Re: xine-lib and ocert-2008-008

[Nico Golde <oss-security+ml () ngolde de>]

Hi,
* Steven M. Christey <coley () linus mitre org> [2008-11-26 09:27]:
[...] 
> Name: CVE-2008-5244
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5244
> Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=619869
> Reference: SECTRACK:1020703
> Reference: URL:http://securitytracker.com/id?1020703
>
> Unspecified vulnerability in xine-lib before 1.1.15 has unknown impact
> and attack vectors related to libfaad.  NOTE: due to the lack of
> details, it is not clear whether this is an issue in xine-lib or in
> libfaad.

Checked back with upstream, this is:
http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=18c0264660b9;style=gitweb

So no xine issue, but a libfaad one.
Referring to upstream this is a fix for 
http://caca.zoy.org/attachment/wiki/zzuf/bugs/lol-vlc.aac 
which originally was CVE-2008-4610. I have no idea nor the 
time to check the whole patch for the fix for that but I can 
confirm that it is fixed in 2.6.1, no crash here.

I contacted upstream to get more information.

Steve, could you update this CVE id?

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: _bin
Description: