-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDKSA-2007:057 http://www.mandriva.com/security/ _______________________________________________________________________ Package : xine-lib Date : March 8, 2007 Affected: 2007.0, Corporate 3.0 _______________________________________________________________________ Problem Description: The DMO_VideoDecoder_Open function in dmo/DMO_VideoDecoder.c in xine-lib does not set the biSize before use in a memcpy, which allows user-assisted remote attackers to cause a buffer overflow and possibly execute arbitrary code. Updated packages have been patched to address this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1246 _______________________________________________________________________ Updated Packages: Mandriva Linux 2007.0: 241273125b4e2014a0fa1580c7ed0413 2007.0/i586/libxine1-1.1.2-3.3mdv2007.0.i586.rpm e2855220283ec658301068cf00bb266a 2007.0/i586/libxine1-devel-1.1.2-3.3mdv2007.0.i586.rpm b98b3376e156fb87a34f30aad34e65e5 2007.0/i586/xine-aa-1.1.2-3.3mdv2007.0.i586.rpm 88d1b8d538dcff220bf528674d0bf5b0 2007.0/i586/xine-arts-1.1.2-3.3mdv2007.0.i586.rpm ce54bd05bd941b2224c549bf685c0a08 2007.0/i586/xine-dxr3-1.1.2-3.3mdv2007.0.i586.rpm 0e33ea09058a1cd82fd8720278243c14 2007.0/i586/xine-esd-1.1.2-3.3mdv2007.0.i586.rpm 0e8c92ffdc4c3c8073531a72a47da8ca 2007.0/i586/xine-flac-1.1.2-3.3mdv2007.0.i586.rpm 3d7eb8f9a5f45ddebd7ccc20cec808f0 2007.0/i586/xine-gnomevfs-1.1.2-3.3mdv2007.0.i586.rpm 5a1390613c4505b2bfcd326ff0156b0c 2007.0/i586/xine-image-1.1.2-3.3mdv2007.0.i586.rpm 79899e7608558bb490003b9cba2a978c 2007.0/i586/xine-plugins-1.1.2-3.3mdv2007.0.i586.rpm ed4c39cfe82d66caa19c023a8495c4a1 2007.0/i586/xine-sdl-1.1.2-3.3mdv2007.0.i586.rpm 9256f65fff35cd6c25fd0b19823dcc8a 2007.0/i586/xine-smb-1.1.2-3.3mdv2007.0.i586.rpm 0bf2ceba6a15a079bf2890265b8f1a55 2007.0/SRPMS/xine-lib-1.1.2-3.3mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: d92a6bebe5c1e915ed6dca150f32de2e 2007.0/x86_64/lib64xine1-1.1.2-3.3mdv2007.0.x86_64.rpm eb0c2f9d95f04e3d9c8ea1282c41f5dc 2007.0/x86_64/lib64xine1-devel-1.1.2-3.3mdv2007.0.x86_64.rpm cd81757a9c25e480d10932cb4d40f6e0 2007.0/x86_64/xine-aa-1.1.2-3.3mdv2007.0.x86_64.rpm acbaf60373d75281d3c3c7da24d7a1de 2007.0/x86_64/xine-arts-1.1.2-3.3mdv2007.0.x86_64.rpm 38997b2bd174345dcec41682569868c1 2007.0/x86_64/xine-dxr3-1.1.2-3.3mdv2007.0.x86_64.rpm 2425cc89f26171fc32f889ccf0b5b96c 2007.0/x86_64/xine-esd-1.1.2-3.3mdv2007.0.x86_64.rpm 5ddcb92e47e6f35de1db5482edf98a9c 2007.0/x86_64/xine-flac-1.1.2-3.3mdv2007.0.x86_64.rpm