Home > Security > Advisories

Advisories

Mandriva Advisories

Package name xine-ui
Date January 26th, 2007
Advisory ID MDKSA-2007:027
Affected versions CS3.0, 2007.0
Synopsis Updated xine-ui packages fix vulnerabilities

Problem Description

Format string vulnerability in the errors_create_window function in
errors.c in xine-ui allows attackers to execute arbitrary code via
unknown vectors. (CVE-2007-0254)

XINE 0.99.4 allows user-assisted remote attackers to cause a denial of
service (application crash) and possibly execute arbitrary code via a
certain M3U file that contains a long #EXTINF line and contains format
string specifiers in an invalid udp:// URI, possibly a variant of
CVE-2007-0017. (CVE-2007-0255)

The updated packages have been patched to correct these issues.

Updated Packages

Corporate Server 3.0

 47b308a588d752dd44a813a05a5aa20a  corporate/3.0/i586/xine-ui-0.9.23-3.4.C30mdk.i586.rpm
 41a13fc734f6d97f9b9c49763247df45  corporate/3.0/i586/xine-ui-aa-0.9.23-3.4.C30mdk.i586.rpm
 488ece09c2e10ffe0403ccb38f259f61  corporate/3.0/i586/xine-ui-fb-0.9.23-3.4.C30mdk.i586.rpm 
 c37c03e48156837ed8081f53f79006d8  corporate/3.0/SRPMS/xine-ui-0.9.23-3.4.C30mdk.src.rpm

Corporate Server 3.0/X86_64

 eec4092fa0e0ca22af09e1e6f291f6e0  corporate/3.0/x86_64/xine-ui-0.9.23-3.4.C30mdk.x86_64.rpm
 6763e423a13d3a9dffadf6c642085003  corporate/3.0/x86_64/xine-ui-aa-0.9.23-3.4.C30mdk.x86_64.rpm
 57863e4da81d1e698e23d6b0889b33cb  corporate/3.0/x86_64/xine-ui-fb-0.9.23-3.4.C30mdk.x86_64.rpm 
 c37c03e48156837ed8081f53f79006d8  corporate/3.0/SRPMS/xine-ui-0.9.23-3.4.C30mdk.src.rpm

Mandriva Linux 2007

 5a00fa676e755f473ed3894fdbed6fae  2007.0/i586/xine-ui-0.99.4-7.1mdv2007.0.i586.rpm
 22ee97e6cab9a53cfbb623911acbff08  2007.0/i586/xine-ui-aa-0.99.4-7.1mdv2007.0.i586.rpm
 323d3e53cff4659c12fa4c9c64b8cf80  2007.0/i586/xine-ui-fb-0.99.4-7.1mdv2007.0.i586.rpm 
 3df57e9d2ba0e239fb0efaac6aae80b9  2007.0/SRPMS/xine-ui-0.99.4-7.1mdv2007.0.src.rpm

Mandriva Linux 2007/X86_64

 6936d70577dac7200be466ddc5776ad8  2007.0/x86_64/xine-ui-0.99.4-7.1mdv2007.0.x86_64.rpm
 47692d8f90bb60344b780a93b1465784  2007.0/x86_64/xine-ui-aa-0.99.4-7.1mdv2007.0.x86_64.rpm
 afb78af3b93eb9ae77f5d26fa78a480e  2007.0/x86_64/xine-ui-fb-0.99.4-7.1mdv2007.0.x86_64.rpm 
 3df57e9d2ba0e239fb0efaac6aae80b9  2007.0/SRPMS/xine-ui-0.99.4-7.1mdv2007.0.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0254
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0255

Upgrade

To upgrade automatically, use MandrivaUpdate.


Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

                rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.