Comment 6 for bug 204557

Revision history for this message
Reinhard Tartler (siretart) wrote :

in the mean time, a bugfix only release (1.1.11.1) has been uploaded to debian, here is the changelog diff:

+++ b/ChangeLog Sun Mar 30 15:43:16 2008 +0100
@@ -1,3 +1,14 @@ xine-lib (1.1.11) 2008-03-19
+xine-lib (1.1.11.1) 2008-03-30
+ * Security fixes:
+ - Integer overflows in FLV, Qt, Real, WC3Movie, Matroska and FILM
+ demuxers, allowing remote attackers to trigger heap overflows and
+ possibly execute arbitrary code. (CVE-2008-1482)
+ * Added a few more memory allocation checks to the above demuxers.
+ * WAV file playback fix: don't assume that the first chunk is "fmt ".
+ * Don't try to play partial 24-bit AIFF frames (decoder would lose data).
+ * Fixed AIFF comment chunk handling and sample rate reading.
+ * LPCM fixes: input over-reading, conversion of 24-bit samples.
+

I'd suggest now skipping 1.1.11, and go directly to 1.1.11.1.