xine-lib 1.1.14-1ubuntu1 from intrepid contains lots of security and other important bugfixes, please backport

Bug #247852 reported by Mantas Kriaučiūnas on 2008-07-12
Affects / Status / Importance / Assigned to / Milestone
Hardy Backports - Importance: Wishlist - Assigned to: Unassigned
Baltix - Importance: Undecided - Assigned to: Unassigned

Bug Description

Please backport xine-lib 1.1.14-1ubuntu1 from intrepid; it contains lots of security and other very important bugfixes, fixed since hardy's xine-lib 1.1.11.1-1ubuntu3, and also some very important improvements, e.g. in DVB support.

This will solve several important bugs, like:
* [CVE-2008-1878] Inadequate bounds checking in the NES Sound Format (NSF) demuxer
* LP bug #93076 - important display bug with Motion JPEG videos (such videos are produced by most photo cameras)

I'm pasting important info from xine-lib 1.1.12, 1.1.13 and 1.1.14 Release Notes:

xine-lib 1.1.12
This release contains a security fix (unchecked array index, CVE-2008-1686). There are also a few bug fixes (including the 1.1.11.1 regressions, which broke Quicktime container handling), a new version of the pulseaudio output plugin, and open-source support for RealAudio “cook”.
For front-end package maintainers, there's a tool to help maintain MIME type lists, and for developers who need raw frame data, you can now get that with the “raw” video output plugin.
See http://sourceforge.net/project/shownotes.php?release_id=592185&group_id=9655 for full release notes

xine-lib 1.1.13
Maintenance & security-fix release.
* Security fixes:
  - Buffer overflow in the NSF demuxer which may allow remote attackers to
    cause a denial of service (crash) or possibly execute arbitrary code
    via an NSF file with a long title or copyright message. (CVE-2008-1878)
  - For extra safety against possible integer overflows like the ones found
    in CVE-2008-1482, backport more calloc usage from the 1.2 branch.
* Added MIME types and .mpp for musepack.
* Fixed display of some MJPEG streams (YUVJ420P).
* Provide a useful implementation of xine_register_log_cb().
* New version of the JACK output plugin.
See http://sourceforge.net/project/shownotes.php?release_id=606977&group_id=9655 for full release notes

xine-lib 1.1.14
Adds Xv port & type selection (this is backported from the 1.2 branch) and improved content type detection for HTTP streams. There are some DVB and V4L improvements, and a DVB audio bug, introduced in 1.1.13, is fixed.
See http://sourceforge.net/project/shownotes.php?release_id=610192&group_id=9655 for full release notes

-------

Ubuntu Changelog since 1.1.11-1ubuntu3:

xine-lib (1.1.14-1ubuntu1) intrepid; urgency=low
  * merge from debian unstable. Remaining changes:
    - disable the jack plugin
      in libxine1-bin to make dapper->hardy upgrades work (LP #203605)
    - Modify Maintainer value to match the DebianMaintainerField
      specification.
  * New upstream fixes:
    - playback of MJPEG files LP: #93076
    - CVE-2008-1878 LP: #235904
    - CVE-2008-1686 LP: #218652
xine-lib (1.1.14-1) unstable; urgency=low
  * New upstream release.
    - All patches in 1.1.12-2 are present upstream.
    - MIME types added. (Closes: #472869)
  * Build-depend on libmagick9-dev | libmagick-dev | libmagickwand-dev.
  * Build-depend on ghostscript | gs | gs-gpl.
 -- Reinhard Tartler <email address hidden> Tue, 08 Jul 2008 22:35:48 +0200

xine-lib (1.1.12-2ubuntu1) intrepid; urgency=low
  * Merge from debian unstable, remaining changes:
    - disable the jack plugin
    - add Replaces: libxine-main1 (<< 1.1.2+repacked1-0ubuntu1)
      in libxine1-bin to make dapper->hardy upgrades work (LP #203605)
    - Modify Maintainer value to match the DebianMaintainerField specification.
 -- Reinhard Tartler <email address hidden> Thu, 08 May 2008 13:49:26 +0200

xine-lib (1.1.12-2) unstable; urgency=high
  * Fixes from upstream hg:
    - CVE-2008-1878: Buffer overflow in the NSF demuxer which may allow
      remote attackers to cause a denial of service (crash) or possibly
      execute arbitrary code via an NSF file with a long title or copyright message.
      (Our chosen option is to patch and disable this code.)
    - Backport more calloc usage from the 1.2 branch for extra safety
      against possible integer overflows such as found in CVE-2008-1482.
 -- Darren Salt <email address hidden> Sun, 27 Apr 2008 14:20:41 +0100

xine-lib (1.1.12-1) unstable; urgency=high
  * New upstream release.
    - CVE-2008-1686: Insufficient boundary check in speex audio decoder.
    - New tool "xine-list-1.1", which front-end maintainers will find useful
      for updating .desktop files at install time and in conjunction with dpkg triggers.
 -- Darren Salt <email address hidden> Mon, 14 Apr 2008 23:39:44 +0100
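
The calloc backport mentioned in the 1.1.13 release notes and the 1.1.12-2 changelog above guards the count * element-size multiplication that an untrusted container header can drive to wrap. The following is an added example, not xine's code, showing the wrapping product next to an overflow-checked allocator; the count and element sizes are constructed, and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Unchecked pattern: an element count read from a container header is
 * multiplied by the element size. size_t arithmetic wraps silently, so a
 * hostile count can yield a tiny buffer that later element writes overrun. */
size_t naive_table_bytes(size_t count, size_t elem_size)
{
    return count * elem_size;             /* may wrap to a small value */
}

/* Checked version of the same product: returns the byte count, or 0 when
 * count * elem_size does not fit in size_t (or is genuinely zero). This is
 * the check calloc performs on its two arguments before allocating. */
size_t checked_table_bytes(size_t count, size_t elem_size)
{
    if (count == 0 || elem_size == 0)
        return 0;
    if (count > SIZE_MAX / elem_size)
        return 0;                         /* product would overflow */
    return count * elem_size;
}

/* Allocate a table of `count` elements. Returns NULL for an overflowing or
 * empty request instead of handing back an undersized buffer. calloc also
 * zero-fills, so uninitialised fields never leak stale heap contents. */
void *alloc_table(size_t count, size_t elem_size)
{
    if (checked_table_bytes(count, elem_size) == 0)
        return NULL;
    return calloc(count, elem_size);
}

/* Convenience wrapper: 1 if the allocation is accepted and succeeds,
 * 0 if it is rejected by the size check or memory is exhausted. */
int table_alloc_ok(size_t count, size_t elem_size)
{
    void *t = alloc_table(count, elem_size);
    if (t == NULL)
        return 0;
    free(t);
    return 1;
}
```

With the constructed count SIZE_MAX / 2 + 1 and a 2-byte element, naive_table_bytes wraps to 0 while checked_table_bytes and alloc_table reject the request.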

Mantas Kriaučiūnas (mantas) wrote:

I've backported new libxine 1.1.14 packages from Ubuntu Intrepid to Ubuntu 8.04 "Hardy"; you can download them from my PPA:
https://launchpad.net/~mantas/+archive

xine-lib 1.1.14 from Intrepid depends on new ffmpeg packages, so I've also backported ffmpeg with amr video codec support :)

Should I file a separate bug for the ffmpeg backport, or will you do a source backport for xine-lib 1.1.14?

Looking at the bugs, and considering this is an upstream microrelease, this may be suitable for SRU vs. backporting. Please file a bug against libxine, and subscribe the SRU team. If SRU rejects it, please reopen this bug, and we'll consider backporting it.

Marking Invalid

Changed in hardy-backports:
importance: Undecided → Wishlist
status: New → Invalid