c68e811900a94bd92d65832f64bcdb8a 2007.0/x86_64/xine-gnomevfs-1.1.2-3.3mdv2007.0.x86_64.rpm f6aa73615c7c9a7238838641afc6af6a 2007.0/x86_64/xine-image-1.1.2-3.3mdv2007.0.x86_64.rpm 4437aff317d159abbd1785fbe53368e7 2007.0/x86_64/xine-plugins-1.1.2-3.3mdv2007.0.x86_64.rpm 4f062b56c298e09b0ec364c18814917f 2007.0/x86_64/xine-sdl-1.1.2-3.3mdv2007.0.x86_64.rpm fa2a314dbde0ccedf85043e10d94f3d3 2007.0/x86_64/xine-smb-1.1.2-3.3mdv2007.0.x86_64.rpm 0bf2ceba6a15a079bf2890265b8f1a55 2007.0/SRPMS/xine-lib-1.1.2-3.3mdv2007.0.src.rpm Corporate 3.0: dffe302693d57f09ad55573f20400258 corporate/3.0/i586/libxine1-1-0.rc3.6.15.C30mdk.i586.rpm 76bb6cba723566a5a0a02043d5e02fe2 corporate/3.0/i586/libxine1-devel-1-0.rc3.6.15.C30mdk.i586.rpm 24645aa6d547c1077236248eb54645f0 corporate/3.0/i586/xine-aa-1-0.rc3.6.15.C30mdk.i586.rpm 246938c45fe9d795c96aa349bf8cd107 corporate/3.0/i586/xine-arts-1-0.rc3.6.15.C30mdk.i586.rpm 0af50984ecd9fd2979f3da178871ac1d corporate/3.0/i586/xine-dxr3-1-0.rc3.6.15.C30mdk.i586.rpm 80b08a823d7793fb677bbb121a07f9cb corporate/3.0/i586/xine-esd-1-0.rc3.6.15.C30mdk.i586.rpm 31c8ad519bfab253300f5d575ea22f5b corporate/3.0/i586/xine-flac-1-0.rc3.6.15.C30mdk.i586.rpm 38bcaf1e4bf6f673c0e39048e7701348 corporate/3.0/i586/xine-gnomevfs-1-0.rc3.6.15.C30mdk.i586.rpm 27627560d6c1c7e5aa2fd63bde435b37 corporate/3.0/i586/xine-plugins-1-0.rc3.6.15.C30mdk.i586.rpm 3f124f14f5fa8b1e7e3f3917afda3705 corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.15.C30mdk.src.rpm Corporate 3.0/X86_64: 0182ddc1159b46c24589b397412733e1 corporate/3.0/x86_64/lib64xine1-1-0.rc3.6.15.C30mdk.x86_64.rpm 01cb9805548452a161da99ad385ed474 corporate/3.0/x86_64/lib64xine1-devel-1-0.rc3.6.15.C30mdk.x86_64.rpm b121a2b09b0da74ad2553f94319c2771 corporate/3.0/x86_64/xine-aa-1-0.rc3.6.15.C30mdk.x86_64.rpm 91534b8494ab6ac1eec6c47261f6389b corporate/3.0/x86_64/xine-arts-1-0.rc3.6.15.C30mdk.x86_64.rpm 81d95f1a15722144e856384e4fe4a27b corporate/3.0/x86_64/xine-esd-1-0.rc3.6.15.C30mdk.x86_64.rpm f35de55cb2d1b241c60479728ab84ca0 corporate/3.0/x86_64/xine-flac-1-0.rc3.6.15.C30mdk.x86_64.rpm b83e2f8b1cbf0802077ee0f7bc1ac6ec corporate/3.0/x86_64/xine-gnomevfs-1-0.rc3.6.15.C30mdk.x86_64.rpm aa6982efb1978493f4d278e5d7ee8787 corporate/3.0/x86_64/xine-plugins-1-0.rc3.6.15.C30mdk.x86_64.rpm 3f124f14f5fa8b1e7e3f3917afda3705 corporate/3.0/SRPMS/xine-lib-1-0.rc3.6.15.C30mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFF7/rEmqjQ0CJFipgRAtZdAJ94tgd8KDteZ2S363e6T0kKNlNV/ACeMI5H JdD2wOBXCUVX7Vv3c2bdD1Y= =X6nW -----END PGP SIGNATURE-----