-
xine-lib (1.1.15-0ubuntu3.3) intrepid-security; urgency=low
* SECURITY UPDATE: Integer overflow in the 4xm demuxer
- debian/patches/14_SECURITY_CVE-2009-0698-2.dpatch: Previous fix was
incomplete. Fix additional integer overflow in src/demuxers/demux_4xm.c.
- CVE-2009-0698
* SECURITY UPDATE: Integer overflow in the QT demuxer via large count
value in an STTS atom
- debian/patches/15_SECURITY_CVE-2009-1274.dpatch: validate atom size
in src/demuxers/demux_qt.c.
- CVE-2009-1274
-- Marc Deslauriers <email address hidden> Fri, 17 Apr 2009 13:05:39 -0400
-
xine-lib (1.1.15-0ubuntu3.2) intrepid-security; urgency=low
* REGRESSION: Broken size checks in CVE-2008-5239 input plugins patch
(LP: #322834)
- debian/patches/12_SECURITY_CVE-2008-5239-fix.dpatch: fix the size
checks in src/input/input_*.c broken by the
08_SECURITY_CVE-2008-5239.dpatch security patch.
- CVE-2008-5239
* SECURITY UPDATE: Integer overflow in the 4xm demuxer
- debian/patches/13_SECURITY_CVE-2009-0698.dpatch: Make sure we don't
overflow fourxm->track_count in src/demuxers/demux_4xm.c.
- CVE-2009-0698
-- Marc Deslauriers <email address hidden> Tue, 24 Mar 2009 09:05:03 -0400
-
xine-lib (1.1.15-0ubuntu3.1intrepid1) intrepid-proposed; urgency=low
* Merge 1.1.15-0ubuntu3.1.
xine-lib (1.1.15-0ubuntu3.1) intrepid-security; urgency=low
* SECURITY UPDATE: backported security fixes from upstream xine-lib hg repo:
- debian/patches/01_SECURITY_invalid_track_type.dpatch: Avoid segfault on
invalid track type in Matroska files.
- debian/patches/02_SECURITY_ffmpeg_video_overflow.dpatch: Heap buffer
overflow in the ffmpeg video decoder.
- debian/patches/03_SECURITY_ffmpeg_audio_overflow.dpatch: Integer overflow
in the ffmpeg audio decoder
- debian/patches/04_SECURITY_cdda_server_overflow.dpatch: Integer overflow
in the CDDA server.
- debian/patches/05_SECURITY_CVE-2008-5234.dpatch: Heap overflow and
unchecked malloc in Quicktime atom parsing. (CVE-2008-5234, CVE-2008-5242)
- debian/patches/06_SECURITY_CVE-2008-5236.dpatch: Buffer overflows in
Matroska, Real and RealAudio demuxers. (CVE-2008-5236)
- debian/patches/07_SECURITY_CVE-2008-5237.dpatch: Integer overflows in
MNG and QT demuxers. (CVE-2008-5237)
- debian/patches/08_SECURITY_CVE-2008-5239.dpatch: Out-of-bounds reads and
heap-based buffer overflows from unchecked or incompletely-checked read
function results. (CVE-2008-5239)
- debian/patches/09_SECURITY_CVE-2008-5240.dpatch: Unchecked malloc using
untrusted values. (CVE-2008-5240)
- debian/patches/10_SECURITY_CVE-2008-5241.dpatch: Integer underflow in qt
compressed atom handling. (CVE-2008-5241)
- debian/patches/11_SECURITY_CVE-2008-5243.dpatch: Buffer indexing using
untrusted or unchecked values. (CVE-2008-5243)
xine-lib (1.1.15-0ubuntu3intrepid1) intrepid-proposed; urgency=low
* New dpatch, 10_translation-fixes, fixes missing "%s" to protect against
broken translations; LP: #290768.
-- Loic Minier <email address hidden> Tue, 27 Jan 2009 14:35:33 +0100
-
xine-lib (1.1.15-0ubuntu3.1) intrepid-security; urgency=low
* SECURITY UPDATE: backported security fixes from upstream xine-lib hg repo:
- debian/patches/01_SECURITY_invalid_track_type.dpatch: Avoid segfault on
invalid track type in Matroska files.
- debian/patches/02_SECURITY_ffmpeg_video_overflow.dpatch: Heap buffer
overflow in the ffmpeg video decoder.
- debian/patches/03_SECURITY_ffmpeg_audio_overflow.dpatch: Integer overflow
in the ffmpeg audio decoder
- debian/patches/04_SECURITY_cdda_server_overflow.dpatch: Integer overflow
in the CDDA server.
