Bug 230692 (CVE-2008-2430) - media-video/vlc < 0.8.6i Integer overflow in WAV demuxer (CVE-2008-2430)
Status: RESOLVED FIXED
Alias: CVE-2008-2430
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://secunia.com/advisories/30601/
Whiteboard: A2 [glsa]
Reported: 2008-07-03 23:59 UTC by Robert Buchholz (RETIRED)
Modified: 2008-07-31 18:25 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2008-07-03 23:59:59 UTC
Secunia writes:
Secunia Research has discovered a vulnerability in VLC Media Player, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an integer overflow error within the "Open()" function in "modules/demux/wav.c". This can be exploited to cause a heap-based buffer overflow via a specially crafted WAV file having an overly large "fmt" chunk.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is confirmed in version 0.8.6h on Windows. Prior versions may also be affected.

Solution:
The vulnerability will be fixed in an upcoming version 0.8.6i.

Fixed in the GIT repository.
http://git.videolan.org/gitweb.cgi?p=vlc.git;a=commitdiff_plain;h=3de60bf5b886ad81d7c05d68dff7a1ba461c0ac1
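
The bug class the advisory describes, as an added example that is not part of the original report and is not VLC's code: a size read from a "fmt " chunk header wraps in 32-bit arithmetic before it is used as an allocation length. `FMT_PAD`, `FMT_MAX`, the function names and the sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define FMT_PAD 2u      /* hypothetical: bytes a parser adds to the declared size */
#define FMT_MAX 4096u   /* hypothetical sanity cap for a "fmt " chunk body */

/* Unchecked pattern: 32-bit addition wraps, so a declared size close to
 * UINT32_MAX produces a tiny allocation length for a huge read. */
uint32_t alloc_len_unchecked(uint32_t declared) { return declared + FMT_PAD; }

/* Checked form: reject before doing the arithmetic. 0 = ok, -1 = reject. */
int alloc_len_checked(uint32_t declared, uint32_t *out) {
    if (declared > UINT32_MAX - FMT_PAD || declared > FMT_MAX) return -1;
    *out = declared + FMT_PAD;
    return 0;
}

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk the RIFF chunks of an in-memory WAV file and validate the "fmt "
 * chunk: declared size must fit in the data present and pass the check. */
int wav_fmt_check(const uint8_t *buf, size_t len, uint32_t *alloc_len) {
    if (len < 12 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "WAVE", 4)) return -1;
    size_t off = 12;
    while (off + 8 <= len) {
        uint32_t sz = le32(buf + off + 4);
        if (sz > len - off - 8) return -1;           /* claims more than exists */
        if (memcmp(buf + off, "fmt ", 4) == 0) return alloc_len_checked(sz, alloc_len);
        off += 8 + (size_t)sz + (sz & 1);            /* chunks are 2-byte aligned */
    }
    return -1;                                       /* no "fmt " chunk found */
}

/* Constructed samples: a 16-byte PCM "fmt " chunk, and a header whose
 * "fmt " chunk declares 0xFFFFFFFE bytes. */
static const uint8_t WAV_OK[] = { 'R','I','F','F', 28,0,0,0, 'W','A','V','E',
    'f','m','t',' ', 16,0,0,0, 1,0, 2,0, 0x44,0xAC,0,0, 0x10,0xB1,2,0, 4,0, 16,0 };
static const uint8_t WAV_BAD[] = { 'R','I','F','F', 12,0,0,0, 'W','A','V','E',
    'f','m','t',' ', 0xFE,0xFF,0xFF,0xFF };
```

A streaming parser cannot compare the declared size with the bytes present, so there the check in `alloc_len_checked` is the one that has to hold.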
Comment 1 Alexis Ballier gentoo-dev 2008-07-04 07:04:49 UTC
FYI: 0.9.0-test1 (_beta1 for us) isn't affected, but it is not really possible to stabilise it yet. Imho we should wait for 0.8.6i that should come with a couple of other bugfixes too.
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2008-07-04 09:50:22 UTC
As I understood it, this is a Windows-only problem. I already saw the advisory some days ago (well, maybe it was only yesterday) and didn't file a bug for this reason.

See http://securitytracker.com/alerts/2008/Jul/1020429.html -- it says
  Underlying OS:  Windows (Any)


Secunia ($URL) says:
  The vulnerability is confirmed in version 0.8.6h *on Windows*.

No idea whether this really means that only Windows is affected, the wording is a bit ambiguous, imo.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-07-04 17:49:06 UTC
The Secunia advisory stated that it is confirmed with version 0.8.6h on Windows, but that does not mean that only Windows versions are affected (neither does it mean that 0.8.6g is unaffected). The code path that is changed by the patch is not specific to Windows, so I would assume this issue affects Linux.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-07-09 20:45:31 UTC
Any news on the new version?
Comment 5 Alexis Ballier gentoo-dev 2008-07-13 11:00:58 UTC
0.8.6i is in the tree now.

Videolan SA:
http://www.videolan.org/security/sa0806.html

Release notes:
http://wiki.videolan.org/Changelog/0.8.6i

Changes from current stable also contain:
http://wiki.videolan.org/Changelog/0.8.6h
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-07-13 11:11:53 UTC
Arches, please test and mark stable:
=media-video/vlc-0.8.6i
Target keywords : "alpha amd64 ppc sparc x86"
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2008-07-14 10:48:53 UTC
sparc/x86 stable
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2008-07-14 18:50:59 UTC
Stable on alpha.
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2008-07-15 17:46:32 UTC
ppc stable
Comment 10 Dawid Węgliński (RETIRED) gentoo-dev 2008-07-19 07:08:45 UTC
amd64 stable
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2008-07-20 19:00:18 UTC
GLSA request filed.
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-31 18:25:26 UTC
GLSA 200807-13