[<prev] [next>] [<thread-prev] [month] [year] [list]
Date: Wed, 3 Dec 2008 20:36:13 +0100
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com
Cc: redpig@...rt.org, coley@...re.org
Subject: Re: xine-lib and ocert-2008-008
Hi,
* Steven M. Christey <coley@...us.mitre.org> [2008-11-26 09:27]:
[...]
> Name: CVE-2008-5244
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5244
> Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=619869
> Reference: SECTRACK:1020703
> Reference: URL:http://securitytracker.com/id?1020703
>
> Unspecified vulnerability in xine-lib before 1.1.15 has unknown impact
> and attack vectors related to libfaad. NOTE: due to the lack of
> details, it is not clear whether this is an issue in xine-lib or in
> libfaad.
Checked back with upstream, this is:
http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=18c0264660b9;style=gitweb
So no xine issue, but a libfaad one.
Referring to upstream this is a fix for
http://caca.zoy.org/attachment/wiki/zzuf/bugs/lol-vlc.aac
which originally was CVE-2008-4610. I have no idea nor the
time to check the whole patch for the fix for that but I can
confirm that it is fixed in 2.6.1, no crash here.
I contacted upstream to get more information.
Steve, could you update this CVE id?
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Powered by Openwall GNU/*/Linux -
Powered by OpenVZ