Your message dated Sat, 10 Jun 2006 07:39:43 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Bug#363127: CVE-2006-1664: Malformed MPEG Stream Buffer
Overflow Vulnerability
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: libxine1
Version: 1.1.1-1
Severity: grave
Tags: security
Justification: user security hole
According to CVE-2006-1664, there is a "buffer overflow in
xine_list_delete_current in libxine 1.14 and earlier, as distributed
in xine-lib 1.1.1 and earlier, allows remote attackers to execute
arbitrary code via a crafted MPEG stream."
--- End Message ---
--- Begin Message ---
On Wed, Apr 26, 2006 at 07:56:04PM +0200, Stefan Fritsch wrote:
> No, I didn't test the exploit when I filed the bug. I can't reproduce
> the crash now, neither with xine nor gxine (gxine is in a separate
> package).
I think we can close this bug for now. It is unreproducible with
Debian's xine, and I haven't found any distribution having fixed this by
other means than upgrading to a CVS snapshot, which we are planning to
do soon in experimental. I expect etch to be released with 1.1.2, or a
snapshot of that.
With this rationale, I'm closing this bug, but feel free to reopen it
immediately if you have further input on how to reproduce this bug (e.g. link
to exploit and a sample file, with which it is exploitable).
Regards,
Reinhard
--- End Message ---