-
xine-lib (1.1.11.1-1ubuntu3.4) hardy-security; urgency=low
* SECURITY UPDATE: Integer overflow in the 4xm demuxer
- src/demuxers/demux_4xm.c: Fix additional integer overflow, as
previous fix was incomplete.
- http://hg.debian.org/hg/xine-lib/xine-lib/rev/7799748cc0f2
- CVE-2009-0698
* SECURITY UPDATE: Integer overflow in the QT demuxer via large count
value in an STTS atom
- src/demuxers/demux_qt.c: validate atom size
- http://hg.debian.org/hg/xine-lib/xine-lib/rev/d21a4564db03
- CVE-2009-1274
-- Marc Deslauriers <email address hidden> Fri, 17 Apr 2009 13:17:25 -0400
-
xine-lib (1.1.11.1-1ubuntu3.3) hardy-security; urgency=low
* REGRESSION: Broken size checks in CVE-2008-5239 input plugins patch
(LP: #322834)
- src/input/input_*.c: fix the size checks broken by the previous
security update.
- http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=b11cc37934629a2965859163db6095fbbe2b44be;style=gitweb
- CVE-2008-5239
* SECURITY UPDATE: Integer overflow in the 4xm demuxer
- src/demuxers/demux_4xm.c: Make sure we don't overflow
fourxm->track_count.
- http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=ba872682eba8a10217c48b7fe21f0fa763ef4af3;style=gitweb
- CVE-2009-0698
-- Marc Deslauriers <email address hidden> Tue, 24 Mar 2009 09:31:38 -0400
-
xine-lib (1.1.11.1-1ubuntu3.2) hardy-security; urgency=low
* SECURITY UPDATE: backported security fixes from upstream xine-lib hg repo:
- src/demuxers/demux_matroska.c: avoid segfault on invalid track type in
Matroska files.
* http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=7b472fa486db;style=gitweb
- src/combined/ffmpeg/ff_video_decoder.c: fix heap buffer overflow in the
ffmpeg video decoder.
* http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=ffb2e82d7bb77e87492734f72c2e5d21fb9ad2c0;style=gitweb
- misc/cdda_server.c: fix integer overflow in the CDDA server.
* http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=30eb014e9b320035de309ee442ebbff6d405987b;style=gitweb
- src/demuxers/demux_{ogg,avi,asf}.c: fix crashes with fuzzed media files.
(CVE-2008-3231)
* http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=967a8e515380c0c9b9858125a054082145002d00;style=gitweb
* http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=67bfec7af3472674ba7396bd468b7607339fe102;style=gitweb
* http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=4519eeeda3b3a20489b3699693d801c3696221da;style=gitweb
* http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=18059453374c49ebfc9660dcc34acc28afa57d17;style=gitweb
- src/demuxers/demux_{mng,mod}.c: add some checks for memory allocation
failures. (CVE-2008-5233)
* http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=35f09930323e46c92e521846b9ccdfd5e277ad16;style=gitweb
- src/demuxers/demux_qt.c: fix heap overflow in Quicktime atom parsing.
(CVE-2008-5234, CVE-2008-5242)
* http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=6e81eec36701;style=gitweb
- src/demuxers/demux_matroska.c: fix buffer overflows in Matroska demuxer.
(CVE-2008-5236)
* http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=e38bb4b22431123997a16a186fe8beb4edcfef87;style=gitweb
* http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=8e125da9ecbe;style=gitweb
* http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=b01a02595343;style=gitweb
- src/demuxers/demux_{mng,qt}.c: fix integer overflows in MNG and QT
demuxers. (CVE-2008-5237)
* http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=9c97a9a9ba17a487116a198d80a74ec7879aa801;style=gitweb
* http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=65f524e14623;style=gitweb
- src/demuxers/{demux_matroska.c,demux_mod.c,id3.h}: use size_t for data
length variables where there may be int overflows. (CVE-2008-5238)
* http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=a0830dddbd35625069506a9c49321317cbab8a2d;style=gitweb
- src/{input,demuxers}/*.c: fix out-of-bounds reads and heap-based buffer
overflows from unchecked or incompletely-checked read function results.
