PublicDate: 2008-02-05 12:00:00 UTC
Candidate: CVE-2008-0486
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0486
 https://ubuntu.com/security/notices/USN-635-1
Description:
 Array index vulnerability in libmpdemux/demux_audio.c in MPlayer 1.0rc2 and
 SVN before r25917, and possibly earlier versions, as used in Xine-lib
 1.1.10, might allow remote attackers to execute arbitrary code via a
 crafted FLAC tag, which triggers a buffer overflow.
Ubuntu-Description:
Notes:
 jdstrand> according to http://xinehq.de/index.php/security, 1.1.1 and older
   are not affected
Bugs:
 https://bugs.launchpad.net/ubuntu/+source/mplayer/+bug/191488
 https://bugs.launchpad.net/ubuntu/+source/xine-lib/+bug/195700
 https://bugs.launchpad.net/ubuntu/+source/xine-lib/+bug/210163
Priority: medium
Discovered-by: Damian Frizza and Alfredo Ortega
Assigned-to: jdstrand
CVSS: 

Patches_xine-lib:
 vendor: http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:046
 vendor: http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:046-1
upstream_xine-lib: released (1.1.10.1-1)
dapper_xine-lib: not-affected (1.1.1+ubuntu2-7.7)
edgy_xine-lib: needed (reached end-of-life)
feisty_xine-lib: released (1.1.4-2ubuntu3.1)
gutsy_xine-lib: released (1.1.7-1ubuntu1.3)
hardy_xine-lib: not-affected (1.1.11.1-1ubuntu3)
devel_xine-lib: not-affected (1.1.11.1-1ubuntu3)

Patches_mplayer:
 other: https://bugs.launchpad.net/ubuntu/+source/mplayer/+bug/191488
 vendor: http://www.debian.org/security/2008/dsa-1496
upstream_mplayer: needed
dapper_mplayer: not-affected
edgy_mplayer: released (2:0.99+1.0pre8-0ubuntu8.2)
feisty_mplayer: released (2:1.0~rc1-0ubuntu9.3)
gutsy_mplayer: released (2:1.0~rc1-0ubuntu13.2)
hardy_mplayer: released (2:1.0~rc2-0ubuntu9)
devel_mplayer: released (2:1.0~rc2-0ubuntu9)