PublicDate: 2008-03-24 22:44:00 UTC
Candidate: CVE-2008-1482
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1482
 https://ubuntu.com/security/notices/USN-635-1
Description:
 Multiple integer overflows in xine-lib 1.1.11 and earlier allow remote
 attackers to trigger heap-based buffer overflows and possibly execute
 arbitrary code via (1) a crafted .FLV file, which triggers an overflow in
 demuxers/demux_flv.c; (2) a crafted .MOV file, which triggers an overflow
 in demuxers/demux_qt.c; (3) a crafted .RM file, which triggers an overflow
 in demuxers/demux_real.c; (4) a crafted .MVE file, which triggers an
 overflow in demuxers/demux_wc3movie.c; (5) a crafted .MKV file, which
 triggers an overflow in demuxers/ebml.c; or (6) a crafted .CAK file, which
 triggers an overflow in demuxers/demux_film.c.
Ubuntu-Description:
Notes:
 jdstrand> FLV on dapper not affected as vulnerable code not present
Bugs:
 https://bugs.launchpad.net/ubuntu/+source/xine-lib/+bug/195700
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=472639
Priority: medium
Discovered-by: Luigi Auriemma
Assigned-to: jdstrand
CVSS: 

Patches_xine-lib:
 vendor: http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:046
 vendor: http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:046-1
 vendor: http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=a3f2772fd14b57e0557ef45797ff04c768657a7e;style=gitweb
upstream_xine-lib: released (1.1.11.1-1)
dapper_xine-lib: released (1.1.1+ubuntu2-7.9)
edgy_xine-lib: needed (reached end-of-life)
feisty_xine-lib: released (1.1.4-2ubuntu3.1)
gutsy_xine-lib: released (1.1.7-1ubuntu1.3)
hardy_xine-lib: not-affected (1.1.11.1-1ubuntu3)
devel_xine-lib: not-affected (1.1.11.1-1ubuntu3)