xine-lib 1.1.14-1ubuntu1 from intrepid contains lots of security and other important bugfixes, please backport
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Hardy Backports | Invalid | Wishlist | Unassigned | |
Baltix | New | Undecided | Unassigned | |
Bug Description
Please backport xine-lib 1.1.14-1ubuntu1 from intrepid; it contains lots of security and other very important bugfixes, fixed since hardy's xine-lib 1.1.11.1-1ubuntu3, and also some very important improvements, e.g. in DVB support.
This will solve several important bugs, like:
* [CVE-2008-1878] Inadequate bounds checking in the NES Sound Format (NSF) demuxer
* LP bug #93076 - important display bug with Motion JPEG videos (such videos are produced by most photo cameras)
I'm pasting important info from xine-lib 1.1.12, 1.1.13 and 1.1.14 Release Notes:
xine-lib 1.1.12
This release contains a security fix (unchecked array index, CVE-2008-1686). There are also a few bug fixes (including the 1.1.11.1 regressions, which broke Quicktime container handling), a new version of the pulseaudio output plugin, and open-source support for RealAudio “cook”.
For front-end package maintainers, there's a tool to help maintain MIME type lists, and for developers who need raw frame data, you can now get that with the “raw” video output plugin.
See http://
xine-lib 1.1.13
Maintenance & security-fix release.
* Security fixes:
- Buffer overflow in the NSF demuxer which may allow remote attackers to
cause a denial of service (crash) or possibly execute arbitrary code
via an NSF file with a long title or copyright message. (CVE-2008-1878)
- For extra safety against possible Integer overflows like the ones found
in CVE-2008-1482, backport more calloc usage from 1.2 branch.
* Added MIME types and .mpp for musepack.
* Fixed display of some MJPEG streams (YUVJ420P).
* Provide a useful implementation of xine_register_
* New version of the JACK output plugin.
See http://
xine-lib 1.1.14
Adds Xv port & type selection (this is backported from the 1.2 branch) and improved content type detection for HTTP streams. There are some DVB and V4L improvements, and a DVB audio bug, introduced in 1.1.13, is fixed.
See http://
-------
Ubuntu Changelog since 1.1.11-1ubuntu3 :
xine-lib (1.1.14-1ubuntu1) intrepid; urgency=low
* merge from debian unstable. Remaining changes:
- disable the jack plugin
in libxine1-bin to make dapper->hardy upgrades work (LP #203605)
- Modify Maintainer value to match the DebianMaintaine
specifica
* New upstream fixes:
- playback of MJPEG files LP: #93076
- CVE-2008-1878 LP: #235904
- CVE-2008-1686 LP: #218652
xine-lib (1.1.14-1) unstable; urgency=low
* New upstream release.
- All patches in 1.1.12-2 are present upstream.
- MIME types added. (Closes: #472869)
* Build-depend on libmagick9-dev | libmagick-dev | libmagickwand-dev.
* Build-depend on ghostscript | gs | gs-gpl.
-- Reinhard Tartler <email address hidden> Tue, 08 Jul 2008 22:35:48 +0200
xine-lib (1.1.12-2ubuntu1) intrepid; urgency=low
* Merge from debian unstable, remaining changes:
- disable the jack plugin
- add Replaces: libxine-main1 (<< 1.1.2+repacked1
in libxine1-bin to make dapper->hardy upgrades work (LP #203605)
- Modify Maintainer value to match the DebianMaintaine
-- Reinhard Tartler <email address hidden> Thu, 08 May 2008 13:49:26 +0200
xine-lib (1.1.12-2) unstable; urgency=high
* Fixes from upstream hg:
- CVE-2008-1878: Buffer overflow in the NSF demuxer which may allow
remote attackers to cause a denial of service (crash) or possibly
execute arbitrary code via an NSF file with a long title or copyright message.
(Our chosen option is to patch and disable this code.)
- Backport more calloc usage from the 1.2 branch for extra safety
against possible integer overflows such as found in CVE-2008-1482.
-- Darren Salt <email address hidden> Sun, 27 Apr 2008 14:20:41 +0100
xine-lib (1.1.12-1) unstable; urgency=high
* New upstream release.
- CVE-2008-1686: Insufficient boundary check in speex audio decoder.
- New tool "xine-list-1.1", which front-end maintainers will find useful
for updating .desktop files at install time and in conjunction with dpkg triggers.
-- Darren Salt <email address hidden> Mon, 14 Apr 2008 23:39:44 +0100
I've backported new libxine 1.1.14 packages from Ubuntu Intrepid to Ubuntu 8.04 "Hardy", you can download them from my PPA: https://launchpad.net/~mantas/+archive
xine-lib 1.1.14 from Intrepid depends on new ffmpeg packages, so, I've also backported ffmpeg with amr video codecs support :)
Should I file a separate bug on the ffmpeg backport, or will you do a source backport for xine-lib 1.1.14?