Bug 428620 - (CVE-2008-0225) CVE-2008-0225 xine-lib: SDP attributes buffer overflow
CVE-2008-0225 xine-lib: SDP attributes buffer overflow
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
http://nvd.nist.gov/nvd.cfm?cvename=C...
source=cve,reported=20080110,public=2...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-01-14 03:20 EST by Tomas Hoger
Modified: 2008-02-08 10:48 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-02-08 10:48:17 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2008-01-14 03:20:29 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-0225 to the following vulnerability:

Heap-based buffer overflow in the rmff_dump_cont function in input/libreal/rmff.c in xine-lib 1.1.9 and earlier allows remote attackers to execute arbitrary code via the SDP Abstract attribute, related to the rmff_dump_header function and related to disregarding the max field.  NOTE: some of these details are obtained from third party information.

References:

http://aluigi.altervista.org/adv/xinermffhof-adv.txt
http://secunia.com/advisories/28384
Comment 1 Tomas Hoger 2008-01-14 03:27:56 EST
This issue was addressed in upstream version 1.1.9.1:

http://sourceforge.net/project/shownotes.php?release_id=567872&group_id=9655

Updates to F7 and F8 are pending approval.
Comment 2 Ville Skyttä 2008-01-14 16:48:51 EST
Note that I submitted the F7 update "only" to testing, because I do not have a
F7 box to test with and it's an update from 1.1.7 to 1.1.9.1.

The F8 update works fine for me and I requested it to be pushed straight to the
non-testing updates repo.

BTW, could the script (?) you guys use to add security bugzilla entries be
modified so that it auto-Cc's co-maintainers as well as the primary package
owner?  Is the script (?) publically available somewhere?
Comment 3 Tomas Hoger 2008-01-15 03:01:16 EST
(In reply to comment #2)
> The F8 update works fine for me and I requested it to be pushed straight to 
> the non-testing updates repo.

Can you please have a look at #428621 too?  That's another xine-lib issue that
got CVE id.  However, reference point to the same Secunia advisory as this one,
just wording seems to cover other exploitation vectors not originally described
in reporter's mail.  Looking into the patch referenced by 1.1.9.1 release notes,
those additional vectors seem to be addressed to.  But I would appreciate some
ack from someone more familiar with xine-lib.

> BTW, could the script (?) you guys use to add security bugzilla entries be
> modified so that it auto-Cc's co-maintainers as well as the primary package
> owner?

Current CC list it based on package ownership as known to Bugzilla.  Can you
recommend any source from where co-maintainers list can be extracted in
automated way?  pkgdb list of co-maintainers, but I do not see any obvious way
to turn that to list of Bugzilla emails/logins to CC the bug to.

> Is the script (?) publically available somewhere?

fedora-security repo should already contain it.
Comment 4 Fedora Update System 2008-01-15 17:54:25 EST
xine-lib-1.1.9.1-1.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update xine-lib'
Comment 5 Fedora Update System 2008-01-15 18:11:28 EST
xine-lib-1.1.9.1-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Tomas Hoger 2008-02-08 10:48:17 EST
Fixed upstream version xine-lib-1.1.10-1 currently available in all stable
Fedora versions, closing.

Note You need to log in before you can comment on or make changes to this bug.