Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 534532 (CVE-2014-1684) - <media-video/vlc-2.1.5-r1: DoS in ASF Demuxer (CVE-2014-1684)
Summary: <media-video/vlc-2.1.5-r1: DoS in ASF Demuxer (CVE-2014-1684)
Status: RESOLVED FIXED
Alias: CVE-2014-1684
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
: 541674 (view as bug list)
Depends on:
Blocks: CVE-2014-6440
  Show dependency tree
 
Reported: 2015-01-03 21:01 UTC by GLSAMaker/CVETool Bot
Modified: 2016-03-12 12:07 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2015-01-03 21:01:18 UTC
CVE-2014-1684 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1684):
  The ASF_ReadObject_file_properties function in modules/demux/asf/libasf.c in
  the ASF Demuxer in VideoLAN VLC Media Player before 2.1.3 allows remote
  attackers to cause a denial of service (divide-by-zero error and crash) via
  a zero minimum and maximum data packet size in an ASF file.


Maintainers, please advise which version we can begin stabilization on: 2.1.4 or 2.1.5
Comment 1 Paweł Stankowski 2015-01-04 15:32:29 UTC
=media-video/vlc-2.1.5 should be stabilized, as no new bug since 2.1.4 is known for that version.

This bug should depend on these two:
Bug 530254 : keyword request for vlc-2.1.5 on alpha architecture. It would also be nice if arch testers unmask some hard-masked use flags mentioned in this bug.
Bug 489436 : this one still blocks keywording vlc-2.1.5 on ppc64 and amd64-fbsd architectures. Alternatively it is possible to hardmask 'rdp' USE flag on ppc64 and 'chromaprint' USE flag on amd64-fbsd and keyword stripped version of vlc-2.1.5.
Comment 2 Paweł Stankowski 2015-02-21 00:58:32 UTC
Arch teams, could you please stabilize vlc-2.1.5-r1? If possible, you can also remove hard masks for your architecture mentioned in Bug 530254.

VLC 2.1.5 is still not keyworded on alpha,ppc64 and amd64-fbsd, so it is not possible to switch from 2.1.2 on these architectures. I was trying to contact with them few times, but only alpha team responds from time to time. We will have to drop support for these archs if nothing changes.
Comment 3 Paweł Stankowski 2015-02-28 20:07:39 UTC
*** Bug 541674 has been marked as a duplicate of this bug. ***
Comment 4 Agostino Sarubbo gentoo-dev 2015-02-28 20:28:50 UTC
Arches, please test and mark stable:
=media-video/vlc-2.1.5-r1
Target keywords : "alpha amd64 ppc ppc64 x86"
Comment 5 Agostino Sarubbo gentoo-dev 2015-02-28 23:37:18 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-02-28 23:37:34 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-03-01 09:31:40 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-03-01 09:31:55 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-03-01 11:05:43 UTC
I'm unable to go ahead for alpha because of bug 480718
Comment 10 Paweł Stankowski 2015-03-02 18:31:09 UTC
(In reply to Agostino Sarubbo from comment #9)
> I'm unable to go ahead for alpha because of bug 480718

What about "autogen-5.18.1" which is building correctly on aplha according to SpanKY?
Comment 11 Agostino Sarubbo gentoo-dev 2015-03-05 08:08:16 UTC
(In reply to Paweł Stankowski from comment #10)
> What about "autogen-5.18.1" which is building correctly on aplha according
> to SpanKY?

I reopened the bug.
Comment 12 Ian Delaney (RETIRED) gentoo-dev 2015-04-18 04:13:40 UTC
would purging vlc-2.1.2.ebuild cure this? It is the only version of vlc keyworded alpha
Comment 13 Agostino Sarubbo gentoo-dev 2015-05-04 14:51:15 UTC
alpha will pass for now..feel free to cleanup.
Comment 14 Ian Delaney (RETIRED) gentoo-dev 2015-05-06 12:10:01 UTC
from Comment 2;

VLC 2.1.5 is still not keyworded on alpha,ppc64 and amd64-fbsd,
From bug 530254, still awaiting alpha

The new proxy maintainer has also attempted contact with alpha team and is still waiting.

