Red Hat Bugzilla – Bug 495031
CVE-2009-1274 xine-lib: Quicktime STTS Atom Integer Overflow (TKADV2009-005)
Last modified: 2016-03-04 05:55:45 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1274 to the following vulnerability:
Integer overflow in the qt_error parse_trak_atom function in
demuxers/demux_qt.c in xine-lib 126.96.36.199 and earlier allows remote
attackers to execute arbitrary code via a Quicktime movie file with a
large count value in an STTS atom, which triggers a heap-based buffer
Rawhide already has upstream 188.8.131.52.
OK, looks like all we need to do is push that out to all branches then. I'm going to build F9 and F10 updates right now.
xine-lib-184.108.40.206-1.fc10 has been submitted as an update for Fedora 10.
xine-lib-220.127.116.11-1.fc9 has been submitted as an update for Fedora 9.
xine-lib-18.104.22.168-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
xine-lib-22.214.171.124-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
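Added example, not xine-lib's code and not part of this bug report: the bug class named in the CVE description above, where an entry count read from an STTS atom sizes a heap table, shown with the count validated against the bytes actually present in the atom. The function names and sample bytes are assumptions constructed for illustration; the layout used (version, flags, 32-bit big-endian entry count, 8-byte entries) is the QuickTime time-to-sample atom.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

/* One time-to-sample entry: sample count and sample duration. */
typedef struct { uint32_t count; uint32_t duration; } stts_entry;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The bug class: a table size computed in 32 bits wraps for a large
 * count, so the allocation is far smaller than the loop that fills it. */
uint32_t unchecked_alloc_size(uint32_t count) {
    return count * (uint32_t)sizeof(stts_entry);
}

/* Hypothetical hardened parser. `body` is the atom payload after the
 * size/type header: version(1) flags(3) entry_count(4) entries(8 each).
 * Returns 0 on success, -1 on malformed input. */
int parse_stts(const uint8_t *body, size_t body_len,
               stts_entry **out, uint32_t *n_out) {
    *out = NULL;
    *n_out = 0;
    if (body_len < 8) return -1;
    uint32_t count = be32(body + 4);
    /* The count must be backed by bytes actually inside the atom. */
    if (count > (body_len - 8) / 8) return -1;
    if (count == 0) return 0;
    /* calloc checks the count * size multiplication for overflow. */
    stts_entry *tab = calloc(count, sizeof *tab);
    if (!tab) return -1;
    for (uint32_t i = 0; i < count; i++) {
        tab[i].count    = be32(body + 8  + 8 * (size_t)i);
        tab[i].duration = be32(body + 12 + 8 * (size_t)i);
    }
    *out = tab;
    *n_out = count;
    return 0;
}

int main(void) {
    /* Constructed sample: claims 0x20000001 entries, carries one. */
    const uint8_t bad[] = {0,0,0,0, 0x20,0,0,1, 0,0,0,1, 0,0,0,10};
    stts_entry *t; uint32_t n;
    return parse_stts(bad, sizeof bad, &t, &n) == -1 ? 0 : 1;
}
```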