Freeze exception for xine-lib 1.1.11

Bug #204557 reported by Reinhard Tartler
Affects: xine-lib (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

I propose to merge the new debian upload of xine-lib 1.1.11.

It consists of security updates and bugfixes. No new features have been added. It is more work to backport the patches than to just merge the new version.

The following packages need to be rebuilt against the new xine if accepted:
 - libxine1-xvdr.

bugs fixed:
 - bug #195700

Revision history for this message
Reinhard Tartler (siretart) wrote :
description: updated
Revision history for this message
Reinhard Tartler (siretart) wrote :

package for testing available here:
https://edge.launchpad.net/~motumedia/+archive

Revision history for this message
Steve Langasek (vorlon) wrote :

> The following packages need to be rebuilt against the new xine if accepted:
> - libxine1-xvdr.

Please elaborate on this. Is this the only out-of-tree plugin in the archive? If not, why is it the only one that requires a rebuild? (Is this a rebuild for an ABI change?)

Revision history for this message
Reinhard Tartler (siretart) wrote : Re: [Bug 204557] Re: Freeze exception for xine-lib 1.1.11

Steve Langasek <email address hidden> writes:

> Please elaborate on this. Is this the only out-of-tree plugin in the
> archive?

Exactly. It requires a rebuild because the plugin directory is dependent
on the xine version. Actually, this is changed in 1.1.11; see the 2nd
point in the upstream changelog for details.

--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

Revision history for this message
Reinhard Tartler (siretart) wrote :

In the meantime, a bugfix-only release (1.1.11.1) has been uploaded to Debian; here is the changelog diff:

+++ b/ChangeLog Sun Mar 30 15:43:16 2008 +0100
@@ -1,3 +1,14 @@ xine-lib (1.1.11) 2008-03-19
+xine-lib (1.1.11.1) 2008-03-30
+ * Security fixes:
+ - Integer overflows in FLV, Qt, Real, WC3Movie, Matroska and FILM
+ demuxers, allowing remote attackers to trigger heap overflows and
+ possibly execute arbitrary code. (CVE-2008-1482)
+ * Added a few more memory allocation checks to the above demuxers.
+ * WAV file playback fix: don't assume that the first chunk is "fmt ".
+ * Don't try to play partial 24-bit AIFF frames (decoder would lose data).
+ * Fixed AIFF comment chunk handling and sample rate reading.
+ * LPCM fixes: input over-reading, conversion of 24-bit samples.
+
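Review bot: the hunk header `@@ -1,3 +1,14 @@` declares three unchanged context lines (the existing `xine-lib (1.1.11) 2008-03-19` entry) following the eleven `+` lines, but the paste stops at the trailing blank `+` line, so the excerpt is not an applicable diff on its own; quoting the complete hunk, or just the new changelog text without diff markers, would avoid the mismatch between header and body.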

I'd now suggest skipping 1.1.11 and going directly to 1.1.11.1.
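The changelog above attributes CVE-2008-1482 to integer overflows in demuxer size arithmetic and mentions added memory allocation checks. The following is an added illustration of that bug class and of the corresponding check; it is constructed example code, not xine-lib's demuxer source, and the header layout, the `MAX_ENTRIES` cap and the function names are assumptions made for the example. It shows how a 32-bit entry count read from an untrusted container can wrap when multiplied by the entry size, yielding an undersized heap buffer, and how a checked allocator rejects such a count before allocating.

```c
/* Constructed illustration of the CVE-2008-1482 bug class (integer overflow
 * in a demuxer's allocation-size arithmetic). Not xine-lib code; the table
 * format and MAX_ENTRIES cap are assumptions for this example. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define MAX_ENTRIES (1u << 20)  /* hypothetical sanity cap on table entries */

/* A fixed-size table entry as a demuxer might read it from a container. */
struct entry { uint32_t offset; uint32_t size; };

/* Unchecked pattern: count * sizeof(entry) is computed in 32-bit arithmetic
 * and silently wraps; a large count yields a tiny allocation while the
 * subsequent per-entry reads still iterate `count` times. */
uint32_t unchecked_table_bytes(uint32_t count) {
    return count * (uint32_t)sizeof(struct entry);
}

/* Checked pattern: reject a zero count, a count above the format's sanity
 * cap, and any count whose product with the entry size cannot be
 * represented in size_t; only then allocate. Returns NULL on rejection. */
struct entry *alloc_table_checked(uint32_t count, size_t *out_bytes) {
    if (count == 0 || count > MAX_ENTRIES) return NULL;
    if (count > SIZE_MAX / sizeof(struct entry)) return NULL; /* would wrap */
    struct entry *t = calloc(count, sizeof(struct entry));    /* no overflow possible here */
    if (!t) return NULL;
    if (out_bytes) *out_bytes = (size_t)count * sizeof(struct entry);
    return t;
}

/* Read a little-endian 32-bit entry count from an untrusted header and decide
 * whether the table may be allocated. Returns 1 if accepted, 0 if rejected;
 * count_out may be NULL. */
int parse_table_header(const uint8_t *hdr, size_t hdr_len, uint32_t *count_out) {
    if (hdr == NULL || hdr_len < 4) return 0;
    uint32_t count = (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8) |
                     ((uint32_t)hdr[2] << 16) | ((uint32_t)hdr[3] << 24);
    if (count_out) *count_out = count;
    struct entry *t = alloc_table_checked(count, NULL);
    if (!t) return 0;
    free(t);
    return 1;
}

int main(void) {
    /* Constructed headers: 0x20000001 entries * 8 bytes wraps to 8 in 32 bits;
     * 16 entries is a normal, small table. */
    const uint8_t bad_hdr[4] = { 0x01, 0x00, 0x00, 0x20 };
    const uint8_t ok_hdr[4]  = { 0x10, 0x00, 0x00, 0x00 };
    uint32_t c = 0;
    printf("unchecked size for 0x20000001 entries: %u bytes\n",
           unchecked_table_bytes(0x20000001u));
    printf("wrapping header accepted by checked path: %d\n",
           parse_table_header(bad_hdr, sizeof bad_hdr, &c));
    printf("normal header accepted by checked path: %d\n",
           parse_table_header(ok_hdr, sizeof ok_hdr, &c));
    return 0;
}
```

The design point is that the bound check happens on the count, before any multiplication, and that `calloc` is given the two factors separately so the library performs the overflow-safe product; a check written as `if (count * size < count)` after the fact is itself subject to the same wrap.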

Revision history for this message
Martin Pitt (pitti) wrote :

Since it is bugfix-only, there is nothing to approve here. Fine for me.

Changed in xine-lib:
status: New → Confirmed
Revision history for this message
Steve Langasek (vorlon) wrote :

Martin, the 1.1.11.1 update is bugfix-only, but this was a FFe request for 1.1.11 which is not.

Anyway, I've reviewed the exception request and it has my ack as well. Reinhard, please remember to take care of libxine1-xvdr once the xine-lib update is in.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xine-lib - 1.1.11.1-1ubuntu1

---------------
xine-lib (1.1.11.1-1ubuntu1) hardy; urgency=low

  * New upstream Version, merge from debian/unstable.
    - Freeze exception Granted in LP: #204557
    - Includes Security fixes: LP: #195700
  * Remaining Changes:
     - add Replaces: libxine-main1 (<< 1.1.2+repacked1-0ubuntu1)
       in libxine1-bin to make dapper->hardy upgrades work (LP #203605)
     - Modify Maintainer value to match the DebianMaintainerField
       specification.

xine-lib (1.1.11.1-1) unstable; urgency=high

  * New upstream release.
    - CVE-2008-1482: integer overflows in FLV, Qt, Real, WC3Movie, Matroska
      and FILM demuxers, allowing remote attackers to trigger heap overflows
      and possibly execute arbitrary code. (Closes: #472639)

xine-lib (1.1.11-1) unstable; urgency=high

  * New upstream release.
    - CVE-2008-0073: Array index vulnerability which may allow remote
      attackers to execute arbitrary code via a crafted SDP parameter in an
      RTSP stream.
    - DVD reader code no longer uses UDF-provided file sizes as
      authoritative. (Closes: #463177)

  [Darren Salt]
  * Remove the versioning from the libmagick9-dev build-dep.
  * Disable the pulseaudio plugin (don't build, don't install) and remove
    the build-dep on libpulse-dev for now due to instability: xine-lib has
    been observed closing the stream due to audio problems.
    (Closes: #471676)

  [ Reinhard Tartler ]
  * add support for 'parallel' keyword in DEB_BUILD_OPTIONS

 -- Reinhard Tartler <email address hidden> Tue, 01 Apr 2008 09:33:39 +0200

Changed in xine-lib:
status: Confirmed → Fix Released