Comment 1 Alex Legler (RETIRED) 2009-03-16 20:34:25 UTC

Interestingly, if a video is playing, playback just restarts, but if not, VLC hangs. In other words, the exploit works (0.9.8a, amd64)

Comment 2 Alex Legler (RETIRED) 2009-03-23 22:02:19 UTC

CVE-2009-1045 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1045):
  Stack-based buffer overflow in requests/status.xml in VLC 0.9.8a
  allows remote attackers to cause a denial of service (crash) and
  possible execute arbitrary code via a long input argument in an
  in_play action.

Comment 3 Bjoern Tropf (RETIRED) 2009-04-15 07:29:38 UTC

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=522170#10
This bug is fixed in the latest version of vlc.

The actual problem here is not DoS, ("because if you have access to the html interface and want to DoS vlc, you'd quicker to click on the "Close"
button"), but possible execution of arbitrary code.

Comment 4 Alexis Ballier 2009-04-15 07:39:25 UTC

(In reply to comment #3)
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=522170#10
> This bug is fixed in the latest version of vlc.

are you sure? it still crashed when I tried it.

moreover there is this commit which i'm still unsure about the implications:

http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=c5f355b77a5f11f7a75e7de2e485fab25ad638df

Comment 5 Bjoern Tropf (RETIRED) 2009-04-16 07:08:59 UTC

The Debian resource is incorrect.

This bug might be fixed in vlc 0.9.10.

> Changes between 0.9.9a and 0.9.10-git:
> * Fix default ACL of http interface

http://git.videolan.org/gitweb.cgi?p=vlc.git;a=commit;h=8f621703c2c4d2a4a48a2bfe3c49548e57f74df5

Comment 6 Alexis Ballier 2009-05-10 13:55:35 UTC

(In reply to comment #5)
> The Debian resource is incorrect.
> 
> This bug might be fixed in vlc 0.9.10.
> 
> > Changes between 0.9.9a and 0.9.10-git:
> > * Fix default ACL of http interface

I've added the relevant patch to 0.9.9a-r1's patchset

Comment 7 Christian Faulhammer (RETIRED) 2009-07-02 20:02:58 UTC

arches, please go for media-video/vlc-0.9.9a-r1

Comment 8 Ferris McCormick (RETIRED) 2009-07-02 20:42:19 UTC

Sparc stable, I was already using it.

Comment 9 Christian Faulhammer (RETIRED) 2009-07-02 21:26:13 UTC

x86 stable

Comment 10 Markus Meier 2009-07-05 12:48:51 UTC

amd64 stable

Comment 11 Alexis Ballier 2009-07-07 08:21:11 UTC

(In reply to comment #10)
> amd64 stable
> 

 05 Jul 2009; Markus Meier <maekke@gentoo.org> vlc-0.9.8a.ebuild:
  amd64 stable, bug #262708

(In reply to comment #6)
> > > Changes between 0.9.9a and 0.9.10-git:
> > > * Fix default ACL of http interface
> 
> I've added the relevant patch to 0.9.9a-r1's patchset


Fail? Ok, the bug summary is wrong.

Comment 12 Markus Meier 2009-07-08 20:25:55 UTC

amd64 stable

Comment 13 Tobias Klausmann (RETIRED) 2009-07-12 13:34:37 UTC

Stable on alpha.

Comment 14 Joe Jezak (RETIRED) 2009-07-13 18:16:53 UTC

Marked ppc stable.

Comment 15 Tobias Heinlein (RETIRED) 2009-07-13 21:21:48 UTC

Updated CVE (and the vlc-devel list too, according to Alex) says DoS only (no execution of arbitrary code), so sticking with B3.

Ready for vote, I vote NO.

Comment 16 Stefan Behte (RETIRED) 2009-07-13 22:31:47 UTC

Then I vote NO, too.
Closing NOGLSA.