In association with heise online

15 April 2008, 18:40

xine-lib update fixes security flaw


Released today, version 1.1.12 of the xine-lib multimedia player fixes a security flaw and other bugs. An attacker could previously inject malicious code into the player via crafted Ogg files using the Speex sound codec.

The vulnerability was due to a bug in the version of libfishsound used by the player. According to an oCERT advisory, libfishsound versions prior to 0.9.1 do not properly check the user input in the header structure, which can result in the function pointer pointing to an arbitrary position in memory. This allows remote code execution. Apart from xine-lib, the vulnerability affects other programs using libfishsound such as the OggPlay Firefox plugin and the Ogg-DirectShow-Filter from Illiminable.
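The class of bug described above is a header field that selects a function pointer without being range-checked. The sketch below shows the check that prevents it. It is an added example, not code from libfishsound, Speex or xine-lib; the table, the field offset, the header size and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical decoder table: one init routine per mode (names are illustrative). */
typedef int (*mode_init_fn)(void);
static int init_mode_a(void) { return 8000; }
static int init_mode_b(void) { return 16000; }
static int init_mode_c(void) { return 32000; }
static const mode_init_fn mode_table[] = { init_mode_a, init_mode_b, init_mode_c };
#define MODE_COUNT ((int32_t)(sizeof mode_table / sizeof mode_table[0]))

/* Assumed layout for this example only: an 80-byte header carrying a
 * signed 32-bit little-endian mode index at byte offset 40. */
#define HDR_SIZE    80
#define MODE_OFFSET 40

/* Decode a signed 32-bit little-endian value from untrusted bytes. */
static int32_t read_le32(const uint8_t *p) {
    uint32_t v = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                 (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return (int32_t)v;
}

/* Returns the value produced by the selected mode's init routine,
 * or -1 if the header is rejected. */
int select_mode(const uint8_t *hdr, size_t len) {
    if (hdr == NULL || len < HDR_SIZE)
        return -1;
    int32_t mode = read_le32(hdr + MODE_OFFSET);
    /* Both bounds are required. Checking only the upper bound lets a
     * negative index through, and mode_table[mode] would then load a
     * "function pointer" from memory that lies before the table. */
    if (mode < 0 || mode >= MODE_COUNT)
        return -1;
    return mode_table[mode]();
}

/* Builds a constructed, zero-filled header with the given mode value
 * and runs it through the validated lookup. */
int check_constructed_header(int32_t mode) {
    uint8_t hdr[HDR_SIZE] = {0};
    uint32_t u = (uint32_t)mode;
    for (int i = 0; i < 4; i++)
        hdr[MODE_OFFSET + i] = (uint8_t)(u >> (8 * i));
    return select_mode(hdr, sizeof hdr);
}
```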

The new version of xine-lib also fixes a regression in Version that broke QuickTime container handling and another in the Matroska demuxer. The developers have also improved the PulseAudio driver.

Users of players based on xine-lib such as Totem and Kaffeine should install the latest version as soon as possible. The Linux distributors have already released updated packages, or are about to do so.
