The release notes for 3.0.13 say:

"VLC media player 3.0.13 'Vetinari'

This is the fourteenth release of VLC 3.0 branch, named "Vetinari", in reference to the Lord Patrician from Discworld.

This update contains various fixes and improvements:
- Fix artifacts in HLS streams
- Fix MP4 audio support regressions
- Add SSA text scaling support
- Add NFSv4 support
- Improve SMB2 integration
- Improve Direct3D11 rendering smoothness
- Add mousewheel horizontal axis support
- Security fixes

And many more, check our NEWS file for more details!"
Sanity check failed:

> media-video/vlc-3.0.13
>   depend amd64 dev profile default/linux/amd64/17.0/x32 (3 total)
>     >=media-libs/libbluray-1.3.0:=
>     >=media-libs/libdvdnav-6.1.1:0=
>     >=media-libs/libdvdread-6.1.2:0=
>   depend amd64 stable profile default/linux/amd64/17.1 (45 total)
>     >=media-libs/libbluray-1.3.0:=
>     >=media-libs/libdvdnav-6.1.1:0=
>     >=media-libs/libdvdread-6.1.2:0=
>   rdepend amd64 dev profile default/linux/amd64/17.0/x32 (3 total)
>     >=media-libs/libbluray-1.3.0:=
>     >=media-libs/libdvdnav-6.1.1:0=
>     >=media-libs/libdvdread-6.1.2:0=
>   rdepend amd64 stable profile default/linux/amd64/17.1 (45 total)
>     >=media-libs/libbluray-1.3.0:=
>     >=media-libs/libdvdnav-6.1.1:0=
>     >=media-libs/libdvdread-6.1.2:0=
>   depend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     >=media-libs/libbluray-1.3.0:=
>   rdepend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     >=media-libs/libbluray-1.3.0:=
Created attachment 706062
vlc-3.0.13-srt-1.3.0+.patch

Required patch to still build against >=net-libs/srt-1.3.0
(In reply to Lars Wendler (Polynomial-C) from comment #2)
> Created attachment 706062
> vlc-3.0.13-srt-1.3.0+.patch
>
> Required patch to still build against >=net-libs/srt-1.3.0

Oh, of course. I'll commit it now just because it's faster, thank you
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3c66c764661b65e66ebe69ef6d4cce3a544b6a85

commit 3c66c764661b65e66ebe69ef6d4cce3a544b6a85
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-05-04 22:46:13 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-05-04 22:46:13 +0000

    media-video/vlc: allow building against newer net-libs/srt

    Bug: https://bugs.gentoo.org/788226
    Thanks-to: Lars Wendler <polynomial-c@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/vlc/files/vlc-3.0.13-srt-1.3.0.patch | 11 +++++++++++
 media-video/vlc/vlc-3.0.13.ebuild                |  1 +
 2 files changed, 12 insertions(+)
Unable to check for sanity:

> no match for package: media-libs/libbluray-1.3.0
Sanity check failed:

> media-libs/libbluray-1.3.0-r1
>   depend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
>     dev-libs/libudfread[abi_x86_32(-),abi_x86_64(-),abi_x86_x32(-)]
>   depend amd64 stable profile default/linux/amd64/17.1 (12 total)
>     dev-libs/libudfread[abi_x86_32(-),abi_x86_64(-)]
>   depend amd64 stable profile default/linux/amd64/17.1/no-multilib (3 total)
>     dev-libs/libudfread[abi_x86_64(-)]
>   rdepend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
>     dev-libs/libudfread[abi_x86_32(-),abi_x86_64(-),abi_x86_x32(-)]
>   rdepend amd64 stable profile default/linux/amd64/17.1 (12 total)
>     dev-libs/libudfread[abi_x86_32(-),abi_x86_64(-)]
>   rdepend amd64 stable profile default/linux/amd64/17.1/no-multilib (3 total)
>     dev-libs/libudfread[abi_x86_64(-)]
>   depend arm stable profile default/linux/arm/17.0 (28 total)
>     dev-libs/libudfread
>   depend arm dev profile default/linux/arm/17.0/armv4 (37 total)
>     dev-libs/libudfread
>   rdepend arm stable profile default/linux/arm/17.0 (28 total)
>     dev-libs/libudfread
>   rdepend arm dev profile default/linux/arm/17.0/armv4 (37 total)
>     dev-libs/libudfread
>   depend x86 stable profile default/linux/x86/17.0 (11 total)
>     dev-libs/libudfread[abi_x86_32(-)]
>   rdepend x86 stable profile default/linux/x86/17.0 (11 total)
>     dev-libs/libudfread[abi_x86_32(-)]
https://www.videolan.org/security/sb-vlc3013.html

“
Details

A remote user could create a specifically crafted file that could trigger some various issues.
It is possible to trigger a remote code execution through a specifically crafted playlist, and tricking the user into interacting with that playlist elements. This is explained in more details on the reporter's article.
It is also possible to trigger read or write buffer overflows with some crafted files or by a MITM attack on the automatic updater.

Impact

If successful, a malicious third party could trigger either a crash of VLC or an arbitrary code execution with the privileges of the target user.
While these issues in themselves are most likely to just crash the player, we can't exclude that they could be combined to leak user information or remotely execute code. ASLR and DEP help reduce the likeliness of code execution, but may be bypassed.
We have not seen exploits performing code execution through these vulnerabilities.
”
arm done
amd64 stable
x86 stable
sparc done
ppc64 stable
ppc done
arm64 done

all arches done
Please cleanup.
Unable to check for sanity:

> no match for package: media-video/vlc-3.0.14
This should be closed, as the referenced versions of vlc are not even in the repo anymore. Comments indicate that the implementation was successful across all supported archs.
(In reply to Amel Hodzic from comment #17)
> This should be closed, as the referenced versions of vlc are not even in the
> repo anymore. Comments indicate that the implementation was successful
> across all supported archs.

Ideally we'll GLSA it, but that's a bit hard given how opaque that changelog is. Remember, not everyone syncs as regularly as they should.
Hello everyone, There is no <media-video/vlc-3.0.20 in the Portage tree already. Shouldn't this bug be closed?
(In reply to Aliaksei Urbanski from comment #19)
> Hello everyone,
>
> There is no <media-video/vlc-3.0.20 in the Portage tree already.
> Shouldn't this bug be closed?

No, we still need to issue a GLSA for this issue.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=adf654e272246b70c63a0f741e7f336f235d0fc8

commit adf654e272246b70c63a0f741e7f336f235d0fc8
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-22 07:58:11 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-22 07:58:21 +0000

    [ GLSA 202409-17 ] VLC: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/788226
    Bug: https://bugs.gentoo.org/883943
    Bug: https://bugs.gentoo.org/917274
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-17.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)