[Secure-testing-team] Bug#517792: CVE-2009-0698: integer overflow

Steffen Joeris steffen.joeris at skolelinux.de
Mon Mar 2 02:28:14 UTC 2009


Package: xine-lib
Severity: grave
Tags: security, patch
Justification: user security hole

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for xine-lib.

CVE-2009-0698[0]:
| Integer overflow in the 4xm demuxer (demuxers/demux_4xm.c) in xine-lib
| 1.1.16.1 allows remote attackers to cause a denial of service (crash)
| and possibly execute arbitrary code via a 4X movie file with a large
| current_track value, a similar issue to CVE-2009-0385.

The upstream bug is here[1]. I guess this should be fixed in stable as
well, do you concur? Also it would be nice to get a security round for
oldstable-security, as there are quite a few open xine-lib issues.
Do you concur?

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0698
    http://security-tracker.debian.net/tracker/CVE-2009-0698
[1] http://bugs.xine-project.org/show_bug.cgi?id=205
[2] http://security-tracker.debian.net/tracker/status/release/oldstable
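Added example, not code from xine-lib or the upstream fix: a constructed C illustration of the bug class the CVE text describes (a track index read from the file, `current_track + 1` used to size a table, then the index used to write into it), with the unchecked computation beside a hardened version. The struct layout, `rl32`, `MAX_TRACKS` and the header bytes are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKS 64u   /* assumed sane cap on audio tracks (constructed value) */
typedef struct { uint32_t sample_rate; uint32_t channels; } AudioTrack;
typedef struct { AudioTrack *tracks; uint32_t track_count; } Demuxer;

/* Little-endian 32-bit read, the way a demuxer pulls current_track out of
 * an untrusted file header. */
static uint32_t rl32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The unchecked arithmetic behind this bug class: track_count = current_track + 1
 * wraps to 0 for 0xFFFFFFFF, so a table sized from it is far too small for the
 * later tracks[current_track] write. Computation only, nothing is written. */
uint32_t unchecked_track_count(uint32_t current_track)
{
    return current_track + 1;
}

/* Hardened form: bound the index before any arithmetic, so neither the wrap
 * nor an oversized allocation is reachable; grow the table and zero new slots. */
int grow_tracks_checked(Demuxer *d, uint32_t current_track)
{
    if (current_track >= MAX_TRACKS)        /* also rejects 0xFFFFFFFF */
        return -1;
    uint32_t needed = current_track + 1;    /* cannot wrap: needed <= MAX_TRACKS */
    if (needed > d->track_count) {
        AudioTrack *p = realloc(d->tracks, (size_t)needed * sizeof *p);
        if (!p) return -1;
        memset(p + d->track_count, 0, (size_t)(needed - d->track_count) * sizeof *p);
        d->tracks = p;
        d->track_count = needed;
    }
    d->tracks[current_track].channels = 2;  /* in bounds: current_track < track_count */
    return 0;
}

/* Parse a constructed 4-byte header field and return the resulting track_count,
 * or -1 if the hardened check rejected the value. */
long track_count_from_header(const uint8_t hdr[4])
{
    Demuxer d = { NULL, 0 };
    long r = grow_tracks_checked(&d, rl32(hdr)) == 0 ? (long)d.track_count : -1;
    free(d.tracks);
    return r;
}
```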
