Bug 245774 - media-video/vlc < 0.9.6: Buffer overflows in VLC RealText and CUE demuxers (CVE-2008-{5032,5036})
Bug#: 245774 (CVE-2008-5032) Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: aballier@gentoo.org
Component: Vulnerabilities
URL:  http://www.videolan.org/security/sa0810.html
Summary: media-video/vlc < 0.9.6: Buffer overflows in VLC RealText and CUE demuxers (CVE-2008-{5032,5036})
Keywords:  
Status Whiteboard: B2 [glsa]
Opened: 2008-11-06 00:15 0000
Description:   Opened: 2008-11-06 00:15 0000 
- Details -

When parsing the header of an invalid CUE image file or an invalid RealText 
subtitle file, stack-based buffer overflows might occur. 


- Impact -

If successful, a malicious third party could trigger execution of arbitrary 
code within the context of the VLC media player. 


- Threat mitigation -

Exploitation of this issue requires the user to explicitly open a specially 
crafted file. 


http://www.videolan.org/security/sa0810.html
http://www.trapkit.de/advisories/TKADV2008-011.txt
http://www.trapkit.de/advisories/TKADV2008-012.txt

------- Comment #1 From Stefan Behte 2008-11-06 10:27:53 0000 ------- 
Arches, please test and mark stable
=media-video/vlc-0.9.6

Target keywords:
amd64 ppc ppc64 sparc x86

------- Comment #2 From Christian Hoffmann 2008-11-06 11:51:09 0000 ------- 
This probably depends on bug 245793 being fixed (unable to reproduce here due
to lack of a stable system).

------- Comment #3 From Christian Hoffmann 2008-11-06 12:23:01 0000 ------- 
alpha: You need to rekeyword AND stable.
ppc64: Apparently you never had VLC stable, so feel free to un-cc yourself.

------- Comment #4 From Ferris McCormick 2008-11-06 14:49:12 0000 ------- 
Sparc stable, works for me, but of course an exhaustive test of this package is
almost impossible.  Note, for sparc, this carries along a requirement to mark
stable several other packages:
===============
media-video/dirac-1.0.0
media-libs/libkate-0.2.5
media-libs/zvbi-0.2.33
media-libs/schroedinger-1.0.5
media-libs/libass-0.9.5
===========================
Of these, libkate, zvbi, and libass need to be marked stable on everything.

------- Comment #5 From Santiago M. Mola 2008-11-07 15:32:30 0000 ------- 
There's a regression. Video is detached from the interface, which was fixed in
media-video/vlc-0.9.4-r1 with the patch 'embeddedvideo.patch', but it was
removed later.

The patch can be applied cleanly to 0.9.6 and works.

------- Comment #6 From Alexis Ballier 2008-11-07 15:44:49 0000 ------- 
(In reply to comment #5)
> There's a regression. Video is detached from the interface, which was fixed in
> media-video/vlc-0.9.4-r1 with the patch 'embeddedvideo.patch', but it was
> removed later.

The regression was to patch it in order to make it available again...
See bug #240714, my last comment there and the link I posted.

------- Comment #7 From Markus Meier 2008-11-08 13:10:54 0000 ------- 
amd64/x86 need the following packages stable, is this ok and which versions
should we pick?

Package                       Version             Current Keywords  Masks     
============================= =================== ================= =========
media-libs/zvbi               0.2.31              ~x86              K         
media-libs/zvbi               0.2.32              ~x86              K         
media-libs/zvbi               0.2.33              ~x86              K         
media-libs/libv4l             0.5.1               ~x86              K         
media-libs/libv4l             0.5.3               ~x86              K         
media-libs/libass             0.9.5               ~x86              K         
media-libs/libkate            0.2.5               ~x86              K         
media-video/vlc               0.9.6               ~x86              K

------- Comment #8 From Alexis Ballier 2008-11-09 02:21:33 0000 ------- 
(In reply to comment #7)
> amd64/x86 need the following packages stable, is this ok and which versions
> should we pick?

> media-libs/zvbi               0.2.33              ~x86              K         

this one should be ok

> media-libs/libv4l             0.5.3               ~x86              K         

and this one

> media-libs/libass             0.9.5               ~x86              K         

ditto

> media-libs/libkate            0.2.5               ~x86              K         

ditto

------- Comment #9 From Markus Meier 2008-11-09 13:44:56 0000 ------- 
amd64/x86 stable

------- Comment #10 From Tobias Klausmann 2008-11-09 14:53:33 0000 ------- 
Stable on alpha. (also stabled the four deps mentioned by maekke as well as
fluidsynth (and two of its deps, lash and ladspa-cmt).

------- Comment #11 From Stefan Behte 2008-11-11 00:36:16 0000 ------- 
======================================================
Name: CVE-2008-5032
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5032
Reference: MLIST:[oss-security] 20081105 CVE id request: vlc
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/05/5
Reference: MLIST:[oss-security] 20081105 VideoLAN security advisory 0810
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/05/4
Reference: MLIST:[oss-security] 20081110 Re: CVE id request: vlc
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/10/13
Reference: MISC:http://www.trapkit.de/advisories/TKADV2008-012.txt
Reference:
CONFIRM:http://git.videolan.org/?p=vlc.git;a=commitdiff;h=5f63f1562d43f32331006c2c1a61742de031b84d
Reference: CONFIRM:http://www.videolan.org/security/sa0810.html

Stack-based buffer overflow in VideoLAN VLC media player 0.5.0 through
0.9.5 might allow user-assisted attackers to execute arbitrary code
via the header of an invalid CUE image file, related to
modules/access/vcd/cdrom.c.  NOTE: this identifier originally included
an issue related to RealText, but that issue has been assigned a
separate identifier, CVE-2008-5036.


======================================================
Name: CVE-2008-5036
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5036
Reference: MLIST:[oss-security] 20081105 CVE id request: vlc
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/05/5
Reference: MLIST:[oss-security] 20081105 VideoLAN security advisory 0810
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/05/4
Reference: MLIST:[oss-security] 20081110 Re: CVE id request: vlc
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/10/13
Reference: MISC:http://www.trapkit.de/advisories/TKADV2008-011.txt
Reference:
CONFIRM:http://git.videolan.org/?p=vlc.git;a=commitdiff;h=e3cef651125701a2e33a8d75b815b3e39681a447
Reference: CONFIRM:http://www.videolan.org/security/sa0810.html

Stack-based buffer overflow in VideoLAN VLC media player 0.9.x before
0.9.6 might allow user-assisted attackers to execute arbitrary code
via an an invalid RealText (rt) subtitle file, related to the
ParseRealText function in modules/demux/subtitle.c.  NOTE: this issue
was SPLIT from CVE-2008-5032 on 20081110.

------- Comment #12 From Markus Rothe 2008-11-12 18:30:17 0000 ------- 
I'll keep vlc ~ppc64 for now.

------- Comment #13 From Tobias Scherbaum 2008-12-13 13:46:37 0000 ------- 
0.9.8a is stable for ppc

------- Comment #14 From Tobias Heinlein 2008-12-25 01:16:20 0000 ------- 
GLSA 200812-24, thanks everyone, sorry about the delay.