plugins\codec\libflac_plugin.dll in VideoLAN VLC media player 2.2.4 allows remote attackers to cause a denial of service (heap corruption and application crash) or possibly have unspecified other impact via a crafted FLAC file.
plugins\audio_filter\libmpgatofixed32_plugin.dll in VideoLAN VLC media player 2.2.4 allows remote attackers to cause a denial of service (invalid read and application crash) or possibly have unspecified other impact via a crafted file.
It is currently unknown if these vulnerabilities are addressed in 2.2.6.
Is upstream aware of this? I did a quick search and couldn't find any bugs about it.
It was found on Windows, not sure if they have contacted upstream. Original reference is https://code610.blogspot.de/2017/04/multiple-crashes-in-vlc-224.html
CVE-2017-9300 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9300): plugins\codec\libflac_plugin.dll in VideoLAN VLC media player 2.2.4 allows remote attackers to cause a denial of service (heap corruption and application crash) or possibly have unspecified other impact via a crafted FLAC file.
CVE-2017-9301 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9301): plugins\audio_filter\libmpgatofixed32_plugin.dll in VideoLAN VLC media player 2.2.4 allows remote attackers to cause a denial of service (invalid read and application crash) or possibly have unspecified other impact via a crafted file.
2.2.4 was dropped in a0f1a0f598cd1506f2396f5b8ddfd466557e5303
From VLC's git log: (Sample #1)
>commit 83b646f1e8fb89f99064d9aaef3754ccc77bbeac
>Author: Francois Cartegnie <fcvlcdev@free.fr>
>Date: Wed May 31 13:02:29 2017 +0200
>
> codec: flac: fix heap write overflow on frame format change
which is one day after the public report from URL. And changes between 2.2.4 and 2.2.5 in the NEWS file from vlc sources: (Sample #2)
>Windows:
> * The plugins loading will not load external DLLs by default.
I'd say that version 2.2.4 was the last affected by these bugs.
Gentoo Security Padawan
ChrisADR
Changes between 2.2.7 and 2.2.8:
--------------------------------
Demuxers:
 * Fix AVI invalid pointer dereferences
Translations updates
Changes between 2.2.6 and 2.2.7:
--------------------------------
Decoders:
 * Fix flac heap write overflow on format change
 * Fix crash in libavcodec module (heap write out-of band) (CVE-2017-10699)
 * Fix infinite loop in sami subtitle
 * Fix AAC 7.1 channels detection
Demuxers:
 * Fix potential crash in ASX parser
 * Fix AVI read/write overflow
Mac OS X:
 * Fix compatibility with macOS High Sierra
 * Fix regression in ASS subtitle decoding
 * Fix crash during automatic update. Some users might need to manually update to the newest version.
Video Output:
 * Fix Direct3D9 output with odd offsets
Misc:
 * Fix crash in MTP
 * Support libupnp 1.8
Translations updates
Bumping stabilisation to media-video/vlc-2.2.8-r1 for remaining arches.
arm has no revdeps, but ppc/ppc64 do have some via media-libs/phonon{,-vlc}...
ping remaining arches.......
ppc/ppc64 stable
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01971664316881492a2982086b564112dc282ab2
commit 01971664316881492a2982086b564112dc282ab2
Author: Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-01-14 10:27:49 +0000
Commit: Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-02-27 22:50:41 +0000
media-video/vlc: Cleanup vulnerable 2.2.6 arm security stabilisation timeout.
Bug: https://bugs.gentoo.org/620176
Package-Manager: Portage-2.3.19, Repoman-2.3.6
media-video/vlc/Manifest | 1 -
...2.1.0-TomWij-bisected-PA-broken-underflow.patch | 23 -
.../vlc/files/vlc-2.2.4-decoder-lock-scope.patch | 47 --
.../vlc/files/vlc-9999-libva-1.2.1-compat.patch | 12 -
media-video/vlc/vlc-2.2.6.ebuild | 511 ---------------------
5 files changed, 594 deletions(-)
Cleanup done. Security please proceed.
Downgrading to B3 since all CVEs specify DoS and no PoC from RCE. GLSA Vote: No.