Bug 428620 (CVE-2008-0225) - CVE-2008-0225 xine-lib: SDP attributes buffer overflow
Summary: CVE-2008-0225 xine-lib: SDP attributes buffer overflow
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-0225
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-01-14 08:20 UTC by Tomas Hoger
Modified: 2019-09-29 12:22 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-02-08 15:48:17 UTC


Attachments (Terms of Use)

Description Tomas Hoger 2008-01-14 08:20:29 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-0225 to the following vulnerability:

Heap-based buffer overflow in the rmff_dump_cont function in input/libreal/rmff.c in xine-lib 1.1.9 and earlier allows remote attackers to execute arbitrary code via the SDP Abstract attribute, related to the rmff_dump_header function and related to disregarding the max field.  NOTE: some of these details are obtained from third party information.

References:

http://aluigi.altervista.org/adv/xinermffhof-adv.txt
http://secunia.com/advisories/28384

Comment 1 Tomas Hoger 2008-01-14 08:27:56 UTC
This issue was addressed in upstream version 1.1.9.1:

http://sourceforge.net/project/shownotes.php?release_id=567872&group_id=9655

Updates to F7 and F8 are pending approval.

Comment 2 Ville Skyttä 2008-01-14 21:48:51 UTC
Note that I submitted the F7 update "only" to testing, because I do not have a
F7 box to test with and it's an update from 1.1.7 to 1.1.9.1.

The F8 update works fine for me and I requested it to be pushed straight to the
non-testing updates repo.

BTW, could the script (?) you guys use to add security bugzilla entries be
modified so that it auto-Cc's co-maintainers as well as the primary package
owner?  Is the script (?) publically available somewhere?

Comment 3 Tomas Hoger 2008-01-15 08:01:16 UTC
(In reply to comment #2)
> The F8 update works fine for me and I requested it to be pushed straight to 
> the non-testing updates repo.

Can you please have a look at #428621 too?  That's another xine-lib issue that
got CVE id.  However, reference point to the same Secunia advisory as this one,
just wording seems to cover other exploitation vectors not originally described
in reporter's mail.  Looking into the patch referenced by 1.1.9.1 release notes,
those additional vectors seem to be addressed to.  But I would appreciate some
ack from someone more familiar with xine-lib.

> BTW, could the script (?) you guys use to add security bugzilla entries be
> modified so that it auto-Cc's co-maintainers as well as the primary package
> owner?

Current CC list it based on package ownership as known to Bugzilla.  Can you
recommend any source from where co-maintainers list can be extracted in
automated way?  pkgdb list of co-maintainers, but I do not see any obvious way
to turn that to list of Bugzilla emails/logins to CC the bug to.

> Is the script (?) publically available somewhere?

fedora-security repo should already contain it.


Comment 4 Fedora Update System 2008-01-15 22:54:25 UTC
xine-lib-1.1.9.1-1.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update xine-lib'

Comment 5 Fedora Update System 2008-01-15 23:11:28 UTC
xine-lib-1.1.9.1-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Tomas Hoger 2008-02-08 15:48:17 UTC
Fixed upstream version xine-lib-1.1.10-1 currently available in all stable
Fedora versions, closing.


Note You need to log in before you can comment on or make changes to this bug.