Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.

Bug 231734

Summary: CVE-2007-1246, CVE-2007-1387: xine-lib buffer overflows
Product: [Fedora] Fedora Reporter: Ville Skyttä <ville.skytta>
Component: xine-libAssignee: Aurelien Bompard <gauret>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 5CC: fedora-security-list, ville.skytta
Target Milestone: ---Keywords: Patch, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 1.1.7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-06-17 17:13:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Attachments:
Description Flags
Fix from upstream CVS none

Description Ville Skyttä 2007-03-10 22:29:35 UTC
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1246

Originally reported against MPlayer, but it turns out xine-lib is vulnerable
too.  Upstream fix pushed to FC6+ (1.1.4-3 currently building), but FC5 is still
at 1.1.2, probably already lacking "several bug and security fixes" as put by
upstream in the 1.1.3 release announcement.  No FC5 system here to test with, so
leaving up to Aurelien to decide whether to update while at it or just to
possibly apply the patch for this issue from FC6+ (if it applies, unchecked).

Comment 1 Ville Skyttä 2007-03-10 22:29:35 UTC
Created attachment 149781 [details]
Fix from upstream CVS

Comment 2 Ville Skyttä 2007-03-14 14:35:12 UTC
Patch in comment 1 fixes CVE-2007-1387 too.