PT-2008-6376 · Xine · Xine-Lib

Published: 2008-11-26 · Updated: 2018-10-11 · CVE-2008-5234

CVSS v2.0: 9.3 (High)

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

xine-lib versions 1.1.12 through 1.1.14
xine-lib version 1.1.15 (vector 1 may not be fixed)

Description

Multiple heap-based buffer overflows allow remote attackers to execute arbitrary code. The vectors are (1) a crafted metadata atom size processed by the parse_moov_atom function in demux_qt.c and (2) frame reading in the id3v23_interp_frame function in id3.c.

Recommendations

For xine-lib versions 1.1.12 through 1.1.14, update to version 1.1.15 or later. For xine-lib version 1.1.15, as vector 1 may not be fixed, consider disabling the parse_moov_atom function in demux_qt.c until a patch is available. Restrict access to the id3v23_interp_frame function in id3.c to minimize the risk of exploitation.

Fix

Buffer Overflow

Weakness Enumeration

Related Identifiers

CVE-2008-5234

Affected Products

Xine-Lib