(CVE-2008-5239)
* http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=7fb21abb15e5a7311a2c157721ddfab0a47090ab;style=gitweb
* http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=5df277a7eec3;style=gitweb
* http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=f775929597b1c10142e51674ee02e041b1b87df4;style=gitweb
* http://hg.debian.org/hg/xine-lib/xine-lib/?cmd=changeset;node=e6efc6d566961ab231686c1ee18044f2d45a2b4a;style=gitweb
- src/demuxers/demux_real.c: fix unchecked malloc using untrusted values.
(CVE-2008-5240)
* http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=01753933e6647ed29226f18e4489ce034b569d65;style=gitweb
* http://hg.debian.org/hg/xine-lib/xine-lib/?cmd=changeset;node=071dc93156e6940a7f1b8bb38762d521dd5731e8;style=gitweb
- src/demuxers/demux_qt.c: fix integer underflow in qt compressed atom
handling. (CVE-2008-5241)
* http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=a57d5ef86b65bcc195a5358125fdb34e10a37bb4;style=gitweb
- src/demuxers/demux_real.c: fix buffer indexing using untrusted or
unchecked values. (CVE-2008-5243)
* http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=4982c9920f42657d0797145bf197127f18d8972c;style=gitweb
- src/libfaad/*: updated to libfaad 2.6.1 to fix crashes with corrupted
AAC files. (CVE-2008-5244)
* http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=18c0264660b951b8e5672f1a66d1bcecdfeb6ea8;style=gitweb
- src/demuxers/id3.c: fix an exploitable ID3 heap buffer overflow.
(CVE-2008-5246)
* http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=268c1c1639d766d92b7e7bb11de7b38482ebe8e9;style=gitweb
- src/xine-engine/info_helper.c: fix crashes with MP3 files with metadata
consisting only of separators. (CVE-2008-5248)
* http://hg.debian.org/hg/xine-lib/xine-lib/?cmd=changeset;node=60ab5d2bdd82f00b10205f816a545337c9363134;style=gitweb
-- Marc Deslauriers <email address hidden> Wed, 21 Jan 2009 09:17:17 -0500
-
xine-lib (1.1.11.1-1ubuntu3.1) hardy-security; urgency=low
* SECURITY UPDATE: array index vulnerability
* fix for src/libxineadec/xine_speex_decoder.c to properly validate its
input
* SECURITY UPDATE: buffer overflow in the NSF demuxer
* fix for src/demuxers/demux_nsf.c to use strndup() instead of strdup()
* References
CVE-2008-1686
CVE-2008-1878
-- Jamie Strandboge <email address hidden> Wed, 30 Jul 2008 15:52:50 -0400
-
xine-lib (1.1.11.1-1ubuntu3) hardy; urgency=low
[ Darren Salt ]
* Fixes from upstream hg:
- Matroska demuxer regression. (Closes: #474316)
- PulseAudio plugin backported & re-enabled.
This takes precedence over ALSA, but falls back cleanly.
[ Reinhard Tartler ]
* Cherrypick the above changes to the ubuntu package (LP: #176332, #131914)
-- Reinhard Tartler <email address hidden> Sat, 12 Apr 2008 23:13:24 +0200
-
xine-lib (1.1.11.1-1ubuntu2) hardy; urgency=low
[ Darren Salt ]
* Fixes from upstream hg:
- Quicktime demuxer regression. (Closes: #473499, #473631)
- Wavpack MIME type information.
[ Reinhard Tartler ]
- merge changes from debian packaging hg to fetch fix for
LP: #210510
-- Reinhard Tartler <email address hidden> Wed, 02 Apr 2008 11:07:04 +0200
-
xine-lib (1.1.11.1-1ubuntu1) hardy; urgency=low
* New upstream Version, merge from debian/unstable.
