- Details -
When parsing the header of an invalid CUE image file or an invalid RealText subtitle file, stack-based buffer overflows might occur.

- Impact -
If successful, a malicious third party could trigger execution of arbitrary code within the context of the VLC media player.

- Threat mitigation -
Exploitation of this issue requires the user to explicitly open a specially crafted file.

http://www.videolan.org/security/sa0810.html
http://www.trapkit.de/advisories/TKADV2008-011.txt
http://www.trapkit.de/advisories/TKADV2008-012.txt
Arches, please test and mark stable
=media-video/vlc-0.9.6
Target keywords: amd64 ppc ppc64 sparc x86
This probably depends on bug 245793 being fixed (unable to reproduce here due to lack of a stable system).
alpha: You need to rekeyword AND stable.
ppc64: Apparently you never had VLC stable, so feel free to un-cc yourself.
Sparc stable, works for me, but of course an exhaustive test of this package is almost impossible. Note, for sparc, this carries along a requirement to mark stable several other packages:
===============
media-video/dirac-1.0.0
media-libs/libkate-0.2.5
media-libs/zvbi-0.2.33
media-libs/schroedinger-1.0.5
media-libs/libass-0.9.5
===========================
Of these, libkate, zvbi, and libass need to be marked stable on everything.
There's a regression. Video is detached from the interface, which was fixed in media-video/vlc-0.9.4-r1 with the patch 'embeddedvideo.patch', but it was removed later. The patch can be applied cleanly to 0.9.6 and works.
(In reply to comment #5)
> There's a regression. Video is detached from the interface, which was fixed in
> media-video/vlc-0.9.4-r1 with the patch 'embeddedvideo.patch', but it was
> removed later.

The regression was to patch it in order to make it available again... See bug #240714, my last comment there and the link I posted.
amd64/x86 need the following packages stable, is this ok and which versions should we pick?

Package                       Version             Current Keywords  Masks
============================= =================== ================= =========
media-libs/zvbi               0.2.31              ~x86              K
media-libs/zvbi               0.2.32              ~x86              K
media-libs/zvbi               0.2.33              ~x86              K
media-libs/libv4l             0.5.1               ~x86              K
media-libs/libv4l             0.5.3               ~x86              K
media-libs/libass             0.9.5               ~x86              K
media-libs/libkate            0.2.5               ~x86              K
media-video/vlc               0.9.6               ~x86              K
(In reply to comment #7)
> amd64/x86 need the following packages stable, is this ok and which versions
> should we pick?

> media-libs/zvbi 0.2.33 ~x86 K
this one should be ok

> media-libs/libv4l 0.5.3 ~x86 K
and this one

> media-libs/libass 0.9.5 ~x86 K
ditto

> media-libs/libkate 0.2.5 ~x86 K
ditto
amd64/x86 stable
Stable on alpha. (also stabled the four deps mentioned by maekke as well as fluidsynth (and two of its deps, lash and ladspa-cmt)).
======================================================
Name: CVE-2008-5032
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5032
Reference: MLIST:[oss-security] 20081105 CVE id request: vlc
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/05/5
Reference: MLIST:[oss-security] 20081105 VideoLAN security advisory 0810
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/05/4
Reference: MLIST:[oss-security] 20081110 Re: CVE id request: vlc
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/10/13
Reference: MISC:http://www.trapkit.de/advisories/TKADV2008-012.txt
Reference: CONFIRM:http://git.videolan.org/?p=vlc.git;a=commitdiff;h=5f63f1562d43f32331006c2c1a61742de031b84d
Reference: CONFIRM:http://www.videolan.org/security/sa0810.html

Stack-based buffer overflow in VideoLAN VLC media player 0.5.0 through 0.9.5 might allow user-assisted attackers to execute arbitrary code via the header of an invalid CUE image file, related to modules/access/vcd/cdrom.c. NOTE: this identifier originally included an issue related to RealText, but that issue has been assigned a separate identifier, CVE-2008-5036.
======================================================
Name: CVE-2008-5036
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5036
Reference: MLIST:[oss-security] 20081105 CVE id request: vlc
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/05/5
Reference: MLIST:[oss-security] 20081105 VideoLAN security advisory 0810
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/05/4
Reference: MLIST:[oss-security] 20081110 Re: CVE id request: vlc
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/10/13
Reference: MISC:http://www.trapkit.de/advisories/TKADV2008-011.txt
Reference: CONFIRM:http://git.videolan.org/?p=vlc.git;a=commitdiff;h=e3cef651125701a2e33a8d75b815b3e39681a447
Reference: CONFIRM:http://www.videolan.org/security/sa0810.html

Stack-based buffer overflow in VideoLAN VLC media player 0.9.x before 0.9.6 might allow user-assisted attackers to execute arbitrary code via an invalid RealText (rt) subtitle file, related to the ParseRealText function in modules/demux/subtitle.c. NOTE: this issue was SPLIT from CVE-2008-5032 on 20081110.
I'll keep vlc ~ppc64 for now.
0.9.8a is stable for ppc
GLSA 200812-24, thanks everyone, sorry about the delay.