245774 CVE-2008-5032 2008-11-06 00:15 0000 media-video/vlc < 0.9.6: Buffer overflows in VLC RealText and CUE demuxers (CVE-2008-{5032,5036}) 2008-12-25 01:16:20 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.videolan.org/security/sa0810.html B2 [glsa] P2 normal --- 245793 1 aballier@gentoo.org security@gentoo.org aballier@gentoo.org fmccor@gentoo.org impulze@impulze.org aballier@gentoo.org 2008-11-06 00:15:34 0000 - Details - When parsing the header of an invalid CUE image file or an invalid RealText subtitle file, stack-based buffer overflows might occur. - Impact - If successful, a malicious third party could trigger execution of arbitrary code within the context of the VLC media player. - Threat mitigation - Exploitation of this issue requires the user to explicitly open a specially crafted file. http://www.videolan.org/security/sa0810.html http://www.trapkit.de/advisories/TKADV2008-011.txt http://www.trapkit.de/advisories/TKADV2008-012.txt craig@gentoo.org 2008-11-06 10:27:53 0000 Arches, please test and mark stable =media-video/vlc-0.9.6 Target keywords: amd64 ppc ppc64 sparc x86 hoffie@gentoo.org 2008-11-06 11:51:09 0000 This probably depends on bug 245793 being fixed (unable to reproduce here due to lack of a stable system). hoffie@gentoo.org 2008-11-06 12:23:01 0000 alpha: You need to rekeyword AND stable. ppc64: Apparently you never had VLC stable, so feel free to un-cc yourself. fmccor@gentoo.org 2008-11-06 14:49:12 0000 Sparc stable, works for me, but of course an exhaustive test of this package is almost impossible. Note, for sparc, this carries along a requirement to mark stable several other packages: =============== media-video/dirac-1.0.0 media-libs/libkate-0.2.5 media-libs/zvbi-0.2.33 media-libs/schroedinger-1.0.5 media-libs/libass-0.9.5 =========================== Of these, libkate, zvbi, and libass need to be marked stable on everything. coldwind@gentoo.org 2008-11-07 15:32:30 0000 There's a regression. Video is detached from the interface, which was fixed in media-video/vlc-0.9.4-r1 with the patch 'embeddedvideo.patch', but it was removed later. The patch can be applied cleanly to 0.9.6 and works. aballier@gentoo.org 2008-11-07 15:44:49 0000 (In reply to comment #5) > There's a regression. Video is detached from the interface, which was fixed in > media-video/vlc-0.9.4-r1 with the patch 'embeddedvideo.patch', but it was > removed later. The regression was to patch it in order to make it available again... See bug #240714, my last comment there and the link I posted. maekke@gentoo.org 2008-11-08 13:10:54 0000 amd64/x86 need the following packages stable, is this ok and which versions should we pick? Package Version Current Keywords Masks ============================= =================== ================= ========= media-libs/zvbi 0.2.31 ~x86 K media-libs/zvbi 0.2.32 ~x86 K media-libs/zvbi 0.2.33 ~x86 K media-libs/libv4l 0.5.1 ~x86 K media-libs/libv4l 0.5.3 ~x86 K media-libs/libass 0.9.5 ~x86 K media-libs/libkate 0.2.5 ~x86 K media-video/vlc 0.9.6 ~x86 K aballier@gentoo.org 2008-11-09 02:21:33 0000 (In reply to comment #7) > amd64/x86 need the following packages stable, is this ok and which versions > should we pick? > media-libs/zvbi 0.2.33 ~x86 K this one should be ok > media-libs/libv4l 0.5.3 ~x86 K and this one > media-libs/libass 0.9.5 ~x86 K ditto > media-libs/libkate 0.2.5 ~x86 K ditto maekke@gentoo.org 2008-11-09 13:44:56 0000 amd64/x86 stable klausman@gentoo.org 2008-11-09 14:53:33 0000 Stable on alpha. (also stabled the four deps mentioned by maekke as well as fluidsynth (and two of its deps, lash and ladspa-cmt). craig@gentoo.org 2008-11-11 00:36:16 0000 ====================================================== Name: CVE-2008-5032 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5032 Reference: MLIST:[oss-security] 20081105 CVE id request: vlc Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/05/5 Reference: MLIST:[oss-security] 20081105 VideoLAN security advisory 0810 Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/05/4 Reference: MLIST:[oss-security] 20081110 Re: CVE id request: vlc Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/10/13 Reference: MISC:http://www.trapkit.de/advisories/TKADV2008-012.txt Reference: CONFIRM:http://git.videolan.org/?p=vlc.git;a=commitdiff;h=5f63f1562d43f32331006c2c1a61742de031b84d Reference: CONFIRM:http://www.videolan.org/security/sa0810.html Stack-based buffer overflow in VideoLAN VLC media player 0.5.0 through 0.9.5 might allow user-assisted attackers to execute arbitrary code via the header of an invalid CUE image file, related to modules/access/vcd/cdrom.c. NOTE: this identifier originally included an issue related to RealText, but that issue has been assigned a separate identifier, CVE-2008-5036. ====================================================== Name: CVE-2008-5036 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5036 Reference: MLIST:[oss-security] 20081105 CVE id request: vlc Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/05/5 Reference: MLIST:[oss-security] 20081105 VideoLAN security advisory 0810 Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/05/4 Reference: MLIST:[oss-security] 20081110 Re: CVE id request: vlc Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/10/13 Reference: MISC:http://www.trapkit.de/advisories/TKADV2008-011.txt Reference: CONFIRM:http://git.videolan.org/?p=vlc.git;a=commitdiff;h=e3cef651125701a2e33a8d75b815b3e39681a447 Reference: CONFIRM:http://www.videolan.org/security/sa0810.html Stack-based buffer overflow in VideoLAN VLC media player 0.9.x before 0.9.6 might allow user-assisted attackers to execute arbitrary code via an an invalid RealText (rt) subtitle file, related to the ParseRealText function in modules/demux/subtitle.c. NOTE: this issue was SPLIT from CVE-2008-5032 on 20081110. corsair@gentoo.org 2008-11-12 18:30:17 0000 I'll keep vlc ~ppc64 for now. dertobi123@gentoo.org 2008-12-13 13:46:37 0000 0.9.8a is stable for ppc keytoaster@gentoo.org 2008-12-25 01:16:20 0000 GLSA 200812-24, thanks everyone, sorry about the delay.