Common Vulnerabilities and Exposures assigned an identifier CVE-2008-0225 to the following vulnerability:
Heap-based buffer overflow in the rmff_dump_cont function in input/libreal/rmff.c in xine-lib 1.1.9 and earlier allows remote attackers to execute arbitrary code via the SDP Abstract attribute, related to the rmff_dump_header function and related to disregarding the max field. NOTE: some of these details are obtained from third party information.
This issue was addressed in upstream version 18.104.22.168:
Updates to F7 and F8 are pending approval.
Note that I submitted the F7 update "only" to testing, because I do not have a
F7 box to test with and it's an update from 1.1.7 to 22.214.171.124.
The F8 update works fine for me and I requested it to be pushed straight to the
non-testing updates repo.
BTW, could the script (?) you guys use to add security bugzilla entries be
modified so that it auto-Cc's co-maintainers as well as the primary package
owner? Is the script (?) publically available somewhere?
(In reply to comment #2)
> The F8 update works fine for me and I requested it to be pushed straight to
> the non-testing updates repo.
Can you please have a look at #428621 too? That's another xine-lib issue that
got CVE id. However, reference point to the same Secunia advisory as this one,
just wording seems to cover other exploitation vectors not originally described
in reporter's mail. Looking into the patch referenced by 126.96.36.199 release notes,
those additional vectors seem to be addressed to. But I would appreciate some
ack from someone more familiar with xine-lib.
> BTW, could the script (?) you guys use to add security bugzilla entries be
> modified so that it auto-Cc's co-maintainers as well as the primary package
Current CC list it based on package ownership as known to Bugzilla. Can you
recommend any source from where co-maintainers list can be extracted in
automated way? pkgdb list of co-maintainers, but I do not see any obvious way
to turn that to list of Bugzilla emails/logins to CC the bug to.
> Is the script (?) publically available somewhere?
fedora-security repo should already contain it.
xine-lib-188.8.131.52-1.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update xine-lib'
xine-lib-184.108.40.206-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Fixed upstream version xine-lib-1.1.10-1 currently available in all stable
Fedora versions, closing.