A fairly vague report [1] indicates that xine-lib < 1.1.19 suffers from a memory corruption flaw because it would free a variable without first initializing it, leading to possible arbitrary code execution. I have been unable to find any further information beyond a Gentoo bug report [2]; no CVE name or patch. [1] http://labs.mwrinfosecurity.com/advisories/mwri_xine_free_uninit/ [2] https://bugs.gentoo.org/show_bug.cgi?id=346897 Fedora currently provides xine-lib 1.1.19, but EPEL5 and EPEL6 both provide older versions.
Created xine-lib tracking bugs for this issue Affects: epel-5 [bug 720499] Affects: epel-6 [bug 720500]
xine-lib-1.1.21-10.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
xine-lib-1.1.21-10.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.