(In reply to Agostino Sarubbo from comment #13)
> alpha will pass for now..feel free to cleanup.

I have NO idea what this means.

   2.1.2    | + o o o o o o o o o o o o o | o 0/5-7 | gentoo
   2.1.5-r1 | o + ~ o o o o o + + o o - + | o       | gentoo
2.1.9999    | o o o o o o o o o o o o o o | o       | gentoo
------------+-----------------------------+---------+-------
   2.2.0    | o ~ ~ o o o o o o o o o - ~ | # 0/5-8 | gentoo
   2.2.1    | o ~ ~ o o o o o o ~ o o - ~ | o       | gentoo

From here we are all wondering how and why vlc was ever keyworded alpha. I attempted purging of 2.1.2 in initial stages of managing vlc only to have the legacy of the mask of the use flag pertaining to 2.1.2 rule everything in the present day. I cannot cleanup  anything. 2.1.2 is the only version keyworded alpha and 2.1.5-r1 is the only stabled. So, cleanup what??

The 2.2.1 is planned for stable request but its dependencies are not yet ready.
Comment 15 Agostino Sarubbo gentoo-dev 2015-05-06 12:22:52 UTC
(In reply to Ian Delaney from comment #14)
> VLC 2.1.5 is still not keyworded on alpha,ppc64 and amd64-fbsd,

vlc-2.1.5-r1 is stable on PPC64. I don't see where you retrieve this info.

> From bug 530254, still awaiting alpha

Bug 530254 as absolutely nothing to do with this SECURITY bug.


> I have NO idea what this means.

This means you can cleanup the older vlc and alpha will lose the stable keyword.
Vlc on alpha will be ~
Comment 16 Ian Delaney (RETIRED) gentoo-dev 2015-05-07 00:06:44 UTC
(In reply to Agostino Sarubbo from comment #15)
> (In reply to Ian Delaney from comment #14)
> > VLC 2.1.5 is still not keyworded on alpha,ppc64 and amd64-fbsd,
> 
> vlc-2.1.5-r1 is stable on PPC64. I don't see where you retrieve this info.
> 
ok. I copy pasted too much.  delete ",ppc64 and amd64-fbsd,", leaving alpha. This was intended to illustrate alpha is outstanding, forget the others.
> > From bug 530254, still awaiting alpha
> 
> Bug 530254 as absolutely nothing to do with this SECURITY bug.
> 

This security bug would normally proceed to stabilising a version that cures to deficit contained in the security bug. So the security bug serves to 'house' a stable request status, then proceed to cleanup. vlc is still awaiting action from the alpha team to either purge the masking of the use flag or to re-keyword alpha. And you say Bug 530254 as absolutely nothing to do it!? Your comment is valid viewing ONLY the security aspect, but in reality, this bug cannot move until Bug 530254 is addressed, though there is an out. I could put forward the request to make 2.2.1 stable without ~alpha, but in light of the impact, I elect not to.
Note Comment 3 of that bug. It was re-opened by a member of the security team.

> > I have NO idea what this means.
> 
> This means you can cleanup the older vlc and alpha will lose the stable
> keyword.
> Vlc on alpha will be ~
vlc will be ~ on alpha when and not before it is re-keyworded.
current status is
KEYWORDS="~amd64 ~arm ~ppc64 -sparc ~x86 ~x86-fbsd"\
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2015-12-31 04:49:13 UTC
GLSA Vote: No
Thank you all. Closing as noglsa.
Comment 18 Yury German Gentoo Infrastructure gentoo-dev 2015-12-31 04:50:50 UTC
The other VLC bug required a GLSA, so adding this one to it as well. Re-Opening
Comment 19 Nick Andrade 2016-02-22 05:10:27 UTC
There are no longer vulnerable versions of VLC in Portage; I recommend closing this bug.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2016-03-12 12:07:48 UTC
This issue was resolved and addressed in
 GLSA 201603-08 at https://security.gentoo.org/glsa/201603-08
by GLSA coordinator Kristian Fiskerstrand (K_F).