Bug 231734

Summary: CVE-2007-1246, CVE-2007-1387: xine-lib buffer overflows
Product: [Fedora] Fedora Reporter: Ville Skyttä <ville.skytta>
Component: xine-libAssignee: Aurelien Bompard <gauret>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 5CC: fedora-security-list, ville.skytta
Target Milestone: ---Keywords: Patch, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 1.1.7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-06-17 17:13:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Fix from upstream CVS none

Description Ville Skyttä 2007-03-10 22:29:35 UTC
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1246

Originally reported against MPlayer, but it turns out xine-lib is vulnerable
too.  Upstream fix pushed to FC6+ (1.1.4-3 currently building), but FC5 is still
at 1.1.2, probably already lacking "several bug and security fixes" as put by
upstream in the 1.1.3 release announcement.  No FC5 system here to test with, so
leaving up to Aurelien to decide whether to update while at it or just to
possibly apply the patch for this issue from FC6+ (if it applies, unchecked).

Comment 1 Ville Skyttä 2007-03-10 22:29:35 UTC
Created attachment 149781 [details]
Fix from upstream CVS

Comment 2 Ville Skyttä 2007-03-14 14:35:12 UTC
Patch in comment 1 fixes CVE-2007-1387 too.