- Freeze exception Granted in LP: #204557
- Includes Security fixes: LP: #195700
* Remaining Changes:
- add Replaces: libxine-main1 (<< 1.1.2+repacked1-0ubuntu1)
in libxine1-bin to make dapper->hardy upgrades work (LP #203605)
- Modify Maintainer value to match the DebianMaintainerField
specification.
xine-lib (1.1.11.1-1) unstable; urgency=high
* New upstream release.
- CVE-2008-1482: integer overflows in FLV, Qt, Real, WC3Movie, Matroska
and FILM demuxers, allowing remote attackers to trigger heap overflows
and possibly execute arbitrary code. (Closes: #472639)
xine-lib (1.1.11-1) unstable; urgency=high
* New upstream release.
- CVE-2008-0073: Array index vulnerability which may allow remote
attackers to execute arbitrary code via a crafted SDP parameter in an
RTSP stream.
- DVD reader code no longer uses UDF-provided file sizes as
authoritative. (Closes: #463177)
[Darren Salt]
* Remove the versioning from the libmagick9-dev build-dep.
* Disable the pulseaudio plugin (don't build, don't install) and remove
the build-dep on libpulse-dev for now due to instability: xine-lib has
been observed closing the stream due to audio problems.
(Closes: #471676)
[ Reinhard Tartler ]
* add support for 'parallel' keyword in DEB_BUILD_OPTIONS
-- Reinhard Tartler <email address hidden> Tue, 01 Apr 2008 09:33:39 +0200
-
xine-lib (1.1.10.1-2ubuntu1) hardy; urgency=low
* debian/control:
- add Replaces: libxine-main1 (<< 1.1.2+repacked1-0ubuntu1)
in libxine1-bin to make dapper->hardy upgrades work (LP: #203605)
* Modify Maintainer value to match the DebianMaintainerField
specification.
-- Michael Vogt <email address hidden> Tue, 18 Mar 2008 17:22:33 +0100
-
xine-lib (1.1.10.1-2) unstable; urgency=low
[Darren Salt]
* libxine-dev: backport an m4 version-parsing fix from hg.
* Fixed an off-by-one (introduced in the security fix) which breaks
playback of some FLAC files. (Closes: #466746)
* Versioned build-dep on libmagick9-dev (for libmagick10). (Closes: #466681)
Add libmagick-dev as an alternative, with the same version requirement.
xine-lib (1.1.10.1-1) unstable; urgency=high
* New upstream release.
- CVE-2008-0486: Array index vulnerability which may allow remote
attackers to execute arbitrary code via a crafted FLAC tag, which
triggers a buffer overflow. (Closes: #464696)
- Real codec detection was looking in the wrong places. (Closes: #462964)
[Darren Salt]
* Add pkg-config dependency to libxine-dev, fixing xine-plugin FTBFS.
(Closes: #464178, #464321)
* Put libxine1-doc back into section doc until somewhere better is created
for it. (Closes: #462710)
* No longer build-conflict with libxine-dev from xine-lib-1.2. This is no
longer needed due to link order changes.
-- Reinhard Tartler <email address hidden> Tue, 26 Feb 2008 00:09:05 +0000
-
xine-lib (1.1.10-1build1) hardy; urgency=low
* No-change rebuild against libmagick10.
-- Steve Langasek <email address hidden> Wed, 20 Feb 2008 17:35:41 +0000
-
xine-lib (1.1.10-1) unstable; urgency=high
* New upstream release (Closes: #459836)...
* ... fixing some security bugs:
- CVE-2008-0225: Heap-based buffer overflow in rmff_dump_cont function
which allows remote attacker to execute arbitrary code via a crafted
SDP Abstract attribute (Closes: #460551).
This also acks 1.1.8-3+lenny1 (NMU by the security team).
- Related to CVE-2006-1664: Buffer overflow which allows a remote
attacker to execute arbitrary code or crash the client program via a
crafted ASF header.
