Steffen Joeris
2009-Mar-02 02:28 UTC
[Secure-testing-team] Bug#517792: CVE-2009-0698: integer overflow
Package: xine-lib
Severity: grave
Tags: security, patch
Justification: user security hole

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was published for xine-lib.

CVE-2009-0698[0]:
| Integer overflow in the 4xm demuxer (demuxers/demux_4xm.c) in xine-lib
| 1.1.16.1 allows remote attackers to cause a denial of service (crash)
| and possibly execute arbitrary code via a 4X movie file with a large
| current_track value, a similar issue to CVE-2009-0385.

The upstream bug is here[1].

I guess this should be fixed in stable as well, do you concur?

Also it would be nice to get a security round for oldstable-security, as there are quite a few open xine-lib issues. Do you concur?

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

Cheers
Steffen

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0698
    http://security-tracker.debian.net/tracker/CVE-2009-0698
[1] http://bugs.xine-project.org/show_bug.cgi?id=205
[2] http://security-tracker.debian.net/tracker/status/release/oldstable
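The bug class named in the CVE text above (a file-supplied track index used to size an array without a range check) is illustrated by the following added example. This is constructed editorial code, not xine-lib's demux_4xm.c and not the upstream patch; the names track_t, MAX_TRACKS, unchecked_track_array_size, safe_track_array_size and grow_tracks are all hypothetical. It shows how a 32-bit size computation wraps for a large current_track, and the bounds and overflow checks that a demuxer should apply before allocating.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-track record, standing in for a demuxer's track state. */
typedef struct {
    uint32_t sample_rate;
    uint32_t channels;
} track_t;

/* Constructed upper bound: no sane 4X movie declares more tracks than this. */
#define MAX_TRACKS 1024u

/* Vulnerable pattern: (current_track + 1) * sizeof(track_t) computed in
 * 32-bit unsigned arithmetic. For a large current_track the product wraps
 * to a small number, so the allocation is far smaller than the index that
 * will later be written into it. */
uint32_t unchecked_track_array_size(uint32_t current_track)
{
    uint32_t count = current_track + 1;               /* can wrap to 0 */
    return count * (uint32_t)sizeof(track_t);         /* can wrap to a tiny size */
}

/* Hardened form: returns the byte size for (current_track + 1) records, or 0
 * when the value is rejected (index out of range, or arithmetic would overflow). */
size_t safe_track_array_size(uint32_t current_track)
{
    if (current_track == UINT32_MAX)            /* current_track + 1 would wrap */
        return 0;
    uint32_t count = current_track + 1;
    if (count > MAX_TRACKS)                     /* file-controlled value: bound it */
        return 0;
    if (count > SIZE_MAX / sizeof(track_t))     /* multiply would overflow size_t */
        return 0;
    return (size_t)count * sizeof(track_t);
}

/* Grow *tracks so that index current_track is valid.
 * Returns 0 on success, -1 if the value is rejected or allocation fails;
 * on failure the caller's array and count are left untouched. */
int grow_tracks(track_t **tracks, uint32_t *track_count, uint32_t current_track)
{
    if (current_track < *track_count)
        return 0;                               /* already large enough */

    size_t bytes = safe_track_array_size(current_track);
    if (bytes == 0)
        return -1;

    track_t *p = realloc(*tracks, bytes);
    if (p == NULL)
        return -1;

    /* Zero the newly added records so later code never reads stale memory. */
    uint32_t old_count = *track_count;
    uint32_t new_count = current_track + 1;
    memset(p + old_count, 0, (size_t)(new_count - old_count) * sizeof(track_t));

    *tracks = p;
    *track_count = new_count;
    return 0;
}

int main(void)
{
    track_t *tracks = NULL;
    uint32_t count = 0;
    /* Constructed header values: one well-formed track index, one hostile one. */
    int ok = grow_tracks(&tracks, &count, 2);              /* accepted: 3 tracks */
    int rejected = grow_tracks(&tracks, &count, 0x20000000u); /* rejected, count stays 3 */
    free(tracks);
    return (ok == 0 && rejected == -1 && count == 3) ? 0 : 1;
}
```

The two checks in safe_track_array_size do different jobs: the MAX_TRACKS bound stops a file from forcing a huge but non-wrapping allocation (the denial-of-service half of the advisory), while the SIZE_MAX / sizeof check is the generic guard against the multiply wrapping, which is what turns a bad index into an undersized buffer and a heap write out of bounds.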