ubuntucve | Ubuntu.com | UB:CVE-2008-5234
History: Nov 26, 2008 - 12:00 a.m.

CVE-2008-5234


CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.096 Low
Percentile: 94.7%

Multiple heap-based buffer overflows in xine-lib 1.1.12, and other versions
before 1.1.15, allow remote attackers to execute arbitrary code via vectors
related to (1) a crafted metadata atom size processed by the
parse_moov_atom function in demux_qt.c and (2) frame reading in the
id3v23_interp_frame function in id3.c. NOTE: as of 20081122, it is
possible that vector 1 has not been fixed in 1.1.15.

Notes

Author | Note
mdeslaur | Patch below fixes the (1) part. The (2) part appears to be the same as CVE-2008-5246. This is 1A ((2) is 1E).

OS | OS Version | Architecture | Package | Package Version | Filename
ubuntu | 6.06 | noarch | xine-lib | < 1.1.1+ubuntu2-7.10 | UNKNOWN
ubuntu | 7.10 | noarch | xine-lib | < 1.1.7-1ubuntu1.4 | UNKNOWN
ubuntu | 8.04 | noarch | xine-lib | < 1.1.11.1-1ubuntu3.2 | UNKNOWN
ubuntu | 8.10 | noarch | xine-lib | < 1.1.15-0ubuntu3.1 | UNKNOWN
