Comment 4 for bug 25182

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Wed, 23 Nov 2005 10:33:33 +0100
From: Thijs Kinkhorst <email address hidden>
To: <email address hidden>, <email address hidden>, <email address hidden>,
 Jérôme Marant <email address hidden>
Cc: <email address hidden>, <email address hidden>, <email address hidden>
Subject: Re: #332919 Still not fixed


On Tue, 2005-11-22 at 23:31 +0100, Jérôme Marant wrote:
> Hi,
>
> I've just noticed that this security bug has not been fixed:
>
> #332919: CAN-2005-2967: Format string vulnerability in xine-lib's CDDB response parsing
>=20
> Any action taken?

This bug has been addressed for stable in DSA-863, it's only etch/sid
which have to be fixed. The package has two maintainers, but I can't
trace recent activity for any of them.

I've prepared updated packages for xine-lib, which fix this security
issue and the FTBFS-bug. They thus fix 2 RC bugs (or 3 if you count
merged separately). The diff is attached, the updated packages can be
found here: http://www.a-eskwadraat.nl/~kink/xine-lib/

Since I can't upload them myself, maybe someone else can review and
upload?

regards,
Thijs

[Attachment: xine-lib_CVE-2005-2967.diff (text/x-patch); contents not included on this page]

[Message digitally signed with GnuPG v1.4.2; signature omitted]
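The vulnerability class named in the thread, a server-controlled CDDB reply reaching a printf-style function as its format string, is shown below with the fix beside it. This is an added example written for this page, not xine-lib's code or the attached diff: the CDDB reply is constructed, cdda_log() is a stand-in for whatever printf-style logger the real code called, and cddb_get_field(), log_title_vulnerable() and log_title_fixed() are hypothetical names. The title uses "%%" so the demonstration stays defined behaviour; a real attacker would send %x, %s or %n to read or write memory.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed "cddb read" reply, standing in for what a malicious or
 * compromised CDDB server could send. DTITLE carries a format directive. */
static const char CDDB_REPLY[] =
    "210 rock 940a160c CD database entry follows (until terminating `.')\r\n"
    "# xmcd CD database file\r\n"
    "DISCID=940a160c\r\n"
    "DTITLE=Evil Server / 100%% Legit\r\n"
    "TTITLE0=Track one\r\n"
    ".\r\n";

/* Stand-in printf-style logger (hypothetical): whatever arrives as `fmt`
 * is interpreted by vsnprintf, which is the whole problem. */
static void cdda_log(char *dst, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(dst, n, fmt, ap);
    va_end(ap);
}

/* Copy the value of "KEY=value" from a CDDB reply into out (hypothetical
 * helper). Returns 1 if the key was found, 0 otherwise. */
int cddb_get_field(const char *reply, const char *key, char *out, size_t n)
{
    size_t klen = strlen(key);
    const char *p = reply;

    while (*p) {
        const char *eol = strpbrk(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);

        if (len >= klen + 1 && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = len - klen - 1;
            if (vlen >= n)
                vlen = n - 1;            /* truncate, never overflow out */
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (!eol)
            break;
        p = eol;
        while (*p == '\r' || *p == '\n')
            p++;
    }
    out[0] = '\0';
    return 0;
}

/* VULNERABLE: the server-supplied title is used as the format string. */
int log_title_vulnerable(const char *reply, char *dst, size_t n)
{
    char title[128];
    if (!cddb_get_field(reply, "DTITLE", title, sizeof title))
        return 0;
    cdda_log(dst, n, title);            /* directives in `title` are interpreted */
    return 1;
}

/* FIXED: a constant format string; the title is only ever an argument. */
int log_title_fixed(const char *reply, char *dst, size_t n)
{
    char title[128];
    if (!cddb_get_field(reply, "DTITLE", title, sizeof title))
        return 0;
    cdda_log(dst, n, "%s", title);      /* title is data, never a format */
    return 1;
}

/* Run one of the loggers over CDDB_REPLY and compare with `expected`. */
int title_log_matches(int (*fn)(const char *, char *, size_t),
                      const char *expected)
{
    char buf[256];
    if (!fn(CDDB_REPLY, buf, sizeof buf))
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[256];
    log_title_vulnerable(CDDB_REPLY, buf, sizeof buf);
    printf("vulnerable: %s\n", buf);    /* "%%" collapsed: directives ran */
    log_title_fixed(CDDB_REPLY, buf, sizeof buf);
    printf("fixed:      %s\n", buf);    /* "%%" preserved verbatim */
    return 0;
}
```

The observable difference is the collapsed "%%": in the vulnerable path the logger consumed the server's bytes as directives, and any %x or %n in their place would have walked the stack or written to memory. The fix is the same one-line change the xine-lib patch class needs everywhere a non-literal reaches a printf-family call: pass "%s" and the untrusted string as an argument. Building with -Wformat-security (or -Werror=format-security) catches the direct cases; wrappers like cdda_log() only get that warning if they carry __attribute__((format(printf, 3, 4))).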