OVAL

MDVSA-2008:020 -- Mandriva xine-lib

ID: oval:org.secpod.oval:def:301577
Date: (C)2012-01-07   (M)2021-06-02
Class: PATCH
Family: unix




Two vulnerabilities discovered in xine-lib allow remote execution of arbitrary code:

Heap-based buffer overflow in the rmff_dump_cont function in input/libreal/rmff.c in xine-lib 1.1.9 and earlier allows remote attackers to execute arbitrary code via the SDP Abstract attribute, related to the rmff_dump_header function and related to disregarding the max field.

Multiple heap-based buffer overflows in the rmff_dump_cont function in input/libreal/rmff.c in xine-lib 1.1.9 allow remote attackers to execute arbitrary code via the SDP Title, Author, or Copyright attribute, related to the rmff_dump_header function, different vectors than CVE-2008-0225.

Besides those security issues, the xine-lib provided in Mandriva Linux 2008.0 and 2007.1 did not automatically use Real binary codecs when the user had them installed in /usr/lib64/real on the x86_64 architecture. Also, xine-lib in Mandriva Linux 2007.1 did not automatically use the Real codecs from /usr/lib/RealPlayer10GOLD/codecs, which is provided by the RealPlayer package of Mandriva Powerpack editions.

The updated packages fix these issues.

Platform:
Mandriva Linux 2007.1
Mandriva Linux 2008.0
Product:
xine-lib
Reference:
MDVSA-2008:020
CVE-2008-0225
CVE-2008-0235
CVE (2):
CVE-2008-0235
CVE-2008-0225
CPE (2):
cpe:/o:mandriva:linux:2007.1
cpe:/o:mandriva:linux:2008.0

© SecPod Technologies