Bug 211575 (CVE-2008-0984) - media-video/vlc < 0.8.6e MP4 demuxer Code execution (CVE-2008-0984)
Summary: media-video/vlc < 0.8.6e MP4 demuxer Code execution (CVE-2008-0984)
Status: RESOLVED FIXED
Alias: CVE-2008-0984
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.videolan.org/security/sa08...
Whiteboard: A2 [glsa]
Reported: 2008-02-26 22:47 UTC by Robert Buchholz (RETIRED)
Modified: 2008-03-07 22:49 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2008-02-26 22:47:44 UTC
CVE-2008-0984 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0984):
  The MP4 demuxer (mp4.c) for VLC media player 0.8.6d and earlier allows remote
  attackers to overwrite arbitrary memory and execute arbitrary code via a
  malformed MP4 file.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-02-26 22:52:46 UTC
Patch is here:
http://www.videolan.org/patches/vlc-0.8.6-CORE-2008-0130.patch

And this should be fixed in the "e" release, whenever that goes public. So I'd go for patching our 0.8.6d-r1. Media-video, what do you think?
Comment 2 Alexis Ballier gentoo-dev 2008-02-26 23:04:55 UTC
http://download.videolan.org/pub/videolan/vlc/0.8.6e/vlc-0.8.6e.tar.bz2 exists

it's been tagged a few days ago, but I didn't see an announcement yet.
lemme check what's up with this
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2008-02-28 11:28:53 UTC
0.8.6e is officially released.
Comment 4 Alexis Ballier gentoo-dev 2008-02-28 12:02:45 UTC
(In reply to comment #3)
> 0.8.6e is officially released.
> 

yeah but the build hadn't finished when I had to leave home ;)

I'll bump it most likely this evening
Comment 5 Alexis Ballier gentoo-dev 2008-02-28 18:10:41 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > 0.8.6e is officially released.
> > 
> 
> yeah but the build hadn't finished when I had to leave home ;)
> 
> I'll bump it most likely this evening
> 

it's bumped now
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2008-02-29 07:49:01 UTC
Please arches do:

media-video/vlc-0.8.6e 
target keywords are "alpha amd64 ppc ~ppc64 sparc x86 ~x86-fbsd"
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2008-02-29 08:59:28 UTC
x86 stable
Comment 8 Ferris McCormick (RETIRED) gentoo-dev 2008-02-29 15:12:52 UTC
Initial test on sparc results in a BadAlloc error from X followed by a SegFault.  I'll investigate further on another system, but for now, I'm holding off on sparc.
Comment 9 Ferris McCormick (RETIRED) gentoo-dev 2008-02-29 16:18:42 UTC
(In reply to comment #8)
> Initial test on sparc results in a BadAlloc error from X followed by a
> SegFault.  I'll investigate further on another system, but for now, I'm holding
> off on sparc.
> 

This problem is specific to one out-of-date system.  On my reference system (which is completely current) it does not occur.  Hence,

Stable for sparc.
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2008-03-02 14:45:37 UTC
alpha stable, thanks Tobias
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-04 19:34:21 UTC
ppc stable
Comment 12 Santiago M. Mola (RETIRED) gentoo-dev 2008-03-07 12:47:53 UTC
amd64 stable, sorry for the delay.
Comment 13 Peter Volkov (RETIRED) gentoo-dev 2008-03-07 16:13:08 UTC
Fixed in release snapshot.
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-07 22:49:41 UTC
GLSA 200803-13