* ... and fixing some other bugs, including:
- Disappearing audio. (Closes: #461970)
[ Darren Salt ]
* Build-depend on gs-gpl | gs. Avoids FTBFS where recommended packages
aren't automatically installed.
* Put libxine1-doc in section libdevel.
* Move libxine1-doc | libxine-doc to Suggests: in libxine1. (Closes: #458103)
* Add postinst scripts to ensure that the documentation symlinks are
properly created. (This is really dpkg bugginess.) (Closes: #458865)
* Standards version 3.7.3; no changes needed.
[ Reinhard Tartler ]
* Actually install xineplug_decode_w32dll.so and xineplug_decode_qt.so
on i386. debian/rules accidentally used $< where it should have been
$^. Thanks to Gert Kulyk for reporting! LP: #182400
* Fix XS-Hg-VCS headers in debian/control LP: #183886
xine-lib (1.1.9-1) unstable; urgency=low
* New upstream release.
[Darren Salt]
* Re-enable the pulseaudio plugin.
[Reinhard Tartler]
* Remove really unnecessary versioned build depends on binutils. Even
oldstable (sarge) has a newer version available.
* Bug fix: "unable to handle ipv6 MRLs", thanks to Mau (Closes:
#448801).
-- Reinhard Tartler <email address hidden> Fri, 01 Feb 2008 16:21:13 +0000
-
xine-lib (1.1.9-0ubuntu1) hardy; urgency=low
* New upstream release.
[Reinhard Tartler]
* Remove really unnecessary versioned build depends on binutils. Even
oldstable (sarge) has a newer version available.
* Bug fix: "unable to handle ipv6 MRLs", thanks to Mau (Closes:
#448801).
* upload prerelease package to hardy.
-- Reinhard Tartler <email address hidden> Wed, 09 Jan 2008 14:33:46 +0100
-
xine-lib (1.1.8-5) unstable; urgency=low
[Darren Salt]
* Build fix: avoid lots of "make install" invocations (introduced in -4).
* Fix dependency issues with respect to documentation symlinks.
The problem was an incorrect debian/shlibs.local. (Closes: #457328)
* Use a symlink for libxine1-dbg's documentation (this got missed in -4).
* libxine1-bin (-4) should have contained AUTHORS. This is fixed.
xine-lib (1.1.8-4) unstable; urgency=low
[Darren Salt]
* libxine1-dbg was missing some debug symbols. Fixed by building it after
xine-lib's other arch:any packages.
* Introduce a new package, libxine1-bin, which contains the binaries
formerly in libxine1. Dependencies are moved and updated accordingly.
Thanks to Bill Allombert. (Closes: #454267)
* Except for libxine1-doc, libxine1-bin and libxine-dev, symlink to
libxine1-bin's documentation. (AUTHORS is now in libxine1-bin.)
* Backported patches from upstream 1.1 branch:
- Fix compilation of DXR3 support with external ffmpeg.
This is currently only needed for compilation against libavcodeccvs-dev
(from debian-multimedia). Untested with actual DXR3 hardware since I
have none. (cset e55bc398cc7c)
- Fix a problem with non-seekable Flash video (cset de8c671a419c)
- Fix "missing" channels.conf with ATSC (cset fd875c4a15bc)
- Fix a possible crash when changing channels (DVB) (cset bf1ec833d87a)
- Don't stop reading Ogg streams early (cset e4c8ac4a6b49)
- Fix a possible crash when a video output is closed (cset 06494c094761)
- Fix a possible crash when video playback is finished (cset 293845e465cc)
[ Reinhard Tartler ]
* Bug fix: "FTBFS with GCC 4.3: missing #includes", thanks to Martin
Michlmayr and Daniel Schepler (Closes: #455438, #455322).
* Bug fix: "libxine1-plugins: should not depend on libxine1-gnome",
thanks to Hermogenes Hebert Pereira Oliveira. (Closes: #454162).
