Format string vulnerabilities in xine-ui may lead to the execution of
arbitrary code.
Background
==========
xine-ui is a skin-based user interface for xine. xine is a free
multimedia player. It plays CDs, DVDs, and VCDs, and can also decode
other common multimedia formats.
Ludwig Nussel discovered that xine-ui incorrectly implements formatted
printing.
Impact
======
By constructing a malicious playlist file, a remote attacker could
exploit these vulnerabilities to execute arbitrary code with the rights
of the user running the application.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All xine-ui users should upgrade to the latest version:
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security (at) gentoo (dot) org [email concealed] or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
Gentoo Linux Security Advisory GLSA 200604-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: xine-ui: Format string vulnerabilities
Date: April 26, 2006
Bugs: #130801
ID: 200604-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Format string vulnerabilities in xine-ui may lead to the execution of
arbitrary code.
Background
==========
xine-ui is a skin-based user interface for xine. xine is a free
multimedia player. It plays CDs, DVDs, and VCDs, and can also decode
other common multimedia formats.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 media-video/xine-ui < 0.99.4-r5 >= 0.99.4-r5
Description
===========
Ludwig Nussel discovered that xine-ui incorrectly implements formatted
printing.
Impact
======
By constructing a malicious playlist file, a remote attacker could
exploit these vulnerabilities to execute arbitrary code with the rights
of the user running the application.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All xine-ui users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/xine-ui-0.99.4-r5"
References
==========
[ 1 ] CVE-2006-1905
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1905
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200604-15.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security (at) gentoo (dot) org [email concealed] or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQBET6bIzKC5hMHO6rkRAmI3AJ4sUHvvHrrINxZkeyVoq75cm6/yZQCfeltU
NHt2JyiQuOjPB8oPZd/Qd+Q=
=vTc8
-----END PGP SIGNATURE-----
[ reply ]