Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1274 to the following vulnerability:

Integer overflow in the qt_error parse_trak_atom function in demuxers/demux_qt.c in xine-lib 1.1.16.2 and earlier allows remote attackers to execute arbitrary code via a Quicktime movie file with a large count value in an STTS atom, which triggers a heap-based buffer overflow.

References:
http://www.trapkit.de/advisories/TKADV2009-005.txt
http://www.securityfocus.com/archive/1/archive/1/502481/100/0/threaded
http://bugs.xine-project.org/show_bug.cgi?id=224
http://sourceforge.net/project/shownotes.php?group_id=9655&release_id=673233
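The class of bug named in the CVE text above, shown from the defensive side: an STTS entry count taken from the file is checked against the bytes actually present before anything is allocated or copied. This is an added example, not code from xine-lib or from this bug report; `parse_stts`, `stts_entry` and the sample byte arrays are constructed for illustration, and the assumed layout is the QuickTime time-to-sample atom body (version and flags, a 32-bit entry count, then 8-byte entries).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* One time-to-sample entry; stored in the file as two big-endian 32-bit fields. */
typedef struct { uint32_t count; uint32_t duration; } stts_entry;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse an stts atom body (hypothetical helper, not xine-lib's parser).
 * Returns 0 and a malloc'd table on success, -1 on malformed input. */
int parse_stts(const uint8_t *body, size_t len, stts_entry **out, uint32_t *n_out) {
    *out = NULL;
    *n_out = 0;
    if (len < 8) return -1;                 /* version/flags + entry count */
    uint32_t n = be32(body + 4);            /* untrusted count from the file */
    size_t avail = len - 8;                 /* bytes left for the entry table */
    /* Division, not multiplication: guarantees n * 8 <= avail, so neither the
     * allocation size nor the read offsets below can wrap or run past the atom. */
    if (n > avail / 8) return -1;
    stts_entry *t = NULL;
    if (n > 0) {
        t = calloc(n, sizeof *t);
        if (t == NULL) return -1;
    }
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *e = body + 8 + (size_t)i * 8;
        t[i].count = be32(e);
        t[i].duration = be32(e + 4);
    }
    *out = t;
    *n_out = n;
    return 0;
}

/* Constructed sample: two entries, count field matches the data present. */
static const uint8_t STTS_OK[] = {0,0,0,0, 0,0,0,2,
                                  0,0,0,10, 0,0,0,100, 0,0,0,5, 0,0,0,200};
/* Constructed sample: count field far larger than the one entry present. */
static const uint8_t STTS_HUGE[] = {0,0,0,0, 0xff,0xff,0xff,0xff,
                                    0,0,0,10, 0,0,0,100};

int main(void) {
    stts_entry *t; uint32_t n;
    printf("ok=%d\n", parse_stts(STTS_OK, sizeof STTS_OK, &t, &n)); free(t);
    printf("huge=%d\n", parse_stts(STTS_HUGE, sizeof STTS_HUGE, &t, &n));
    return 0;
}
```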
Rawhide already has upstream 1.1.16.3.
OK, looks like all we need to do is push that out to all branches then. I'm going to build F9 and F10 updates right now.
xine-lib-1.1.16.3-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/xine-lib-1.1.16.3-1.fc10
xine-lib-1.1.16.3-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/xine-lib-1.1.16.3-1.fc9
xine-lib-1.1.16.3-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
xine-lib-1.1.16.3-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.