Instead, a new package is introduced: libxine1-all-plugins, which
additionally depends on the gnome plugin.
* remove the jack plugin. According to upstream it is unfinished and of
poor quality. A rewrite is available in the 1.2 branch.
* adjust dependencies on libxine1-dev and libxine1-dbg
* add XS-DM-Upload-Allowed: yes field to debian/control
* Bug fix: "xine-lib: FTBFS on GNU/kFreeBSD (debian specific part)",
thanks to Petr Salinger (Closes: #449531). Patch applied with some
(minor) modifications.
* Bug fix: "libxine1: FTBFS on GNU/kFreeBSD", thanks to Uwe Hermann
(Closes: #438849). Patch taken from upstream hg repo, cset
1db8870cd7c9
* Bug fix: "typo "A various plugins" in package description",
thanks to Philippe Cloutier (Closes: #455067).
-- Reinhard Tartler <email address hidden> Fri, 04 Jan 2008 10:50:24 +0000
-
xine-lib (1.1.8-3ubuntu2) hardy; urgency=low
* adjust dependencies on libxine1-dev and libxine1-dbg
* adjust conflicts in libxine1-bin
-- Reinhard Tartler <email address hidden> Fri, 14 Dec 2007 08:08:10 +0100
-
xine-lib (1.1.8-3ubuntu1) hardy; urgency=low
Merged from the current state of the debian packaging branch. Will appear
in unstable shortly.
[Darren Salt]
* libxine1-dbg was missing some debug symbols. Fixed by building it after
xine-lib's other arch:any packages.
* Introduce a new package, libxine1-bin, which contains the binaries
formerly in libxine1. Dependencies are moved and updated accordingly.
Thanks to Bill Allombert. (Closes: #454267)
* Except for libxine1-doc, libxine1-bin and libxine-dev, symlink to
libxine1-bin's documentation. (AUTHORS is now in libxine1-bin.)
* Fix compilation of DXR3 support with external ffmpeg.
This is currently only needed for compilation against libavcodeccvs-dev
(from debian-multimedia). Untested with actual DXR3 hardware since I
have none.
[ Reinhard Tartler ]
* Bug fix: "FTBFS with GCC 4.3: missing #includes", thanks to Martin
Michlmayr and Daniel Schepler (Closes: #455438, #455322).
* Bug fix: "libxine1-plugins: should not depend on libxine1-gnome",
thanks to Hermogenes Hebert Pereira Oliveira. (Closes: #454162, LP: #164801)
Instead, a new package is introduced: libxine1-all-plugins, which
additionally depends on the gnome plugin.
* remove the jack plugin. According to upstream it is unfinished and of
poor quality. A rewrite is available in the 1.2 branch. LP: #152487
xine-lib (1.1.8-3) unstable; urgency=low
[Darren Salt]
* Patches from the 1.1.9 dev tree:
- Silence "lacing: N" messages from the matroska demuxer.
- Extra identifier for MPEG video (in AVIs etc.).
* Tighten the dependencies of libxine1 and libxine1-plugins on libxine1-*
packages.
* Move deps on libxine1-{x,console} from libxine1-plugins to libxine1 to
avoid further problems such as bug 448077.
[ Reinhard Tartler ]
* remove gs from build-deps
* don't build the pulseaudio plugin. (Closes: #452211, #427991)
-- Reinhard Tartler <email address hidden> Wed, 12 Dec 2007 22:23:32 +0100
-
xine-lib (1.1.8-2ubuntu2) hardy; urgency=low
* Don't try to install the (removed) jack plugin. fixes FTBFS.
-- Reinhard Tartler <email address hidden> Thu, 25 Oct 2007 21:44:32 +0200
-
xine-lib (1.1.8-2ubuntu1) hardy; urgency=low
* merge from debian. Remaining changes:
- drop the jack plugin. not in main.
xine-lib (1.1.8-2) unstable; urgency=low
[Reinhard Tartler]
* use dh_listpackages instead of hardcoded list for determining the
provided binary packages.
