-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1277-1                security@debian.org
http://www.debian.org/security/                         Noah Meyerhans
April 04, 2007
- ------------------------------------------------------------------------

Package        : xmms
Vulnerability  : several
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2007-0654 CVE-2007-0653
BugTraq ID     : 23078
Debian Bug     : 416423

Multiple errors have been found in the skin handling routines in xmms,
the X Multimedia System.  These vulnerabilities could allow an
attacker to run arbitrary code as the user running xmms by inducing
the victim to load specially crafted interface skin files.

For the stable distribution (sarge), these problems have been fixed in
version 1.2.10+cvs20050209-2sarge1

For the upcoming stable distrubution (etch) and the unstable
distribution (sid), these problems have been fixed in versions
1:1.2.10+20061101-1etch1 and 1:1.2.10+20070401-1, respectively.

We recommend that you upgrade your xmms packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (stable)
- -------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1.diff.gz
    Size/MD5 checksum:   333600 8d25c5173ec7d94d0db9f92b418610ce
  http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209.orig.tar.gz
    Size/MD5 checksum:  2796215 ec03ce185b2fd255d58ef5d2267024eb
  http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1.dsc
    Size/MD5 checksum:     1065 d03e55ebe9c6a5ba2337d5f3542bc883

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_alpha.deb
    Size/MD5 checksum:  2700990 aa024afc093e8f415b19d783e39b81c0
  http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_alpha.deb
    Size/MD5 checksum:    48766 5fd631196c28fd44df02ecf25ab9c676

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_amd64.deb
    Size/MD5 checksum:  2434966 5c10a5a20aa5329b1c120cef213ef164
  http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_amd64.deb
    Size/MD5 checksum:    37810 06a82b2325505c9e30e4b7d9c6a17ffe

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_arm.deb
    Size/MD5 checksum:  2396722 fcead4025c4743996a4c307a003377df
  http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_arm.deb
    Size/MD5 checksum:    35376 e4f630de7290d4141964cc6ae8758ac4

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_hppa.deb
    Size/MD5 checksum:  2585550 c73dd34f37131785adcf699e65b55ac3
  http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_hppa.deb
    Size/MD5 checksum:    40834 90fe696e1dee1d694cd8148ac83a6b88

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_i386.deb
    Size/MD5 checksum:    33842 52fef7c2ef6a73f329d18b4df43ee6e5
  http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_i386.deb
    Size/MD5 checksum:  2395578 c0a4c275b67ce3bc166128cd4c1fa747

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_ia64.deb
    Size/MD5 checksum:  2717624 e7d9b41eda0f4b32c3bba2c2dff15fc1
  http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_ia64.deb
    Size/MD5 checksum:    48220 28fef757212bef0da7ed46bec7e76740

m68k architecture (Motorola Mc680x0)

  http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_m68k.deb
    Size/MD5 checksum:  2315470 1a93ec2577d2a79b9b645003e1d22a03
  http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_m68k.deb
    Size/MD5 checksum:    31624 30bd86c18e943f3a93a983a63c2c1fb7

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_mips.deb
    Size/MD5 checksum:  2412762 e340f997cfbbe0ef8ef50f78b5ec5d71
  http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_mips.deb
    Size/MD5 checksum:    40580 698dfcf5c909de3a955f6337fb23e425

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_mipsel.deb
    Size/MD5 checksum:  2391432 b2ef3697588a72e735f5caa02593d1b7
  http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_mipsel.deb
    Size/MD5 checksum:    40516 10443e075a1f4840d4de22f2dcfc355b

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_powerpc.deb
    Size/MD5 checksum:    36946 057d90024cae6e6a0fdfa2d0de666134
  http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_powerpc.deb
    Size/MD5 checksum:  2487280 e0571a0993112c79d6751509e548193d

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_s390.deb
    Size/MD5 checksum:  2430886 2cc8a1371309b973c1f963a93fc58a80
  http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_s390.deb
    Size/MD5 checksum:    37424 3e6eb798d0a7a6137fbb1ad1a961da75

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/x/xmms/xmms-dev_1.2.10+cvs20050209-2sarge1_sparc.deb
    Size/MD5 checksum:    34526 2e7e99b117f6c9ab83d9a8c0afc12f79
  http://security.debian.org/pool/updates/main/x/xmms/xmms_1.2.10+cvs20050209-2sarge1_sparc.deb
    Size/MD5 checksum:  2422962 9d5a5484287a3773e8f7a8f5bac4d29a


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGFCB0YrVLjBFATsMRAlUnAJ982xgAnPh05aTYs5FoAqCdRJeazQCffIP2
PXuuTTivH7wU3YxZ+xJzXY0=
=ttw5
-----END PGP SIGNATURE-----