From: Manuel Reimer on 18 Apr 2008 01:56

... tried with the latest official xine-lib release. Even this release
crashes with the exploit.

The xine-team fixed the bug in "hg" (what the he** is "hg"?)
http://bugs.xine-project.org/show_bug.cgi?id=84

IMHO this is not a good idea to fix the bug somewhere and not publish
the patch or release a bugfix version.

Is someone here able to find the patch, that has been used to fix in
"hg" and publish it here?

More and more security related bugs for xine-lib are published. Maybe
it's a good idea to have a closer look at mplayer...

CU

Manuel

From: Someone on 18 Apr 2008 05:11

On Fri, 18 Apr 2008 07:56:59 +0200
Manuel Reimer <mreimer(a)expires-30-04-2008.news-group.org> wrote:

> .. tried with the latest official xine-lib release. Even this release
> crashes with the exploit.
>
> The xine-team fixed the bug in "hg" (what the he** is "hg"?)
> http://bugs.xine-project.org/show_bug.cgi?id=84
>
> IMHO this is not a good idea to fix the bug somewhere and not publish
> the patch or release a bugfix version.
>
> Is someone here able to find the patch, that has been used to fix in
> "hg" and publish it here?
>
> More and more security related bugs for xine-lib are published. Maybe
> it's a good idea to have a closer look at mplayer...
>
> CU
>
> Manuel
>

What's better, Xine or Mplayer?

--

From: Eef Hartman on 18 Apr 2008 05:17

Manuel Reimer <mreimer(a)expires-30-04-2008.news-group.org> wrote:

> Hello,
>
> xine-lib in the version included with Slackware seems to have a critical
> hole which may allow remote code execution. Exploit here:
>
> http://milw0rm.com/exploits/5458

According to that URL the bug is in all official releases (up to
and including 1.1.12), so the only fixes are:
1) either patch the offending code yourself and rebuild
2) use a CVS version, not an official release

Haven't looked at your SlackBuild to see if it also applies any
patches on the release source.

--
********************************************************************
** Eef Hartman, Delft University of Technology, dept. EWI/TW      **
** e-mail: E.J.M.Hartman(a)math.tudelft.nl, fax: +31-15-278 7295  **
** snail-mail: P.O. Box 5031, 2600 GA Delft, The Netherlands      **
********************************************************************

From: Manuel Reimer on 18 Apr 2008 05:29

Eef Hartman wrote:

> According to that URL the bug is in all official releases (up to
> and including 1.1.12), so the only fixes are:
> 1) either patch the offending code yourself and rebuild
> 2) use a CVS version, not an official release

... or at least be careful with opening web streams or video files from
web in xine.

> Haven't looked at your SlackBuild to see if it also applies any
> patches on the release source.

It's not my SlackBuild, but I could create one, if someone (or one of
the other distributions) offers a patch...

CU

Manuel

From: Manuel Reimer on 18 Apr 2008 05:31

Someone wrote:
^^^^^^^
Do you have a name ;-)

> What's better, Xine or Mplayer?

At least for embedding into the browser, currently mplayer is better, as
mplayer also offers a GUI with controls. I, so far, didn't check if
mplayer has to be patched less often, but I think so, as I much more
often read about holes in xine-lib on news sites.

CU

Manuel