* Bug fix: "Depends->Recommends dependency change breaking other
packages", thanks to Christoph Pfister and Sune Vuorela
(Closes: #439389)
- introduce new package libxine1-misc-plugins, which contains
(nearly) all plugins formerly found in the package libxine1.
- promote all dependencies of libxine1-misc-plugins to Depends.
- Make libxine1 depend on libxine1-plugins | libxine1-misc-plugins.
Apt will prefer the first alternative, which results in many
plugins installed by default. Caveat: If one plugin package has
unsatisfiable dependencies, the user will end up with only
libxine1-misc-plugins installed.
- Make libxine1-plugins depend on libxine1-misc-plugins.
- Make libxine1-plugins not depend on libxine1-console.
- NB: From now on, frontends need to explicitly depend on either
libxine1-x or libxine1-console, depending on whether they are
console based (like cacaxine or fbxine) or X11 based (like gxine).
libxine1-plugins will not depend on libxine1-x or libxine1-console.
* Make libxine1-dev Arch:any. Being arch:all makes a lot of trouble
building frontends on architectures that are out of sync.
* Remove alternative depends on libz-dev (not found even in oldstable)
and slang1-dev (not found in stable, only oldstable) from libxine1-dev.
* Add Homepage field to debian/control
[Darren Salt]
* Add patches from upstream:
- DVD MRL title.chapter fix
* Move libxine1-doc into section "doc".
* Improve package descriptions a bit; in particular, a grammatical
correction for libxine1-console, and an extra sentence describing common
uses of libxine1-ffmpeg.
* New package libxine1-x, which contains the X-based video output plugins.
These were previously in libxine1.
* Move the fb video output plugin into libxine1-console.
xine-lib (1.1.8-1) unstable; urgency=low
* New upstream release. (Closes: #440248)
[Darren Salt]
* Remove config.log when cleaning the build tree.
[Reinhard Tartler]
* Bug fix: "libxine1: copyright file references non-existent AUTHORS
file", thanks to Felipe Sateler (Closes: #438677).
xine-lib (1.1.7-3) unstable; urgency=low
* promote dependencies of xineplug_dmx_audio.so from Suggests to
Recommends. This is necessary for e.g. mp3 files or streams
(Closes: #437906, #437693), thanks to François Valenduc and
Paulo Marcel Coelho Aragão.
xine-lib (1.1.7-2) unstable; urgency=low
[Darren Salt]
* Enable the wavpack plugin. (Closes: #437331)
* Correct the description of libxine-doc. (Closes: #432919, #435590)
* Build-depend on libjack-dev.
* Enable freetype support. (Closes: #416077)
* Add patches from upstream:
- allow using ffmpegvideo w/o direct rendering to play mpeg2 ts;
- handle escaped characters in DVD MRLs;
- fix attempted free of static data, e.g. when using "dvd:/";
- rename mrl_unescape & export it (needed by the previous fix).
These are csets acc7197f7cca, 2e301bc2cce8, 09e652c8188f & 82bc4a5c2b4c.
[ Reinhard Tartler ]
* libxine1: demote all dependencies of the plugins to Recommends.
This includes the directfb plugin and therefore Closes: #427982.
* introduce debian/shlibs.local.libxine1 to avoid self-dependency of
libxine1. Fixes a lintian warning.
* some small changes to package descriptions.
* debian/rules: Don't ignore potential failures in clean when running
$(MAKE) distclean. Check for presence instead (thanks lintian).
-- Reinhard Tartler <email address hidden> Tue, 23 Oct 2007 23:32:26 +0200
-
xine-lib (1.1.7-1ubuntu1) gutsy; urgency=low
* merge debian changes. Remaining change:
- remove the jack plugin, not in main
-- Reinhard Tartler <email address hidden> Sat, 16 Jun 2007 21:22:52 +0100