[Secure-testing-team] xine issues

Darren Salt linux at youmustbejoking.demon.co.uk
Wed Dec 17 02:20:11 UTC 2008


I demand that Nico Golde may or may not have written...

> * Steffen Joeris <steffen.joeris at skolelinux.de> [2008-12-16 22:35]:
>> There are a few security issues (list below), which are still marked as
>> TODO in our security tracker and I would like to hear your comments. Nico
>> has done a great job tracking several of them down and I started to have
>> a look as well, but since there were so many in one go, it would greatly
>> be appreciated if you could provide us with the necessary information.
>> Could you please point us to the version it was fixed in (if it's already
>> fixed) and the exact point in the code, preferably with a patch?

http://alioth.debian.org/~dsalt-guest/security/.private/

_crash.tar contains several problematic files which either cause problems or
have caused problems.

CVE_patches.tar.gz is a split-up version of the oCERT patch. It may not be
correctly split up; if not, provide details and I'll correct it.

xine-lib-security-20081215.bundle is what I have locally committed. I intend
to add the content of CVE_patches.tar.gz and any other relevant individual
patches to that before I push the patches into the upstream repositories, get
1.1.16 released, then deal with the Debian side of things.

I think that all of them, even those filed in the Debian BTS and marked as
"normal" severity, should be fixed for lenny.

> Note that we still have to validate the patches as well as some of them
> looked incomplete. Maybe you could give Steffen access to #xine-private on
> oftc as well so he can join the discussions in irc, that's a bit faster
> than mailing :)

db.d.o says "white"... done.

-- 
| Darren Salt    | linux or ds at              | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| + RIPA NOTICE: NO CONSENT GIVEN FOR INTERCEPTION OF MESSAGE TRANSMISSION

I'd like to, but I did my own thing and now I've got to undo it.
