xine-lib 1.1.14-1ubuntu1 from intrepid contains lots of security and other important bugfixes, please backport

Bug #247852 reported by Mantas Kriaučiūnas
Affects            Status    Importance  Assigned to  Milestone
Hardy Backports    Invalid   Wishlist    Unassigned
Baltix             New       Undecided   Unassigned

Bug Description

Please backport xine-lib 1.1.14-1ubuntu1 from intrepid; it contains lots of security and other very important bugfixes, fixed since hardy's xine-lib 1.1.11.1-1ubuntu3, and also some very important improvements, e.g. in DVB support.

This will solve several important bugs, like:
* [CVE-2008-1878] Inadequate bounds checking in the NES Sound Format (NSF) demuxer
* LP bug #93076 - important display bug with Motion JPEG videos (such videos are produced by most photo cameras)

I'm pasting important info from xine-lib 1.1.12, 1.1.13 and 1.1.14 Release Notes:

xine-lib 1.1.12
This release contains a security fix (unchecked array index, CVE-2008-1686). There are also a few bug fixes (including the 1.1.11.1 regressions, which broke Quicktime container handling), a new version of the pulseaudio output plugin, and open-source support for RealAudio “cook”.
For front-end package maintainers, there's a tool to help maintain MIME type lists, and for developers who need raw frame data, you can now get that with the “raw” video output plugin.
See http://sourceforge.net/project/shownotes.php?release_id=592185&group_id=9655 for the full release notes.

xine-lib 1.1.13
Maintenance & security-fix release.
* Security fixes:
  - Buffer overflow in the NSF demuxer which may allow remote attackers to
    cause a denial of service (crash) or possibly execute arbitrary code
    via an NSF file with a long title or copyright message. (CVE-2008-1878)
  - For extra safety against possible Integer overflows like the ones found
    in CVE-2008-1482, backport more calloc usage from 1.2 branch.
* Added MIME types and .mpp for musepack.
* Fixed display of some MJPEG streams (YUVJ420P).
* Provide a useful implementation of xine_register_log_cb().
* New version of the JACK output plugin.
See http://sourceforge.net/project/shownotes.php?release_id=606977&group_id=9655 for the full release notes.

xine-lib 1.1.14
Adds Xv port & type selection (this is backported from the 1.2 branch) and improved content type detection for HTTP streams. There are some DVB and V4L improvements, and a DVB audio bug, introduced in 1.1.13, is fixed.
See http://sourceforge.net/project/shownotes.php?release_id=610192&group_id=9655 for the full release notes.

-------

Ubuntu changelog since 1.1.11-1ubuntu3:

xine-lib (1.1.14-1ubuntu1) intrepid; urgency=low
  * merge from debian unstable. Remaining changes:
    - disable the jack plugin
      in libxine1-bin to make dapper->hardy upgrades work (LP #203605)
    - Modify Maintainer value to match the DebianMaintainerField
      specification.
  * New upstream fixes:
    - playback of MJPEG files LP: #93076
    - CVE-2008-1878 LP: #235904
    - CVE-2008-1686 LP: #218652
xine-lib (1.1.14-1) unstable; urgency=low
  * New upstream release.
    - All patches in 1.1.12-2 are present upstream.
    - MIME types added. (Closes: #472869)
  * Build-depend on libmagick9-dev | libmagick-dev | libmagickwand-dev.
  * Build-depend on ghostscript | gs | gs-gpl.
 -- Reinhard Tartler <email address hidden> Tue, 08 Jul 2008 22:35:48 +0200

xine-lib (1.1.12-2ubuntu1) intrepid; urgency=low
  * Merge from debian unstable, remaining changes:
    - disable the jack plugin
    - add Replaces: libxine-main1 (<< 1.1.2+repacked1-0ubuntu1)
      in libxine1-bin to make dapper->hardy upgrades work (LP #203605)
    - Modify Maintainer value to match the DebianMaintainerField specification.
 -- Reinhard Tartler <email address hidden> Thu, 08 May 2008 13:49:26 +0200

xine-lib (1.1.12-2) unstable; urgency=high
  * Fixes from upstream hg:
    - CVE-2008-1878: Buffer overflow in the NSF demuxer which may allow
      remote attackers to cause a denial of service (crash) or possibly
      execute arbitrary code via an NSF file with a long title or copyright message.
      (Our chosen option is to patch and disable this code.)
    - Backport more calloc usage from the 1.2 branch for extra safety
      against possible integer overflows such as found in CVE-2008-1482.
 -- Darren Salt <email address hidden> Sun, 27 Apr 2008 14:20:41 +0100

xine-lib (1.1.12-1) unstable; urgency=high
  * New upstream release.
    - CVE-2008-1686: Insufficient boundary check in speex audio decoder.
    - New tool "xine-list-1.1", which front-end maintainers will find useful
      for updating .desktop files at install time and in conjunction with dpkg triggers.
 -- Darren Salt <email address hidden> Mon, 14 Apr 2008 23:39:44 +0100
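As an added illustration of the two defensive patterns the changelog above names (a bounded copy of fixed-size header text fields, and overflow-checked allocation via calloc), here is example code that is not from xine-lib or from this report; the header layout, field sizes and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical demuxer header layout (an assumption, not xine's NSF code):
   two fixed 32-byte text fields, title then copyright, which the file is
   NOT required to NUL-terminate. */
#define FIELD_LEN 32
#define HEADER_LEN (2 * FIELD_LEN)

typedef struct {
    char title[FIELD_LEN + 1];      /* +1 so the copy can always be terminated */
    char copyright[FIELD_LEN + 1];
} meta_t;

/* Copy exactly FIELD_LEN bytes and terminate the result: a long or
   unterminated field in the file can never write past the struct. */
static void copy_field(char *dst, const uint8_t *src) {
    memcpy(dst, src, FIELD_LEN);
    dst[FIELD_LEN] = '\0';
}

/* Returns 0 on success, -1 if the input cannot hold a whole header. */
int parse_meta(const uint8_t *buf, size_t len, meta_t *out) {
    if (buf == NULL || out == NULL || len < HEADER_LEN) return -1;
    copy_field(out->title, buf);
    copy_field(out->copyright, buf + FIELD_LEN);
    return 0;
}

/* Returns 1 when nmemb * size would wrap in size_t. malloc(nmemb * size)
   silently allocates the wrapped, too-small amount; calloc(nmemb, size)
   performs this check itself, which is why "more calloc usage" is safer. */
int mul_overflows(size_t nmemb, size_t size) {
    return nmemb != 0 && size > SIZE_MAX / nmemb;
}

void *alloc_table(size_t nmemb, size_t size) {
    return calloc(nmemb, size);     /* NULL instead of an undersized block */
}

/* Constructed sample: 32 bytes of 'A' then 32 of 'B', no NUL anywhere.
   Returns 1 if both fields came out as bounded, terminated strings. */
int demo_parse(void) {
    uint8_t buf[HEADER_LEN];
    meta_t m;
    memset(buf, 'A', FIELD_LEN);
    memset(buf + FIELD_LEN, 'B', FIELD_LEN);
    if (parse_meta(buf, sizeof buf, &m) != 0) return 0;
    return strlen(m.title) == FIELD_LEN && strlen(m.copyright) == FIELD_LEN
        && m.title[0] == 'A' && m.copyright[0] == 'B';
}
```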

Mantas Kriaučiūnas (mantas) wrote :

I've backported new libxine 1.1.14 packages from Ubuntu Intrepid to Ubuntu 8.04 "Hardy"; you can download them from my PPA:
https://launchpad.net/~mantas/+archive

xine-lib 1.1.14 from Intrepid depends on new ffmpeg packages, so I've also backported ffmpeg with amr video codecs support :)

Should I file a separate bug on the ffmpeg backport, or will you do a source backport for xine-lib 1.1.14?

Michael Casadevall (mcasadevall) wrote :

Looking at the bugs, and considering this is an upstream microrelease, this may be suitable for SRU vs. backporting. Please file a bug against libxine, and subscribe the SRU team. If SRU rejects it, please reopen this bug, and we'll consider backporting it.

Marking Invalid

Changed in hardy-backports:
importance: Undecided → Wishlist
status: New → Invalid