In the meantime, a bugfix-only release (1.1.11.1) has been uploaded to Debian; here is the changelog diff:
+++ b/ChangeLog Sun Mar 30 15:43:16 2008 +0100 @@ -1,3 +1,14 @@ xine-lib (1.1.11) 2008-03-19 +xine-lib (1.1.11.1) 2008-03-30 + * Security fixes: + - Integer overflows in FLV, Qt, Real, WC3Movie, Matroska and FILM + demuxers, allowing remote attackers to trigger heap overflows and + possibly execute arbitrary code. (CVE-2008-1482) + * Added a few more memory allocation checks to the above demuxers. + * WAV file playback fix: don't assume that the first chunk is "fmt ". + * Don't try to play partial 24-bit AIFF frames (decoder would lose data). + * Fixed AIFF comment chunk handling and sample rate reading. + * LPCM fixes: input over-reading, conversion of 24-bit samples. +

I'd suggest now skipping 1.1.11 and going directly to 1.1.11.1.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1482

--
Freeze exception for xine-lib 1.1.11
https://bugs.launchpad.net/bugs/204557
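Review bot: the entry "+ * Added a few more memory allocation checks to the above demuxers." does not say whether those checks are part of the CVE-2008-1482 fix or independent hardening; for a freeze-exception review it would help to name the demuxers and allocation sites covered and to state whether the checks are required to close the integer-overflow-to-heap-overflow path described in the preceding lines or are only defence in depth. The remaining items (WAV "fmt " chunk assumption, partial 24-bit AIFF frames, AIFF comment chunk and sample rate, LPCM over-reading and 24-bit conversion) are functional fixes shipped in a security point release; noting in the ChangeLog which of them address regressions or data loss present in 1.1.11, as the AIFF line already implies, would make the case for taking 1.1.11.1 as a whole rather than cherry-picking the CVE fix.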