libxine1: Security vulnerabilities in PNM and RTSP components

Bug #11248 reported by Debian Bug Importer
Affects: xine-lib (Debian) | Status: Fix Released | Importance: Unknown
Affects: xine-lib (Ubuntu) | Status: Fix Released | Importance: Medium | Assigned to: Martin Pitt

Bug Description

Automatically imported from Debian bug report #286077 http://bugs.debian.org/286077


Debian Bug Importer (debzilla) wrote :

Message-id: <email address hidden>
Date: Fri, 17 Dec 2004 14:26:28 +0100
From: Sebastian Ley <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: libxine1: Security vulnerabilities in PNM and RTSP components

Package: libxine1
Version: 1-rc7-1
Severity: grave
Tags: security
Justification: user security hole

As per announcement on the xine page, the authors fixed two probably
exploitable buffer overflows in xine-lib version 1-rc8.
Details can be found here:
https://sourceforge.net/project/shownotes.php?group_id=9655&release_id=290099

Regards,
Sebastian

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.9-1-k7
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)

Versions of packages libxine1 depends on:
ii libasound2 1.0.7-4 ALSA library
ii libc6 2.3.2.ds1-19 GNU C Library: Shared libraries an
ii libfreetype6 2.1.7-2.3 FreeType 2 font engine, shared lib
ii libpng12-0 1.2.8rel-1 PNG library - runtime
ii libspeex1 1.0.rel.4-1 The Speex Speech Codec
ii libxext6 4.3.0.dfsg.1-9 X Window System miscellaneous exte
ii xlibs 4.3.0.dfsg.1-9 X Keyboard Extension (XKB) configu
ii zlib1g 1:1.2.2-4 compression library - runtime

-- no debconf information

Martin Pitt (pitti) wrote :

*sigh* reassigning to me.

Martin Pitt (pitti) wrote :

Fixed in Warty:
 xine-lib (1-rc5-1ubuntu2.1) warty-security; urgency=low
 .
   * SECURITY UPDATE: fix several potential buffer overflows
   * src/demuxers/demux_aiff.c: check AIFF chunk size, finish decoding if chunk
     is too large
   * src/input/libreal/real.c: check maximum size of RTSP description
     "Content-length" field; throw error if too long
   * src/input/pnm.c: do proper chunk size length checking
   * Patches taken from CVS for new release 1-rc8
   * References:
     http://www.idefense.com/application/poi/display?id=166
     https://sourceforge.net/project/shownotes.php?group_id=9655&release_id=290099

Hoary still vulnerable, waiting some days for Sid update.
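
The two kinds of check named in the changelog above (an upper bound on the RTSP "Content-length" value, and chunk size checking that cannot produce a negative read length), as an added example that is not xine-lib's code. The 64 KiB cap, the 8-byte chunk header and both function names are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_DESCRIPTION_LEN (64u * 1024u) /* assumed cap, not xine-lib's */
#define CHUNK_HEADER_LEN 8u               /* assumed chunk header size */

/* Parse a "Content-length" value. Returns 0 and stores the length, or -1
 * when the value is malformed, negative or above MAX_DESCRIPTION_LEN. */
int parse_content_length(const char *value, size_t *out)
{
    char *end;
    long long n;

    if (value == NULL || *value == '\0')
        return -1;
    errno = 0;
    n = strtoll(value, &end, 10);
    if (errno != 0 || end == value)
        return -1;                        /* overflow or no digits */
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        end++;
    if (*end != '\0' || n < 0 || n > (long long)MAX_DESCRIPTION_LEN)
        return -1;
    *out = (size_t)n;
    return 0;
}

/* A chunk declares its total size, header included. Reject sizes smaller
 * than the header (the subtraction would wrap to a huge read length) and
 * payloads larger than the destination buffer. */
int chunk_payload_len(uint32_t declared, size_t buf_cap, size_t *payload)
{
    if (declared < CHUNK_HEADER_LEN)
        return -1;
    if ((size_t)(declared - CHUNK_HEADER_LEN) > buf_cap)
        return -1;
    *payload = (size_t)(declared - CHUNK_HEADER_LEN);
    return 0;
}

int main(void)
{
    size_t n = 0;                         /* inputs below are constructed */
    printf("%d\n", parse_content_length("-1", &n));
    printf("%d\n", chunk_payload_len(4, 4096, &n));
    return 0;
}
```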

Martin Schulze (joey-infodrom) wrote : CAN-2004-1188: Arbitrary code execution

Please mention this CVE id in the changelog of fixed packages.

Here is more information:

* IDEFENSE:20041221 Multiple Vendor Xine version 0.99.2 PNM Handler Negative Read Length Heap Overflow Vulnerability
* URL:http://www.idefense.com/application/poi/display?id=177&type=vulnerabilities
* CONFIRM:http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/pnm.c?r1=1.20&r2=1.21
* CONFIRM:http://www.mplayerhq.hu/MPlayer/patches/pnm_fix_20041215.diff

Regards,

 Joey

--
All language designers are arrogant. Goes with the territory...
 -- Larry Wall

Please always Cc to me when replying to me on the lists.

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 22 Dec 2004 12:37:53 +0100
From: Martin Schulze <email address hidden>
To: <email address hidden>
Subject: CAN-2004-1188: Arbitrary code execution

Siggi Langauf (siggi) wrote : Bug#286077: fixed in xine-lib 1-rc8-1

Source: xine-lib
Source-Version: 1-rc8-1

We believe that the bug you reported is fixed in the latest version of
xine-lib, which is due to be installed in the Debian FTP archive:

libxine-dev_1-rc8-1_powerpc.deb
  to pool/main/x/xine-lib/libxine-dev_1-rc8-1_powerpc.deb
libxine1_1-rc8-1_powerpc.deb
  to pool/main/x/xine-lib/libxine1_1-rc8-1_powerpc.deb
xine-lib_1-rc8-1.diff.gz
  to pool/main/x/xine-lib/xine-lib_1-rc8-1.diff.gz
xine-lib_1-rc8-1.dsc
  to pool/main/x/xine-lib/xine-lib_1-rc8-1.dsc
xine-lib_1-rc8.orig.tar.gz
  to pool/main/x/xine-lib/xine-lib_1-rc8.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Siggi Langauf <email address hidden> (supplier of updated xine-lib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 22 Dec 2004 11:31:09 +0100
Source: xine-lib
Binary: libxine-dev libxine1
Architecture: source powerpc
Version: 1-rc8-1
Distribution: unstable
Urgency: high
Maintainer: Siggi Langauf <email address hidden>
Changed-By: Siggi Langauf <email address hidden>
Description:
 libxine-dev - the xine video player library, development packages
 libxine1 - the xine video/media player library, binary files
Closes: 281873 285899 286030 286077
Changes:
 xine-lib (1-rc8-1) unstable; urgency=high
 .
   * new upstream release (closes: #286030)
     * fixes PNM and RTSP related security vulnerabilities (closes: #286077)
     * fixes DVB playback for fullfeatured cards (possibly closes: #281873)
   * added patch to fix aiff vulnerability (CAN-2004-1300, closes: #285899)
Files:
 b384d730b211b19f9a3a332fc46c7a1a 929 libs optional xine-lib_1-rc8-1.dsc
 dd571489e361987805100fdd80e0b921 7354157 libs optional xine-lib_1-rc8.orig.tar.gz
 b9105986e6fe6661e1282b311b2a139a 579 libs optional xine-lib_1-rc8-1.diff.gz
 b4f387b9f552059651a02bf93ff405fb 105384 libdevel optional libxine-dev_1-rc8-1_powerpc.deb
 0621d998348443bc2c17b4a655841f9b 4075828 libs optional libxine1_1-rc8-1_powerpc.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFByezuGlPdX3lx7w8RAstWAJwIVDMRbaYduDV/P0UQI7EKNcEH2QCeJ0FC
1jn7cLX6MA/d0e656TeJDoU=
=Y2uh
-----END PGP SIGNATURE-----

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 22 Dec 2004 20:47:25 -0500
From: Siggi Langauf <email address hidden>
To: <email address hidden>
Subject: Bug#286077: fixed in xine-lib 1-rc8-1

Siggi Langauf (siggi) wrote : Re: Bug#286077: CAN-2004-1188: Arbitrary code execution

On Wed, 22 Dec 2004, Martin Schulze wrote:

> Please mention this CVE id in the changelog of fixed packages.

Sorry, the ID came too late for the changelog.

What am I supposed to do in such a case? re-upload with the ID added?
mention the ID in my next changelog entry?
Nothing?

TIA,
 Siggi

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 23 Dec 2004 03:41:47 +0100 (CET)
From: Siggi Langauf <email address hidden>
To: Martin Schulze <email address hidden>, <email address hidden>
Subject: Re: Bug#286077: CAN-2004-1188: Arbitrary code execution

Martin Schulze (joey-infodrom) wrote :

Siggi Langauf wrote:
> On Wed, 22 Dec 2004, Martin Schulze wrote:
>
> > Please mention this CVE id in the changelog of fixed packages.
>
> Sorry, the ID came too late for the changelog.
>
> What am I supposed to do in such a case? re-upload with the ID added?
> mention the ID in my next changelog entry?
> Nothing?

Simply add it to the proper changelog entry with your next upload.
No need to upload only for this change, though. Just adjust the
changelog when you are working on the next upload anyway.

Regards,

 Joey

--
Open source is important from a technical angle. -- Linus Torvalds

Please always Cc to me when replying to me on the lists.

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 23 Dec 2004 10:09:48 +0100
From: Martin Schulze <email address hidden>
To: Siggi Langauf <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#286077: CAN-2004-1188: Arbitrary code execution

Martin Schulze (joey-infodrom) wrote :

Martin Schulze wrote:
> Siggi Langauf wrote:
> > On Wed, 22 Dec 2004, Martin Schulze wrote:
> >
> > > Please mention this CVE id in the changelog of fixed packages.
> >
> > Sorry, the ID came too late for the changelog.
> >
> > What am I supposed to do in such a case? re-upload with the ID added?
> > mention the ID in my next changelog entry?
> > Nothing?
>
> Simply add it to the proper changelog entry with your next upload.
> No need to upload only for this change, though. Just adjust the
> changelog when you are working on the next upload anyway.

I just noticed that these vulnerabilities have been assigned two CVE ids:

CAN-2004-1187
CAN-2004-1188

Hence, please mention both.

Regards,

 Joey

--
Open source is important from a technical angle. -- Linus Torvalds

Please always Cc to me when replying to me on the lists.

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 23 Dec 2004 16:54:09 +0100
From: Martin Schulze <email address hidden>
To: Siggi Langauf <email address hidden>, <email address hidden>
Subject: Re: Bug#286077: CAN-2004-1188: Arbitrary code execution

Martin Pitt (pitti) wrote :

Already fixed in Warty (USN-42-1). Fixed in Hoary in 1-rc7-1ubuntu2.

Changed in xine-lib:
status: Unknown → Fix Released