security problem within CDDB communication

Bug #24302 reported by Debian Bug Importer
Affects            Status        Importance  Assigned to  Milestone
xine-lib (Debian)  Fix Released  Unknown
xine-lib (Ubuntu)  Invalid       High        Unassigned

Bug Description

Automatically imported from Debian bug report #333682 http://bugs.debian.org/333682

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 13 Oct 2005 10:52:28 +0200
From: Michal Čihař <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: security problem within CDDB communication

Package: libxine1
Version: 1.0.1-1.3
Severity: grave
Tags: security patch

Hi

The xine announcement [1] is four days old; it says the issue has been found by
the Debian Security Audit Project, so I'd expect that Debian will have it
fixed also :-).

A patch is available in xine CVS [2].

Sorry if you're already working on this issue and I'm interrupting your
work, but I wanted to make sure you know about this.

1. http://xinehq.de/index.php/security/XSA-2005-1
2. http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/input_cdda.c?r1=1.77&r2=1.78&diff_format=u

--
    Michal Čihař | http://cihar.com

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.12
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libxine1 depends on:
ii libasound2 1.0.9-3 ALSA library
ii libc6 2.3.5-6 GNU C Library: Shared libraries an
ii libfreetype6 2.1.10-1 FreeType 2 font engine, shared lib
ii libglu1-xorg [libglu1] 6.8.2.dfsg.1-8 Mesa OpenGL utility library [X.Org
ii libmodplug0c2 1:0.7-5 shared libraries for mod music bas
ii libogg0 1.1.2-1 Ogg Bitstream Library
ii libpng12-0 1.2.8rel-5 PNG library - runtime
ii libspeex1 1.1.6-2 The Speex Speech Codec
ii libtheora0 0.0.0.alpha4-1.1 The Theora Video Compression Codec
ii libvorbis0a 1.1.0-1 The Vorbis General Audio Compressi
ii libxext6 6.8.2.dfsg.1-8 X Window System miscellaneous exte
ii libxinerama1 6.8.2.dfsg.1-8 X Window System multi-head display
ii xlibmesa-gl [libgl1] 6.8.2.dfsg.1-8 Mesa 3D graphics library [X.Org]
ii xlibs 6.8.2.dfsg.1-8 X Window System client libraries m
ii zlib1g 1:1.2.3-4 compression library - runtime

Versions of packages libxine1 recommends:
ii libmng1 1.0.8-1 Multiple-image Network Graphics li
ii libxv1 6.8.2.dfsg.1-8 X Window System video extension li

-- no debconf information

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 13 Oct 2005 11:32:21 +0100
From: Steve Kemp <email address hidden>
To: Michal Čihař <email address hidden>, <email address hidden>
Subject: Re: Bug#333682: security problem within CDDB communication

On Thu, Oct 13, 2005 at 10:52:28AM +0200, Michal Čihař wrote:

> xine announcement [1] is four day old, it says issue has been found by
> Debian Security Audit Project, so I'd expect that Debian will have it
> fixed also :-).

  We do.

> Sorry if you're already working on this issue and I interrupt you from
> work, but I wanted to make sure you know about this.

  Please see DSA-863, released on the 12th of October:

 http://www.us.debian.org/security/2005/dsa-863

Steve
--

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 19 Oct 2005 22:09:11 -0400
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: reassign 333682 to xine-lib, merging 333682 332919

# Automatically generated email from bts, devscripts version 2.9.8
reassign 333682 xine-lib
merge 333682 332919

Debian Bug Importer (debzilla) wrote :

Marking as duplicate based on debbugs merge (332919,333682)

This bug has been marked as a duplicate of bug 23555.

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 23 Nov 2005 10:33:33 +0100
From: Thijs Kinkhorst <email address hidden>
To: <email address hidden>, <email address hidden>, <email address hidden>,
 Jérôme Marant <email address hidden>
Cc: <email address hidden>, <email address hidden>, <email address hidden>
Subject: Re: #332919 Still not fixed


On Tue, 2005-11-22 at 23:31 +0100, Jérôme Marant wrote:
> Hi,
>
> I've just noticed that this security bug has not been fixed:
>
> #332919: CAN-2005-2967: Format string vulnerability in xine-lib's CDDB response parsing
>
> Any action taken?

This bug has been addressed for stable in DSA-863, it's only etch/sid
which have to be fixed. The package has two maintainers, but I can't
trace recent activity for any of them.

I've prepared updated packages for xine-lib, which fix this security
issue and the FTBFS-bug. They thus fix 2 RC bugs (or 3 if you count
merged separately). The diff is attached, the updated packages can be
found here: http://www.a-eskwadraat.nl/~kink/xine-lib/

Since I can't upload them myself, maybe someone else can review and
upload?

regards,
Thijs

Attachment: xine-lib_CVE-2005-2967.diff (text/x-patch)


Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 24 Nov 2005 13:02:45 +0100
From: Thomas Viehmann <email address hidden>
To: Steve Langasek <email address hidden>, <email address hidden>,
 <email address hidden>
Cc: Thijs Kinkhorst <email address hidden>,
 <email address hidden>
Subject: Re: #332919 Still not fixed

tag 332919 + pending
thanks

I'm presently uploading Thijs' NMU.

Steve Langasek wrote:
> On Wed, Nov 23, 2005 at 09:15:29PM +0100, Thomas Viehmann wrote:
[build-problem]
> This is an accidental dependency on i386 only due to a samba misbuild. It
> should be fixed as soon as samba gets binNMUed (autobuilder binNMUs are
> currently down for maintenance).
Ah. Thanks for the info. So I've built xine-lib with a local binNMU of
samba on i386 and am uploading the xine-lib NMU.

Kind regards

T.
--
Thomas Viehmann, http://thomas.viehmann.net/

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 24 Nov 2005 04:17:07 -0800
From: Thijs Kinkhorst <email address hidden>
To: <email address hidden>
Cc: Thijs Kinkhorst <email address hidden>, Siggi Langauf <email address hidden>
Subject: Fixed in NMU of xine-lib 1.0.1-1.4

tag 332919 + fixed
tag 333682 + fixed
tag 337996 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.

Format: 1.7
Date: Wed, 23 Nov 2005 09:42:39 +0100
Source: xine-lib
Binary: libxine-dev libxine1
Architecture: source i386
Version: 1.0.1-1.4
Distribution: unstable
Urgency: high
Maintainer: Siggi Langauf <email address hidden>
Changed-By: Thijs Kinkhorst <email address hidden>
Description:
 libxine-dev - the xine video player library, development packages
 libxine1 - the xine video/media player library, binary files
Closes: 332919 333682 337996
Changes:
 xine-lib (1.0.1-1.4) unstable; urgency=high
 .
   * Non-maintainer upload for RC-(security-)bugs.
   * Apply patch from Ulf Harnhammar fixing a format string vulnerability
     in CDDB response parsing (CVE-2005-2967, Closes: #332919, #333682).
   * Fix bashism in debian/rules causing a FTBFS (Closes: #337996).
Files:
 4f201c064f874cd28cd3fc1494157435 1103 libs optional xine-lib_1.0.1-1.4.dsc
 9f48de634d231a863a1cc48b19a1480b 97462 libs optional xine-lib_1.0.1-1.4.diff.gz
 41e688e695473119bb6102417e4d3075 108838 libdevel optional libxine-dev_1.0.1-1.4_i386.deb
 864da56df34734b732f07d16f8358bfd 4431800 libs optional libxine1_1.0.1-1.4_i386.deb

