[Bug 247852] [NEW] xine-lib 1.1.14-1ubuntu1 from intrepid contains lots of security and other important bugfixes, please backport

Mantas Kriaučiūnas mantas at akl.lt
Sat Jul 12 12:14:33 BST 2008


Public bug reported:

Please backport xine-lib 1.1.14-1ubuntu1 from intrepid; it contains lots
of security and other very important bugfixes, fixed since hardy's xine-lib
1.1.11.1-1ubuntu3, and also some very important improvements, e.g. in DVB
support.

This will solve several important bugs, like:
* [CVE-2008-1878] Inadequate bounds checking in the NES Sound Format (NSF) demuxer
* LP bug #93076 - important display bug with Motion JPEG videos (such videos are produced by most photo cameras)

I'm pasting important info from xine-lib 1.1.12, 1.1.13 and 1.1.14
Release Notes:

xine-lib 1.1.12
This release contains a security fix (unchecked array index, CVE-2008-1686). There are also a few bug fixes (including the 1.1.11.1 regressions, which broke Quicktime container handling), a new version of the pulseaudio output plugin, and open-source support for RealAudio “cook”.
For front-end package maintainers, there's a tool to help maintain MIME type lists, and for developers who need raw frame data, you can now get that with the “raw” video output plugin. 
See http://sourceforge.net/project/shownotes.php?release_id=592185&group_id=9655 for full release notes

xine-lib 1.1.13
Maintenance & security-fix release.
* Security fixes:
  - Buffer overflow in the NSF demuxer which may allow remote attackers to
    cause a denial of service (crash) or possibly execute arbitrary code
    via an NSF file with a long title or copyright message. (CVE-2008-1878)
  - For extra safety against possible Integer overflows like the ones found
    in CVE-2008-1482, backport more calloc usage from 1.2 branch.
* Added MIME types and .mpp for musepack.
* Fixed display of some MJPEG streams (YUVJ420P).
* Provide a useful implementation of xine_register_log_cb().
* New version of the JACK output plugin.
See http://sourceforge.net/project/shownotes.php?release_id=606977&group_id=9655 for full release notes

xine-lib 1.1.14
Adds Xv port & type selection (this is backported from the 1.2 branch) and improved content type detection for HTTP streams. There are some DVB and V4L improvements, and a DVB audio bug, introduced in 1.1.13, is fixed. 
See http://sourceforge.net/project/shownotes.php?release_id=610192&group_id=9655 for full release notes

-------

Ubuntu Changelog since 1.1.11-1ubuntu3:

xine-lib (1.1.14-1ubuntu1) intrepid; urgency=low
  * merge from debian unstable. Remaining changes:
    - disable the jack plugin
      in libxine1-bin to make dapper->hardy upgrades work (LP #203605)
    - Modify Maintainer value to match the DebianMaintainerField
      specification.
  * New upstream fixes:
    - playback of MJPEG files LP: #93076
    - CVE-2008-1878 LP: #235904
    - CVE-2008-1686 LP: #218652
xine-lib (1.1.14-1) unstable; urgency=low
  * New upstream release.
    - All patches in 1.1.12-2 are present upstream.
    - MIME types added. (Closes: #472869)
  * Build-depend on libmagick9-dev | libmagick-dev | libmagickwand-dev.
  * Build-depend on ghostscript | gs | gs-gpl.
 -- Reinhard Tartler <email address hidden> Tue, 08 Jul 2008 22:35:48 +0200

xine-lib (1.1.12-2ubuntu1) intrepid; urgency=low
  * Merge from debian unstable, remaining changes:
    - disable the jack plugin
    - add Replaces: libxine-main1 (<< 1.1.2+repacked1-0ubuntu1)
      in libxine1-bin to make dapper->hardy upgrades work (LP #203605)
    - Modify Maintainer value to match the DebianMaintainerField specification.
 -- Reinhard Tartler <siretart at tauware.de>  Thu, 08 May 2008 13:49:26 +0200

xine-lib (1.1.12-2) unstable; urgency=high
  * Fixes from upstream hg:
    - CVE-2008-1878: Buffer overflow in the NSF demuxer which may allow
      remote attackers to cause a denial of service (crash) or possibly
      execute arbitrary code via an NSF file with a long title or copyright message.
      (Our chosen option is to patch and disable this code.)
    - Backport more calloc usage from the 1.2 branch for extra safety
      against possible integer overflows such as found in CVE-2008-1482.
 -- Darren Salt <email address hidden>  Sun, 27 Apr 2008 14:20:41 +0100

xine-lib (1.1.12-1) unstable; urgency=high
  * New upstream release.
    - CVE-2008-1686: Insufficient boundary check in speex audio decoder.
    - New tool "xine-list-1.1", which front-end maintainers will find useful
      for updating .desktop files at install time and in conjunction with dpkg triggers.
 -- Darren Salt <email address hidden>  Mon, 14 Apr 2008 23:39:44 +0100

** Affects: hardy-backports
     Importance: Undecided
         Status: New

** Affects: baltix
     Importance: Undecided
         Status: New

** Also affects: baltix
   Importance: Undecided
       Status: New

-- 
xine-lib 1.1.14-1ubuntu1 from intrepid contains lots of security and other important bugfixes, please backport
https://bugs.launchpad.net/bugs/247852
You received this bug notification because you are a member of Ubuntu
Backports Testing Team, which is subscribed to Hardy Backports.
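The two NSF-related fixes quoted above (the bounded copy of the title/copyright fields for CVE-2008-1878, and the "more calloc usage" hardening against integer overflow) can be shown in a small parser. The code below is an added illustration, not xine's demuxer or any patch from the changelog: the header offsets and the 32-byte field length come from the public NSF format description, the function names (`nsf_parse_header`, `copy_text_field`, `alloc_array`, `build_sample_nsf`) are hypothetical, and the sample header is constructed in the code itself.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* NSF header layout from the public NSF format description (not from xine):
 * a fixed 128-byte header starting with the magic "NESM\x1a" and carrying
 * three 32-byte text fields (song title, artist, copyright). Those fields are
 * NOT guaranteed to be NUL-terminated, which is exactly why copying them with
 * strcpy-style routines into a fixed buffer can overflow. */
#define NSF_HEADER_LEN     128
#define NSF_TEXT_LEN       32
#define NSF_OFF_TITLE      0x0E
#define NSF_OFF_ARTIST     0x2E
#define NSF_OFF_COPYRIGHT  0x4E

typedef struct {
    char title[NSF_TEXT_LEN + 1];      /* +1 leaves room for our own NUL */
    char artist[NSF_TEXT_LEN + 1];
    char copyright[NSF_TEXT_LEN + 1];
} nsf_meta_t;

/* Bounded copy of a raw, possibly unterminated text field. Never writes more
 * than dst_size bytes and always NUL-terminates. Returns bytes copied. */
static size_t copy_text_field(char *dst, size_t dst_size,
                              const uint8_t *src, size_t src_len)
{
    size_t n = 0;
    if (dst_size == 0)
        return 0;
    while (n < src_len && n < dst_size - 1 && src[n] != '\0') {
        dst[n] = (char)src[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Parse the header out of buf. Returns 0 on success, -1 if the input is
 * shorter than a full header (so no field read can run off the end) or the
 * magic is wrong. */
int nsf_parse_header(const uint8_t *buf, size_t len, nsf_meta_t *out)
{
    if (buf == NULL || out == NULL || len < NSF_HEADER_LEN)
        return -1;
    if (memcmp(buf, "NESM\x1a", 5) != 0)
        return -1;
    copy_text_field(out->title,     sizeof out->title,     buf + NSF_OFF_TITLE,     NSF_TEXT_LEN);
    copy_text_field(out->artist,    sizeof out->artist,    buf + NSF_OFF_ARTIST,    NSF_TEXT_LEN);
    copy_text_field(out->copyright, sizeof out->copyright, buf + NSF_OFF_COPYRIGHT, NSF_TEXT_LEN);
    return 0;
}

/* Overflow-safe array allocation, the idea behind "more calloc usage":
 * malloc(count * size) silently wraps when the product exceeds SIZE_MAX and
 * hands back a too-small block. Checking the product first (and letting
 * calloc perform its own check as well) refuses the request instead. */
void *alloc_array(size_t count, size_t size)
{
    if (size != 0 && count > SIZE_MAX / size)
        return NULL;                     /* count * size would wrap */
    return calloc(count, size);
}

/* Constructed sample input: a 128-byte header whose title field is filled
 * with 32 'A's and no terminator, the shape of input the fix must tolerate. */
size_t build_sample_nsf(uint8_t *buf, size_t cap)
{
    if (cap < NSF_HEADER_LEN)
        return 0;
    memset(buf, 0, NSF_HEADER_LEN);
    memcpy(buf, "NESM\x1a", 5);
    memset(buf + NSF_OFF_TITLE, 'A', NSF_TEXT_LEN);
    memcpy(buf + NSF_OFF_ARTIST, "constructed", 11);
    memcpy(buf + NSF_OFF_COPYRIGHT, "none", 4);
    return NSF_HEADER_LEN;
}

int main(void)
{
    uint8_t buf[NSF_HEADER_LEN];
    nsf_meta_t meta;
    build_sample_nsf(buf, sizeof buf);
    if (nsf_parse_header(buf, sizeof buf, &meta) != 0) {
        fprintf(stderr, "not an NSF header\n");
        return 1;
    }
    printf("title=%s\nartist=%s\ncopyright=%s\n", meta.title, meta.artist, meta.copyright);
    return 0;
}
```

The two checks that matter are the length test before any field is read (a truncated file cannot make the parser read past the buffer) and the destination-sized copy that ignores whether the source field ever contains a NUL. Both are cheap, and the same pattern applies to any container demuxer that lifts fixed-width text fields out of a header.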