xine-lib update closes security holes
A xine-lib update closes vulnerabilities in the media library. Attackers were able to use crafted data streams or MPEG files to inject arbitrary code into users' systems.
In version 220.127.116.11, the developers fixed a recently published vulnerability in the implementation of the Real Time Streaming Protocol (RTSP). The new version 1.1.10 addresses another flaw that allows malicious code to be injected and executed when processing crafted MPEG files. This flaw originally affected xine-lib 1.1.1 and was resolved, but the developers reintroduced it as they continued to develop the software.
The new versions also fix additional flaws that can, for example, disrupt audio output. Source code packages of the updated versions are available for download from the project pages. Linux distributors should issue new packages shortly. Users of the software are advised to update as soon as possible.
- Changelog for xine-lib version 1.1.10
- Changelog for xine-lib version 18.104.22.168
- CVE entry about the flaw when processing specially crafted MPEG files
- xine-lib media library slips up when streaming, heise Security news item