Debian Security Advisory DSA 1536-1 (xine-lib)

The remote host is missing an update to xine-lib announced via advisory DSA 1536-1.

Several local vulnerabilities have been discovered in Xine, a media player library, allowed for a denial of service or arbitrary code execution, which could be exploited through viewing malicious content. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-1246 / CVE-2007-1387 The DMO_VideoDecoder_Open function does not set the biSize before use in a memcpy, which allows user-assisted remote attackers to cause a buffer overflow and possibly execute arbitrary code (applies to sarge only). CVE-2008-0073 Array index error in the sdpplin_parse function allows remote RTSP servers to execute arbitrary code via a large streamid SDP parameter. CVE-2008-0486 Array index vulnerability in libmpdemux/demux_audio.c might allow remote attackers to execute arbitrary code via a crafted FLAC tag, which triggers a buffer overflow (applies to etch only). CVE-2008-1161 Buffer overflow in the Matroska demuxer allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Matroska file with invalid frame sizes. For the stable distribution (etch), these problems have been fixed in version 1.1.2+dfsg-6. For the old stable distribution (sarge), these problems have been fixed in version 1.0.1-1sarge7. For the unstable distribution (sid), these problems have been fixed in version 1.1.11-1. We recommend that you upgrade your xine-lib package.

https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201536-1