A vulnerability in VLC Media Player has been reported, which can potentially be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error within modules/access/rtsp/real_sdpplin.c when processing SDP (Session Description Protocol) data for RTSP sessions. This can be exploited to cause a heap-based buffer overflow, e.g. when a user is enticed to connect to a malicious server. Successful exploitation may allow execution of arbitrary code. The vulnerability is reported in version 0.8.6d. Other versions may also be affected.

Solution: none available yet
Is upstream aware of this? I haven't seen anything related on the ML.
Luigi usually seems to contact upstream, probably in a private mail. If you can, please ask for a status update.
Problem is fixed in r24246. Not sure if we should use CVE-2008-0238 or CVE-2008-0225 for the VLC issues, I'd have to look at the code. Also, two new issues were reported via CVE -- both are fixed upstream. I don't know if the VLC team plans a new release, otherwise grabbing the patches for us would be the way to go. Alexis, what do you think?

======================================================
Name: CVE-2007-6683
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6683
Reference: MLIST:[vlc-devel] 20071226 Regarding "obscure" security problem
Reference: URL:http://mailman.videolan.org/pipermail/vlc-devel/2007-December/037726.html
Reference: CONFIRM:https://trac.videolan.org/vlc/changeset/23197
Reference: CONFIRM:https://trac.videolan.org/vlc/ticket/1371

The browser plugin in VideoLAN VLC 0.8.6d allows remote attackers to overwrite arbitrary files via (1) the :demuxdump-file option in a filename in a playlist, or (2) an EXTVLCOPT statement in an MP3 file, possibly an argument injection vulnerability.

======================================================
Name: CVE-2007-6684
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6684
Reference: MLIST:[vlc-devel] 20070915 vlc: svn commit r22023 (courmisch)
Reference: URL:http://mailman.videolan.org/pipermail/vlc-devel/2007-September/034722.html
Reference: CONFIRM:http://trac.videolan.org/vlc/changeset/22023

The RTSP module in VideoLAN VLC 0.8.6d allows remote attackers to cause a denial of service (crash) via a request without a Transport parameter, which triggers a NULL pointer dereference.
another issue is reported:

CVE-2007-6681
Stack-based buffer overflow in modules/demux/subtitle.c in VideoLAN VLC 0.8.6d allows remote attackers to execute arbitrary code via a long subtitle in a (1) MicroDvd, (2) SSA, and (3) Vplayer file.

CVE-2007-6682
Format string vulnerability in the httpd_FileCallBack function (network/httpd.c) in VideoLAN VLC 0.8.6d allows remote attackers to execute arbitrary code via format string specifiers in the Connection parameter.
CVE-2008-0295
Heap-based buffer overflow in modules/access/rtsp/real_sdpplin.c in the Xine library, as used in VideoLAN VLC Media Player 0.8.6d and earlier, allows user-assisted remote attackers to cause a denial of service (crash) or execute arbitrary code via long Session Description Protocol (SDP) data.

CVE-2008-0296
Heap-based buffer overflow in the libaccess_realrtsp plugin in VideoLAN VLC Media Player 0.8.6d and earlier on Windows might allow remote RTSP servers to cause a denial of service (application crash) or execute arbitrary code via a long string.
I'm starting to be really confused there... the initial vuln. is (as far as I know) not even fixed in trunk; perhaps I missed something.

Some are bug #205197, which is fixed in trunk but not backported to -bugfix as far as I know.
Some are bug #203345, which is already fixed and stable.
Some others I don't know.

Could someone please help me sort out what has been applied and what not? And for sure adding all the CVEs assigned to vlc since 1 year won't help.
(In reply to comment #3)
> ======================================================
> Name: CVE-2007-6684
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6684
> Reference: MLIST:[vlc-devel] 20070915 vlc: svn commit r22023 (courmisch)
> Reference: URL:http://mailman.videolan.org/pipermail/vlc-devel/2007-September/034722.html
> Reference: CONFIRM:http://trac.videolan.org/vlc/changeset/22023
>
> The RTSP module in VideoLAN VLC 0.8.6d allows remote attackers to
> cause a denial of service (crash) via a request without a Transport
> parameter, which triggers a NULL pointer dereference.

doesn't seem to be in 0.8.6d

hint: check the date: http://download.videolan.org/pub/vlc/0.8.6d/
anything committed to the -bugfix branch before that date is most likely to be in that release.
this will probably help: http://trac.videolan.org/vlc/changeset/24425
(In reply to comment #4)
> another issue is reported:
>
> CVE-2007-6681
> Stack-based buffer overflow in modules/demux/subtitle.c in VideoLAN VLC 0.8.6d
> allows remote attackers to execute arbitrary code via a long subtitle in a (1)
> MicroDvd, (2) SSA, and (3) Vplayer file.
>
> CVE-2007-6682
> Format string vulnerability in the httpd_FileCallBack function
> (network/httpd.c) in VideoLAN VLC 0.8.6d allows remote attackers to execute
> arbitrary code via format string specifiers in the Connection parameter.

Please don't start a confusion here. We handled those issues in bug 203345.
CVE-2007-6683: http://trac.videolan.org/vlc/changeset/23197
CVE-2007-6684: http://trac.videolan.org/vlc/changeset/22023
CVE-2008-0295: *
CVE-2008-0296: Windows only, according to reporter.

* Is this http://trac.videolan.org/vlc/changeset/24246 ?
(In reply to comment #10)
> CVE-2007-6683: http://trac.videolan.org/vlc/changeset/23197

our 0.8.6d still has this one
http://www.videolan.org/security/sa0802.html

> CVE-2007-6684: http://trac.videolan.org/vlc/changeset/22023

As far as I can tell, this one is included in 0.8.6d and can be handled in bug #203345

> CVE-2008-0295: *
> * Is this http://trac.videolan.org/vlc/changeset/24246 ?

Nope, as far as I can tell, if you have a look at trunk in modules/access/rtsp/real_sdpplin.c, you still have something in the fashion of:

    buf = malloc(3200)
    if (filter(data, "m=", &buf))
    ...

where filter does a memcopy of the size of data onto buf, where of course data is the input.

I'm not sure changeset 24246 fixes something security related. We could ask Diego as hg log tells me he's the one who fixed that in xine-lib :)

However, changeset 24247 is supposed to be bug #205197, aka CVE-2008-0225

> CVE-2008-0296: Windows only, according to reporter.

I fail to see how it is different from CVE-2008-0295
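The fragment quoted in the previous comment (a fixed 3200-byte heap block filled by a copy whose length is taken from the attacker-supplied SDP data) is the shape of the CVE-2008-0295 report. As an added example that is not VLC's or xine-lib's code, here is what a bounded version of such a filter looks like: it copies the value of the first line starting with the requested prefix only if the value fits the destination, and returns -1 otherwise. The 3200-byte size comes from the comment; the function names (sdp_filter_bounded, sdp_media_value_length, sdp_probe_media_len) and the SDP sample are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buffer size taken from the fragment quoted in the thread (buf = malloc(3200)). */
#define SDP_BUF_SIZE 3200

/*
 * Bounded counterpart of the "filter(data, "m=", &buf)" pattern discussed above.
 * Finds the first line of `data` that starts with `prefix`, copies the rest of
 * that line (without CR/LF) into `out`, NUL-terminates it and returns the value
 * length. Returns -1 if no such line exists or if the value would not fit in
 * `out_size` bytes. The absent length check is what made the original pattern a
 * heap overflow: it copied as many bytes as the input held into a fixed block.
 * Hypothetical helper written for this example, not VLC or xine-lib code.
 */
long sdp_filter_bounded(const char *data, const char *prefix,
                        char *out, size_t out_size)
{
    size_t plen = strlen(prefix);
    const char *line = data;

    while (*line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);

        if (len >= plen && memcmp(line, prefix, plen) == 0) {
            const char *value = line + plen;
            size_t vlen = len - plen;

            /* Drop the CR of a CRLF-terminated line. */
            if (vlen > 0 && value[vlen - 1] == '\r')
                vlen--;
            /* The bound: value plus terminator must fit in the destination. */
            if (vlen + 1 > out_size)
                return -1;
            memcpy(out, value, vlen);
            out[vlen] = '\0';
            return (long)vlen;
        }
        if (eol == NULL)
            break;
        line = eol + 1;
    }
    return -1;
}

/*
 * Runs the bounded filter against an SDP blob using the same 3200-byte heap
 * allocation as the quoted fragment and returns the m= value length, or -1.
 */
long sdp_media_value_length(const char *sdp)
{
    char *buf = malloc(SDP_BUF_SIZE);
    long n;

    if (buf == NULL)
        return -1;
    n = sdp_filter_bounded(sdp, "m=", buf, SDP_BUF_SIZE);
    free(buf);
    return n;
}

/*
 * Builds a constructed SDP blob whose m= line carries `value_len` bytes of 'A'
 * and reports what the bounded filter does with it: the value length when it
 * fits, -1 when it would have overflowed the 3200-byte block.
 */
long sdp_probe_media_len(size_t value_len)
{
    const char head[] = "v=0\r\ns=constructed sample\r\nm=";
    size_t hlen = sizeof(head) - 1;
    char *sdp = malloc(hlen + value_len + 3);
    long n;

    if (sdp == NULL)
        return -1;
    memcpy(sdp, head, hlen);
    memset(sdp + hlen, 'A', value_len);
    memcpy(sdp + hlen + value_len, "\r\n", 3);   /* includes the NUL */
    n = sdp_media_value_length(sdp);
    free(sdp);
    return n;
}

int main(void)
{
    printf("well-formed m= line: %ld\n",
           sdp_media_value_length("v=0\r\nm=audio 0 RTP/AVP 0\r\n"));
    printf("3199-byte value: %ld\n", sdp_probe_media_len(3199));
    printf("3200-byte value (rejected): %ld\n", sdp_probe_media_len(3200));
    return 0;
}
```

The point of the probe function is the boundary itself: a 3199-byte value plus its terminator still fits the 3200-byte block, a 3200-byte value does not, and the caller learns that from the return value instead of from a corrupted heap. Whatever the real fix in real_sdpplin.c looks like, any replacement of the quoted pattern has to carry the destination size into the copy in this way.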
(In reply to comment #11)
> > > CVE-2008-0295: *
> > * Is this http://trac.videolan.org/vlc/changeset/24246 ?
>
> Nope, as far as I can tell, if you have a look at trunk in
> modules/access/rtsp/real_sdpplin.c, you still have something in the fashion of:
> buf = malloc(3200)
> if (filter(data, "m=", &buf))
> ...
> where filter does a memcopy of the size of data onto buf, where of course data
> is the input.
>
> I'm not sure changeset 24246 fixes something security related. We could ask
> Diego as hg log tells me he's the one who fixed that in xine-lib :)
>
> However, changeset 24247 is supposed to be bug #205197, aka CVE-2008-0225
>

this is: http://trac.videolan.org/vlc/changeset/24440
(In reply to comment #11)
> (In reply to comment #10)
> > CVE-2007-6683: http://trac.videolan.org/vlc/changeset/23197
>
> our 0.8.6d still has this one
> http://www.videolan.org/security/sa0802.html

In fact it doesn't:
http://trac.videolan.org/vlc/changeset/23198
http://trac.videolan.org/vlc/changeset/23303

From NEWS file:
 * You now need to append --m3u-extvlcopt to your command line to enable EXTVLCOPT options parsing in m3u playlists.

So please move this one to bug #203345
0.8.6d-r1 in the tree, with changesets 24247 and 24440 in its patches. That should be all that is needed.

Now for the ranting, I'd really appreciate it if you could at least check the changelog and that our version is affected before copying all the CVEs you can find there, thanks.
I did not intend to paste "all the CVEs I could find". There were six CVE identifiers assigned within one day, four of which were unknown to me, and I tried to sort out their status on this bug. I'm sorry, but I also have to deal with this mess and partial information, and to be honest, could not do so without your help. I don't know the people, code, and practices in VLC. So I'll do my best to give the info I find, but I hope you can understand I rely on your help there. So thanks for sorting this out.
Arches, please test and mark stable: =media-video/vlc-0.8.6d-r1 Target keywords : "alpha amd64 ppc sparc x86"
x86 stable
Tested media-video/vlc-0.8.6d-r1 USE="X a52 aalib alsa avahi dts dvd flac gnome hal mp3 mpeg musepack ncurses nsplugin ogg opengl png samba sdl speex svg theora truetype vcd vorbis x264 xinerama xv (-3dfx) (-altivec) -arts -bidi -cdda -cddb -corba -daap -dc1394 -debug (-directfb) (-dvb) -esd -fbcon -ggi -gnutls -httpd -jack -libcaca -libnotify (-lirc) -live -matroska (-modplug) -optimisememory -oss -rtsp -sdl-image -seamonkey -shout -skins -stream (-svga) -upnp -v4l -vlm (-win32codecs) -wxwindows -xml -xosd" on sparc.
- compiles
- no test phase
- no collisions
- works

# emerge --info
Portage 2.1.3.19 (default-linux/sparc/sparc64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23-gentoo-r6 sparc64)
=================================================================
System uname: 2.6.23-gentoo-r6 sparc64 sun4u
Timestamp of tree: Tue, 29 Jan 2008 17:30:01 +0000
app-shells/bash: 3.2_p17-r1
dev-lang/python: 2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.10-r5
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.61-r1
sys-devel/automake: 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.24
virtual/os-headers: 2.6.23-r3
ACCEPT_KEYWORDS="sparc"
CBUILD="sparc-unknown-linux-gnu"
CFLAGS="-mcpu=ultrasparc3 -mtune=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe -frename-registers -ggdb"
CHOST="sparc-unknown-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CPPFLAGS="-mcpu=ultrasparc3 -mtune=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe -frename-registers -ggdb"
CXXFLAGS="-mcpu=ultrasparc3 -mtune=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe -frename-registers -ggdb"
DISTDIR="/tmp/distfiles"
FEATURES="collision-protect distlocks installsources metadata-transfer parallel-fetch sanxbox splitdebug strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="de_DE.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="en de"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/sunrise"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="64bit 7zip X a52 aac aalib alsa amr artworkextra audacious avahi blender-game bluetooth bzip2 caps cups custom-cflags cvs dbus dga divx dts dv dvd dvdread encode fastcgi fat ffmpeg flac ftp fuse gcj gd gif gimp gimpprint gmedia gnome gnome-print gnomecanvas gpm grammar gtk hal hpn ieee1394 ithreads javascript jpeg jpeg2k lzo mad memcache midi mikmod mjpeg mp2 mp3 mpeg mpeg2 mplayer musepack nautilus ncurses network networking nls nptl nptlonly nsplugin offensive ogg openal opengl opera pam pcre png pnm ppds quicktime realmedia regex ruby samba sdl slang smartcard smp sms sound soundex sparc speex spell sqlite3 ssl subversion svg symlink test theora threads tiff timidity truetype tta unicode usb userlocales utils vcd vidix vim vim-syntax vim-with-x vorbis wma wmf wmp x264 xanim xcb xfce xine xinerama xorg xulrunner xv xvid zlib"
ALSA_PCM_PLUGINS="adpcm alaw copy dshare dsnoop extplug file hooks ladspa lfloat linear meter mulaw multi null rate route share shm"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse"
KERNEL="linux"
LINGUAS="en de"
USERLAND="GNU"
VIDEO_CARDS="mach64"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
amd64 done.
ppc stable
alpha/sparc stable, thanks Tobias and Friedrich
GLSA 200803-13