- debian/patches/05_SECURITY_CVE-2008-5234.dpatch: Heap overflow and
unchecked malloc in Quicktime atom parsing. (CVE-2008-5234, CVE-2008-5242)
- debian/patches/06_SECURITY_CVE-2008-5236.dpatch: Buffer overflows in
Matroska, Real and RealAudio demuxers. (CVE-2008-5236)
- debian/patches/07_SECURITY_CVE-2008-5237.dpatch: Integer overflows in
MNG and QT demuxers. (CVE-2008-5237)
- debian/patches/08_SECURITY_CVE-2008-5239.dpatch: Out-of-bounds reads and
heap-based buffer overflows from unchecked or incompletely-checked read
function results. (CVE-2008-5239)
- debian/patches/09_SECURITY_CVE-2008-5240.dpatch: Unchecked malloc using
untrusted values. (CVE-2008-5240)
- debian/patches/10_SECURITY_CVE-2008-5241.dpatch: Integer underflow in qt
compressed atom handling. (CVE-2008-5241)
- debian/patches/11_SECURITY_CVE-2008-5243.dpatch: Buffer indexing using
untrusted or unchecked values. (CVE-2008-5243)
-- Marc Deslauriers <email address hidden> Wed, 21 Jan 2009 08:32:25 -0500
-
xine-lib (1.1.15-0ubuntu3intrepid1) intrepid-proposed; urgency=low
* New dpatch, 10_translation-fixes, fixes missing "%s" to protect against
broken translations; LP: #290768.
-- Loic Minier <email address hidden> Thu, 15 Jan 2009 17:51:01 +0100
-
xine-lib (1.1.15-0ubuntu3) intrepid; urgency=low
* Changed xine-engine/buffer.h to use __inline__
vs inline in patch 00_fix_inline.diff to correct
applications from FTBFS when using c90 mode of GCC (LP: #274194)
-- Michael Casadevall <email address hidden> Wed, 24 Sep 2008 19:27:06 -0400
-
xine-lib (1.1.15-0ubuntu2) intrepid; urgency=low
* drop dependency on libfaad-dev, it is not in main.
-- Reinhard Tartler <email address hidden> Wed, 10 Sep 2008 20:04:03 +0200
-
xine-lib (1.1.15-0ubuntu1) intrepid; urgency=low
* New upstream release (LP: #261135)
- introduces updated faad plugin (LP: #76566, #123456)
- Fixes CVE-2008-3231
-- Reinhard Tartler <email address hidden> Tue, 26 Aug 2008 21:07:40 +0200
-
xine-lib (1.1.14-3ubuntu1) intrepid; urgency=low
* merge from debian unstable. Remaining changes:
- disable the jack plugin
- Modify Maintainer value to match the DebianMaintainerField
specification.
* update XS-Vcs-Url to public branch location.
xine-lib (1.1.14-3) unstable; urgency=high
* More security fixes from upstream hg:
- Fix an exploitable ID3 heap buffer overflow.
- Check for possible buffer overflow attempts in the Real demuxer.
- Use size_t for data length variables where there may be int overflows.
- Add some checks for memory allocation failures.
xine-lib (1.1.14-2) unstable; urgency=high
* Fixes from upstream hg:
- CVE-2008-3231: denial of service (application crash) via a crafted OGG
file. (Closes: #492870)
- DoS (application crashes) via crafted Windows Media & AVI files.
- Fix crashes with some MP3 files on i386. (Closes: #491671)
- Avoid Xv deinterlacer image corruption on some chipsets.
- V4L buffer overflow & cleanup crash fixes.
- V4L CVBS & S-Video input fix.
* Fix a DoS (application crash) via crafted AAC files. This uses external
libfaad and, consequently, adds a build-dependency on libfaad-dev.
* Use standards version 3.8.0.
* Adjust libcdio-dev build-dep versioning (lintian warning).
-- Reinhard Tartler <email address hidden> Mon, 25 Aug 2008 13:02:33 +0200
-
xine-lib (1.1.14-2ubuntu1) intrepid; urgency=low
* Merge from debian unstable, remaining changes:
- disable the jack plugin to make dapper->hardy upgrades work (LP #203605)
- adjust deps to make sure Kubuntu CDs are installable.
xine-lib (1.1.14-2) unstable; urgency=high
* Fixes from upstream hg:
- CVE-2008-3231: denial of service (application crash) via a crafted OGG
file. (Closes: #492870)
- DoS (application crashes) via crafted Windows Media & AVI files.
- Fix crashes with some MP3 files on i386. (Closes: #491671)
- Avoid Xv deinterlacer image corruption on some chipsets.
- V4L buffer overflow & cleanup crash fixes.
- V4L CVBS & S-Video input fix.
* Fix a DoS (application crash) via crafted AAC files. This uses external
libfaad and, consequently, adds a build-dependency on libfaad-dev.
* Use standards version 3.8.0.
* Adjust libcdio-dev build-dep versioning (lintian warning).
