41a13fc734f6d97f9b9c49763247df45 corporate/3.0/i586/xine-ui-aa-0.9.23-3.4.C30mdk.i586.rpm 488ece09c2e10ffe0403ccb38f259f61 corporate/3.0/i586/xine-ui-fb-0.9.23-3.4.C30mdk.i586.rpm c37c03e48156837ed8081f53f79006d8 corporate/3.0/SRPMS/xine-ui-0.9.23-3.4.C30mdk.src.rpm Corporate 3.0/X86_64: eec4092fa0e0ca22af09e1e6f291f6e0 corporate/3.0/x86_64/xine-ui-0.9.23-3.4.C30mdk.x86_64.rpm 6763e423a13d3a9dffadf6c642085003 corporate/3.0/x86_64/xine-ui-aa-0.9.23-3.4.C30mdk.x86_64.rpm 57863e4da81d1e698e23d6b0889b33cb corporate/3.0/x86_64/xine-ui-fb-0.9.23-3.4.C30mdk.x86_64.rpm c37c03e48156837ed8081f53f79006d8 corporate/3.0/SRPMS/xine-ui-0.9.23-3.4.C30mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFFueK2mqjQ0CJFipgRAiGeAJkBuTUHsp7RoAc8oYs74A1DtXfIBwCgrjQz +rFssCLGFfA8BMg4ho+0vis= =tWz9 -----END PGP SIGNATURE-----
