CVE-2008-0073 — xine-lib - multiple vulnerabilities

Description

Array index error in the sdpplin_parse function in input/libreal/sdpplin.c in xine-lib 1.1.10.1 allows remote RTSP servers to execute arbitrary code via a large streamid SDP parameter.

How to fix CVE-2008-0073

To remediate CVE-2008-0073, upgrade the affected package to a fixed version below.

Debian/vlc—upgrade to 0.8.6.e-2 or later
Debian/vlc—upgrade to 0.8.6.c-6+lenny3 or later
Debian/xine-lib—upgrade to 1.1.10.1-2+lenny2 or later

Is CVE-2008-0073 being exploited?

Low — EPSS is 1.8%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 0.8.6.e-2
from 0, < 0.8.6.c-6+lenny3
from 0, < 1.1.10.1-2+lenny2

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2008-0073