Bug 428620 (CVE-2008-0225)
| Summary: | CVE-2008-0225 xine-lib: SDP attributes buffer overflow | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | extras-orphan, gauret, rdieter, ville.skytta |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0225 | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-02-08 15:48:17 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Tomas Hoger
2008-01-14 08:20:29 UTC
This issue was addressed in upstream version 1.1.9.1: http://sourceforge.net/project/shownotes.php?release_id=567872&group_id=9655 Updates to F7 and F8 are pending approval. Note that I submitted the F7 update "only" to testing, because I do not have a F7 box to test with and it's an update from 1.1.7 to 1.1.9.1. The F8 update works fine for me and I requested it to be pushed straight to the non-testing updates repo. BTW, could the script (?) you guys use to add security bugzilla entries be modified so that it auto-Cc's co-maintainers as well as the primary package owner? Is the script (?) publically available somewhere? (In reply to comment #2) > The F8 update works fine for me and I requested it to be pushed straight to > the non-testing updates repo. Can you please have a look at #428621 too? That's another xine-lib issue that got CVE id. However, reference point to the same Secunia advisory as this one, just wording seems to cover other exploitation vectors not originally described in reporter's mail. Looking into the patch referenced by 1.1.9.1 release notes, those additional vectors seem to be addressed to. But I would appreciate some ack from someone more familiar with xine-lib. > BTW, could the script (?) you guys use to add security bugzilla entries be > modified so that it auto-Cc's co-maintainers as well as the primary package > owner? Current CC list it based on package ownership as known to Bugzilla. Can you recommend any source from where co-maintainers list can be extracted in automated way? pkgdb list of co-maintainers, but I do not see any obvious way to turn that to list of Bugzilla emails/logins to CC the bug to. > Is the script (?) publically available somewhere? fedora-security repo should already contain it. xine-lib-1.1.9.1-1.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update xine-lib' xine-lib-1.1.9.1-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report. Fixed upstream version xine-lib-1.1.10-1 currently available in all stable Fedora versions, closing. |