285370 – (CVE-2011-3623) <media-video/vlc-1.0.2: Multiple stack-based buffer overflows in ASF, AVI, MP4 demuxers (CVE-2011-3623)

Bug 285370 (CVE-2011-3623) - <media-video/vlc-1.0.2: Multiple stack-based buffer overflows in ASF, AVI, MP4 demuxers (CVE-2011-3623)

Summary: <media-video/vlc-1.0.2: Multiple stack-based buffer overflows in ASF, AVI, MP...

Status:	RESOLVED FIXED

Alias:	CVE-2011-3623

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal
Assignee:	Gentoo Security

URL:	http://secunia.com/advisories/36762/
Whiteboard:	B2 [glsa]
Keywords:

Duplicates (2):	282089 284780 (view as bug list)
Depends on:	276278 284776 287423
Blocks:	CVE-2009-2462 284781
	Show dependency tree

Reported:	2009-09-17 23:15 UTC by Alex Legler (RETIRED)
Modified:	2014-11-05 22:07 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alex Legler (RETIRED) archtester

2009-09-17 23:15:33 UTC

From Secunia:
Some vulnerabilities have been reported in VLC Media Player, which can be exploited by malicious people to potentially compromise a user's system.

1) A boundary error exists within the "ASF_ObjectDumpDebug()" function in modules/demux/asf/libasf.c. This can be exploited to cause a stack-based buffer overflow via a specially crafted ASF file.
  Fixed in http://git.videolan.org/?p=vlc.git;a=commit;h=dfe7084e8cc64e9b7a87cd37065b59cba2064823

2) A boundary error exists within the "AVI_ChunkDumpDebug_level()" function in modules/demux/avi/libavi.c. This can be exploited to cause a stack-based buffer overflow via a specially crafted AVI file.
  Fixed in http://git.videolan.org/?p=vlc.git;a=commit;h=861e374d03e6c60c7d3c98428c632fe3b9e371b2

3) A boundary error exists within the "__MP4_BoxDumpStructure()" function in modules/demux/mp4/libmp4.c. This can be exploited to cause a stack-based buffer overflow via a specially crafted MP4 file.
  Fixed in http://git.videolan.org/?p=vlc.git;a=commit;h=c5b02d011b8c634d041167f4d2936b55eca4d18d

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

Vulnerability #2 is confirmed in version 1.0.1. Other versions may also be affected.

Comment 1 Alexis Ballier gentoo-dev

2009-09-18 09:16:26 UTC

all three will be fixed in 1.0.2 and these affect <1.0.2

Comment 2 Alexis Ballier gentoo-dev

2009-09-20 09:59:49 UTC

1.0.2 is in the tree, and you have:
http://www.videolan.org/security/sa0901.html

Comment 3 Alexis Ballier gentoo-dev

2009-09-20 10:10:07 UTC

*** Bug 284780 has been marked as a duplicate of this bug. ***

Comment 4 Alexis Ballier gentoo-dev

2009-09-20 10:12:20 UTC

go with 1.0.2 stable; arm still needs to rekeyword. now you latest ~arch is vulnerable to this.

Comment 5 Christian Faulhammer (RETIRED) gentoo-dev

2009-09-22 02:00:27 UTC

x86 stable

Comment 6 Alexis Ballier gentoo-dev

2009-09-22 03:42:59 UTC

  20 Sep 2009; Markus Meier <maekke@gentoo.org> vlc-1.0.2.ebuild:
  add ~arm, bug #276278

Comment 7 Markus Meier gentoo-dev

2009-09-22 07:51:10 UTC

amd64 stable

Comment 8 Tobias Klausmann (RETIRED) gentoo-dev

2009-09-28 21:23:03 UTC

This triggers a whole slew of necessary updates:

'>=media-sound/pulseaudio-0.9.11', '>=media-libs/libdvbpsi-0.1.6', '>=media-libs/schroedinger-1.0.6', 'media-libs/libtiger'

You sure about those?

Comment 9 Samuli Suominen (RETIRED) gentoo-dev

2009-09-28 22:09:52 UTC

(In reply to comment #8)
> This triggers a whole slew of necessary updates:
> 
> '>=media-sound/pulseaudio-0.9.11', '>=media-libs/libdvbpsi-0.1.6',
> '>=media-libs/schroedinger-1.0.6', 'media-libs/libtiger'
> 
> You sure about those? 
> 

Yes,

pulseaudio -> http://bugs.gentoo.org/284776 (alpha is CC'd)
for others, follow the lead of amd64/x86 wrt keywords

Comment 10 Tobias Klausmann (RETIRED) gentoo-dev

2009-09-29 17:31:02 UTC

Stable on alpha.

Comment 11 Mounir Lamouri (volkmar) (RETIRED) gentoo-dev

2009-10-02 21:16:10 UTC

kate module compilation failed on ppc, bug 287423

Comment 12 Mounir Lamouri (volkmar) (RETIRED) gentoo-dev

2009-10-02 22:45:45 UTC

I've been caught by bug 282390.
Now, I need another ppc team member to confirm it's ppc-related... or stabilize vlc.
Every dependencies are stable.

Comment 13 Mounir Lamouri (volkmar) (RETIRED) gentoo-dev

2009-10-03 15:25:07 UTC

Unfortunately, this bug has been confirmed by another ppc dev.

Comment 14 Raúl Porcel (RETIRED) gentoo-dev

2009-10-18 19:06:34 UTC

sparc stable

Comment 15 Nirbheek Chauhan (RETIRED) gentoo-dev

2009-10-19 01:41:29 UTC

*** Bug 282089 has been marked as a duplicate of this bug. ***

Comment 16 Mounir Lamouri (volkmar) (RETIRED) gentoo-dev

2009-11-11 20:01:18 UTC

Actually, the ffmpeg bug isn't related to vlc in any way (vlc-1.0.2 doesn't need a newer ffmpeg) so vlc-1.0.2 is now stable for ppc.

This was the last arch so, security team, you can fix the bug.

Comment 17 Stefan Behte (RETIRED) gentoo-dev

2009-12-18 01:41:00 UTC

GLSA request was added to pending vlc GLSA by a3li.

Comment 18 Gef 2010-05-08 14:27:35 UTC

<media-video/vlc-1.0.2 is no longer in tree.

Comment 19 Stefan Behte (RETIRED) gentoo-dev

2011-10-10 19:12:29 UTC

Can one of our new scouts check if there is a CVE for this and request one if
there is none?

Comment 20 Michael Harrison 2011-10-10 20:42:33 UTC

CVE requested

Comment 21 GLSAMaker/CVETool Bot gentoo-dev

2014-11-05 22:07:36 UTC

This issue was resolved and addressed in
 GLSA 201411-01 at http://security.gentoo.org/glsa/glsa-201411-01.xml
by GLSA coordinator Sean Amoss (ackle).