xine-lib update fixes security flaw
Released today, version 1.1.12 of the xine-lib multimedia player fixes a security flaw and other bugs. An attacker could previously inject malicious code into the player via crafted Ogg files using the Speex sound codec.
The vulnerability was due to a bug in the version of libfishsound used by the player. According to an oCERT advisory, libfishsound versions prior to 0.9.1 do not properly check the user input in the header structure, which can result in the function pointer pointing to an arbitrary position in memory. This allows remote code execution. Apart from xine-lib, the vulnerability affects other programs using libfishsound such as the OggPlay Firefox plugin and the Ogg-DirectShow-Filter from Illiminable.
The new version of xine-lib also fixes a regression in Version 18.104.22.168 that broke QuickTime container handling and another in the Matroska demuxer. The developers have also improved the PulseAudio driver.
Users of players based on xine-lib such as Totem and Kaffeine should install the latest version as soon as possible. The Linux distributors have already released updated packages, or are about to do so.
- Release notes for xine-lib 1.1.12
- Download xine- lib 1.1.12
- libfishsound insufficient boundary checks, oCERT security advisory
- Release: libfishsound 0.9.1, security advisory by libfishsound developer Conrad Parker