-- Kees Cook <email address hidden> Wed, 20 Aug 2008 12:36:21 -0700
-
xine-lib (1.1.14-1ubuntu3) intrepid; urgency=low
* Drop libxine-ffmpeg recommends from libxine1, since otherwise Kubuntu CDs
are still uninstallable. (LP: #257611)
-- Martin Pitt <email address hidden> Wed, 13 Aug 2008 17:04:34 +0200
-
xine-lib (1.1.14-1ubuntu2) intrepid; urgency=low
* libxine1 dependencies: Prefer libxine1-misc-plugins over libxine1-plugins,
since the latter pulls in -ffmpeg, which pulls in libavcodec51, which is
banned from CDs. This unbreaks Kubuntu CDs for Alpha 4, although is not
the final solution we might want.
-- Martin Pitt <email address hidden> Wed, 13 Aug 2008 11:18:51 +0200
-
xine-lib (1.1.14-1ubuntu1) intrepid; urgency=low
* merge from debian unstable. Remaining changes:
- disable the jack plugin
in libxine1-bin to make dapper->hardy upgrades work (LP #203605)
- Modify Maintainer value to match the DebianMaintainerField
specification.
* New upstream fixes:
- playback of MJPEG files LP: #93076
- CVE-2008-1878 LP: #235904
- CVE-2008-1686 LP: #218652
* remove Replaces: libxine-main1 (<< 1.1.2+repacked1-0ubuntu1). We don't
support upgrades from dapper/feisty anymore.
xine-lib (1.1.14-1) unstable; urgency=low
* The "beat the freeze" release.
* New upstream release.
- All patches in 1.1.12-2 are present upstream.
- MIME types added. (Closes: #472869)
* Build-depend on libmagick9-dev | libmagick-dev | libmagickwand-dev.
* Build-depend on ghostscript | gs | gs-gpl.
-- Reinhard Tartler <email address hidden> Tue, 08 Jul 2008 22:35:48 +0200
-
xine-lib (1.1.12-2ubuntu2) intrepid; urgency=low
* build against a newer ffmpeg.
* don't try to install the jack plugin, fixes FTBFS.
-- Reinhard Tartler <email address hidden> Mon, 12 May 2008 19:13:47 +0200
-
xine-lib (1.1.12-2ubuntu1) intrepid; urgency=low
* Merge from debian unstable, remaining changes:
- disable the jack plugin
- add Replaces: libxine-main1 (<< 1.1.2+repacked1-0ubuntu1)
in libxine1-bin to make dapper->hardy upgrades work (LP #203605)
- Modify Maintainer value to match the DebianMaintainerField
specification.
xine-lib (1.1.12-2) unstable; urgency=high
* Fixes from upstream hg:
- CVE-2008-1878: Buffer overflow in the NSF demuxer which may allow
remote attackers to cause a denial of service (crash) or possibly
execute arbitrary code via an NSF file with a long title or copyright
message.
(Our chosen option is to patch and disable this code.)
- Backport more calloc usage from the 1.2 branch for extra safety
against possible integer overflows such as found in CVE-2008-1482.
xine-lib (1.1.12-1) unstable; urgency=high
* New upstream release.
- CVE-2008-1686: Insufficient boundary check in speex audio decoder.
- New tool "xine-list-1.1", which front-end maintainers will find useful
for updating .desktop files at install time and in conjunction with
dpkg triggers.
xine-lib (1.1.11.1-3) unstable; urgency=medium
* Fixes from upstream hg:
- Matroska demuxer regression. (Closes: #474316)
- PulseAudio plugin backported & re-enabled.
This takes precedence over ALSA, but falls back cleanly.
* Re-enabled & replaced the JACK audio-put plugin. (Closes: #462663)
This has not yet been committed upstream.
* Don't link with libstdc++ or libm when linking with libmodplug.
(Workaround for bug 457278 and buggy build environments, fixing FTBFS.)
* Urgency=medium; t-p-u has a security-patched version, but it also has
backported bugs...
xine-lib (1.1.11.1-2) unstable; urgency=high
* Fixes from upstream hg:
- Quicktime demuxer regression. (Closes: #473499, #473631)
- Wavpack MIME type information.
-- Reinhard Tartler <email address hidden> Thu, 08 May 2008 13:49:26 +0200
-
xine-lib (1.1.11.1-1ubuntu3) hardy; urgency=low
[ Darren Salt ]
* Fixes from upstream hg:
- Matroska demuxer regression. (Closes: #474316)
- PulseAudio plugin backported & re-enabled.
This takes precedence over ALSA, but falls back cleanly.
[ Reinhard Tartler ]
* Cherrypick the above changes to the ubuntu package (LP: #176332, #131914)
-- Reinhard Tartler <email address hidden> Sat, 12 Apr 2008 23:13:24 +0200