[Bug 247852] [NEW] xine-lib 1.1.14-1ubuntu1 from intrepid contains lots of security and other important bugfixes, please backport
Mantas Kriaučiūnas
mantas at akl.lt
Sat Jul 12 12:14:33 BST 2008
Public bug reported:
Please backport xine-lib 1.1.14-1ubuntu1 from intrepid; it contains lots
of security and other very important bugfixes, fixed since hardy's
xine-lib 1.1.11.1-1ubuntu3, also some very important improvements, e.g. in DVB
support.
This will solve several important bugs, like:
* [CVE-2008-1878] Inadequate bounds checking in the NES Sound Format (NSF) demuxer
* LP bug #93076 - important display bug with Motion JPEG videos (such videos are produced by most photo cameras)
I'm pasting important info from xine-lib 1.1.12, 1.1.13 and 1.1.14
Release Notes:
xine-lib 1.1.12
This release contains a security fix (unchecked array index, CVE-2008-1686). There are also a few bug fixes (including the 1.1.11.1 regressions, which broke Quicktime container handling), a new version of the pulseaudio output plugin, and open-source support for RealAudio “cook”.
For front-end package maintainers, there's a tool to help maintain MIME type lists, and for developers who need raw frame data, you can now get that with the “raw” video output plugin.
See http://sourceforge.net/project/shownotes.php?release_id=592185&group_id=9655 for full release notes
xine-lib 1.1.13
Maintenance & security-fix release.
* Security fixes:
  - Buffer overflow in the NSF demuxer which may allow remote attackers to
    cause a denial of service (crash) or possibly execute arbitrary code
    via an NSF file with a long title or copyright message. (CVE-2008-1878)
  - For extra safety against possible Integer overflows like the ones found
    in CVE-2008-1482, backport more calloc usage from 1.2 branch.
* Added MIME types and .mpp for musepack.
* Fixed display of some MJPEG streams (YUVJ420P).
* Provide a useful implementation of xine_register_log_cb().
* New version of the JACK output plugin.
See http://sourceforge.net/project/shownotes.php?release_id=606977&group_id=9655 for full release notes
xine-lib 1.1.14
Adds Xv port & type selection (this is backported from the 1.2 branch) and improved content type detection for HTTP streams. There are some DVB and V4L improvements, and a DVB audio bug, introduced in 1.1.13, is fixed.
See http://sourceforge.net/project/shownotes.php?release_id=610192&group_id=9655 for full release notes
-------
Ubuntu Changelog since 1.1.11-1ubuntu3 :
xine-lib (1.1.14-1ubuntu1) intrepid; urgency=low

  * merge from debian unstable. Remaining changes:
    - disable the jack plugin
      in libxine1-bin to make dapper->hardy upgrades work (LP #203605)
    - Modify Maintainer value to match the DebianMaintainerField
      specification.
  * New upstream fixes:
    - playback of MJPEG files LP: #93076
    - CVE-2008-1878 LP: #235904
    - CVE-2008-1686 LP: #218652

xine-lib (1.1.14-1) unstable; urgency=low

  * New upstream release.
    - All patches in 1.1.12-2 are present upstream.
    - MIME types added. (Closes: #472869)
  * Build-depend on libmagick9-dev | libmagick-dev | libmagickwand-dev.
  * Build-depend on ghostscript | gs | gs-gpl.

 -- Reinhard Tartler <email address hidden> Tue, 08 Jul 2008 22:35:48 +0200

xine-lib (1.1.12-2ubuntu1) intrepid; urgency=low

  * Merge from debian unstable, remaining changes:
    - disable the jack plugin
    - add Replaces: libxine-main1 (<< 1.1.2+repacked1-0ubuntu1)
      in libxine1-bin to make dapper->hardy upgrades work (LP #203605)
    - Modify Maintainer value to match the DebianMaintainerField specification.

 -- Reinhard Tartler <siretart at tauware.de> Thu, 08 May 2008 13:49:26 +0200

xine-lib (1.1.12-2) unstable; urgency=high

  * Fixes from upstream hg:
    - CVE-2008-1878: Buffer overflow in the NSF demuxer which may allow
      remote attackers to cause a denial of service (crash) or possibly
      execute arbitrary code via an NSF file with a long title or copyright message.
      (Our chosen option is to patch and disable this code.)
    - Backport more calloc usage from the 1.2 branch for extra safety
      against possible integer overflows such as found in CVE-2008-1482.

 -- Darren Salt <email address hidden> Sun, 27 Apr 2008 14:20:41 +0100

xine-lib (1.1.12-1) unstable; urgency=high

  * New upstream release.
    - CVE-2008-1686: Insufficient boundary check in speex audio decoder.
    - New tool "xine-list-1.1", which front-end maintainers will find useful
      for updating .desktop files at install time and in conjunction with dpkg triggers.

 -- Darren Salt <email address hidden> Mon, 14 Apr 2008 23:39:44 +0100

** Affects: hardy-backports
Importance: Undecided
Status: New
** Affects: baltix
Importance: Undecided
Status: New
** Also affects: baltix
Importance: Undecided
Status: New
--
xine-lib 1.1.14-1ubuntu1 from intrepid contains lots of security and other important bugfixes, please backport
https://bugs.launchpad.net/bugs/247852