765040 – (CVE-2020-26664) <media-video/vlc-3.0.12.1: Buffer overread with crafted mkv file (CVE-2020-26664)

Bug 765040 (CVE-2020-26664) - <media-video/vlc-3.0.12.1: Buffer overread with crafted mkv file (CVE-2020-26664)

Summary: <media-video/vlc-3.0.12.1: Buffer overread with crafted mkv file (CVE-2020-26...

Status:	RESOLVED FIXED

Alias:	CVE-2020-26664

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://gist.githubusercontent.com/he...
Whiteboard:	A4 [glsa+ cve]
Keywords:

Depends on:
Blocks:

Reported:	2021-01-12 01:09 UTC by John Helmert III
Modified:	2021-01-29 00:04 UTC (History)
CC List:	1 user (show)

See Also:	761547
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-01-12 01:09:53 UTC

CVE-2020-26664:

A vulnerability in EbmlTypeDispatcher::send in VideoLAN VLC media player 3.0.11 allows attackers to trigger a heap-based buffer overflow via a crafted .mkv file.


Fixed in 3.0.12. Please bump.

Comment 1 Larry the Git Cow gentoo-dev

2021-01-12 18:13:49 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=186788f2eba7c130e38cf6d86116124eb2f57363

commit 186788f2eba7c130e38cf6d86116124eb2f57363
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-01-12 17:43:49 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-12 18:13:46 +0000

    media-video/vlc: security bump to 3.0.12.1
    
    Bug: https://bugs.gentoo.org/765040
    Bug: https://bugs.gentoo.org/723006
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/vlc/Manifest                 |   1 +
 media-video/vlc/vlc-3.0.12.1-r1.ebuild   | 499 ++++++++++++++++++++++++++++++
 media-video/vlc/vlc-3.0.12.1-r101.ebuild | 505 +++++++++++++++++++++++++++++++
 3 files changed, 1005 insertions(+)

Comment 2 NATTkA bot gentoo-dev

2021-01-12 18:16:52 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: media-video/vlc-3.0.12.1

Comment 3 NATTkA bot gentoo-dev

2021-01-12 18:32:59 UTC Comment hidden (obsolete)

Sanity check failed:

> media-video/vlc-3.0.12.1
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (6 total)
>     >=net-libs/srt-1.4.2
>   depend amd64 stable profile default/linux/amd64/17.1 (53 total)
>     >=net-libs/srt-1.4.2
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (6 total)
>     >=net-libs/srt-1.4.2
>   rdepend amd64 stable profile default/linux/amd64/17.1 (53 total)
>     >=net-libs/srt-1.4.2

Comment 4 NATTkA bot gentoo-dev

2021-01-17 20:00:52 UTC Comment hidden (obsolete)

Unable to check for sanity:

> dependent bug #761547 is missing keywords

Comment 5 Agostino Sarubbo gentoo-dev

2021-01-20 07:55:13 UTC

amd64 stable

Comment 6 Agostino Sarubbo gentoo-dev

2021-01-24 12:11:29 UTC

x86 stable

Comment 7 Sam James archtester

2021-01-24 21:59:56 UTC

arm64 done

Comment 8 Sam James archtester

2021-01-27 23:31:32 UTC

- ppc, ppc64 both did -r100 as part of the Lua mega-stable bug, which works for us, as it's not vulnerable, and as the rest of slotted Lua is stable anyway, an unslotted version is undesirable.

- arm doesn't have stable VLC, just srt, so let's move it out of this bug.

Comment 9 Larry the Git Cow gentoo-dev

2021-01-27 23:33:46 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=076307567eebf29a50f49703a6b371cfb6f5efce

commit 076307567eebf29a50f49703a6b371cfb6f5efce
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-01-27 23:33:41 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-27 23:33:41 +0000

    media-video/vlc: security cleanup
    
    Bug: https://bugs.gentoo.org/765040
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/vlc/Manifest                 |   1 -
 media-video/vlc/vlc-3.0.11.1-r1.ebuild   | 492 ------------------------------
 media-video/vlc/vlc-3.0.11.1-r101.ebuild | 503 -------------------------------
 media-video/vlc/vlc-3.0.11.1.ebuild      | 491 ------------------------------
 media-video/vlc/vlc-3.0.12.1.ebuild      | 499 ------------------------------
 5 files changed, 1986 deletions(-)

Comment 10 NATTkA bot gentoo-dev

2021-01-27 23:36:55 UTC

Unable to check for sanity:

> no match for package: media-video/vlc-3.0.12.1

Comment 11 GLSAMaker/CVETool Bot gentoo-dev

2021-01-29 00:04:57 UTC

This issue was resolved and addressed in
 GLSA 202101-37 at https://security.gentoo.org/glsa/202101-37
by GLSA coordinator Aaron Bauman (b-man).