xine-lib-1.1.11.1 security update change???

shadowsnipes · 04-01-2008, 12:50 PM

A day or two ago I upgraded xine-lib with the
xine-lib-1.1.11-i686-1_slack12.0.tgz security update with
md5sum 04dfd67cfc12258f05b2e01612494572

Today I received another notification that a security update for this was available. The file name is the same but
md5sum c883b1ebae2955f6d8f289e9e80cf7b2

What is going on here? The slackware.com website still shows the old md5sum, but it has indeed been changed on ftp.slackware.com.

Jeebizz · 04-01-2008, 12:57 PM

If you received an update, I would imagine that there would also be an explanation of the second version of that file.

From today's changelog:

Quote:

Tue Apr 1 02:41:32 CDT 2008
...
xap/xine-lib-1.1.11.1-i686-1.tgz: Earlier versions of xine-lib suffer from an
integer overflow which may lead to a buffer overflow that could potentially
be used to gain unauthorized access to the machine if a malicious media
file is played back. File types affected this time include .flv, .mov, .rm,
.mve, .mkv, and .cak.
For more information on this security issue, please see:
http://cve.mitre.org/cgi-bin/cvename...=CVE-2008-1482
(* Security fix *)
...

Woo! my 666th post, yea!! \o/

\o/

H_TeXMeX_H · 04-01-2008, 01:16 PM

Quick, throw salt over your shoulder ... no, wait, that's for something else isn't it ?

shadowsnipes · 04-01-2008, 01:23 PM

Normally, I wouldn't be confused, but this update was just put out a day or two ago

Code:

Mon Mar 31 23:33:58 CDT 2008
xap/xine-lib-1.1.11.1-i686-1_slack12.0.tgz:
  Upgraded to xine-lib-1.1.11.1.
  Earlier versions of xine-lib suffer from an integer overflow which may lead
  to a buffer overflow that could potentially be used to gain unauthorized
  access to the machine if a malicious media file is played back.  File types
  affected this time include .flv, .mov, .rm, .mve, .mkv, and .cak.
  For more information on this security issue, please see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1482
  (* Security fix *)
+--------------------------+
Sat Mar 29 03:09:17 CDT 2008
.
.
.
patches/packages/xine-lib-1.1.11-i686-1_slack12.0.tgz:
  Earlier versions of xine-lib suffer from an array index bug that
  may have security implications if a malicious RTSP stream is
  played.  Playback of other media formats is not affected.
  If you use RTSP, you should probably upgrade xine-lib.
  For more information on the security issue, please see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0073
  (* Security fix *)

I guess what I don't understand is why wasn't there a note that it was updated again (to avoid confusion) or why didn't the build number at least change.

I suppose the build number didn't change because the build script might be exactly the same. But then the source should be different so you would think the version number would be different.

Ahh, the security advisory just got updated on slackware.com. All is well

brianL · 04-01-2008, 02:13 PM

Quote:

Originally Posted by Jeebizz

Woo! my 666th post, yea!! \o/

\o/

Jeebizz is the Antichrist!!!

shadowsnipes · 04-01-2008, 02:21 PM

I apparently need to start getting more rest....the version number is slightly different.

April fools on me!!!

T3slider · 04-01-2008, 02:56 PM

Darn it, I forgot it was April fools' day. I guess it's too late to get out the Whoopee cushion.

(And yes, the version number is slightly different, with an extra .1)