Bug#332919: #332919 Still not fixed

Wed, 23 Nov 2005 01:48:03 -0800 

On Tue, 2005-11-22 at 23:31 +0100, Jérôme Marant wrote:
> Hi,
> 
> I've just noticed that this security bug has not been fixed:
> 
>   #332919: CAN-2005-2967: Format string vulnerability in xine-lib's CDDB 
> response parsing
> 
> Any action taken?

This bug has been addressed for stable in DSA-863, it's only etch/sid
which have to be fixed. The package has two maintainers, but I can't
trace recent activity for any of them.

I've prepared updated packages for xine-lib, which fix this security
issue and the FTBFS-bug. They thus fix 2 RC bugs (or 3 if you count
merged separately). The diff is attached, the updated packages can be
found here: http://www.a-eskwadraat.nl/~kink/xine-lib/

Since I can't upload them myself, maybe someone else can review and
upload?

regards,
Thijs

diff -u xine-lib-1.0.1/debian/rules xine-lib-1.0.1/debian/rules
--- xine-lib-1.0.1/debian/rules
+++ xine-lib-1.0.1/debian/rules
@@ -97,8 +97,10 @@
 	dh_install --autodest
 	dh_installdocs
 	#ugly hack, documentation should never have been in /u/s/d/xine/...
-	mv debian/tmp/usr/share/doc/xine/{faq,README*} \
-           debian/libxine1/usr/share/doc/libxine1
+	mv debian/tmp/usr/share/doc/xine/faq \
+		debian/libxine1/usr/share/doc/libxine1
+	mv debian/tmp/usr/share/doc/xine/README* \
+		debian/libxine1/usr/share/doc/libxine1
 	dh_installchangelogs -k ChangeLog
 	dh_link
 	dh_strip
diff -u xine-lib-1.0.1/debian/changelog xine-lib-1.0.1/debian/changelog
--- xine-lib-1.0.1/debian/changelog
+++ xine-lib-1.0.1/debian/changelog
@@ -1,3 +1,12 @@
+xine-lib (1.0.1-1.4) unstable; urgency=high
+
+  * Non-maintainer upload for RC-(security-)bugs.
+  * Apply patch from Ulf Harnhammar fixing a format string vulnerability
+    in CDDB response parsing (CVE-2005-2967, Closes: #332919, #333682).
+  * Fix bashism in debian/rules causing a FTBFS (Closes: #337996).
+
+ -- Thijs Kinkhorst <[EMAIL PROTECTED]>  Wed, 23 Nov 2005 09:42:39 +0100
+
 xine-lib (1.0.1-1.3) unstable; urgency=low
 
   * Non-maintainer upload.
only in patch2:
unchanged:
--- xine-lib-1.0.1.orig/src/input/input_cdda.c
+++ xine-lib-1.0.1/src/input/input_cdda.c
@@ -1473,7 +1473,7 @@
     return;
   }
   else {
-    fprintf(fd, filecontent);
+    fprintf(fd, "%s", filecontent);
     fclose(fd);
   }

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to