Bug 203345 (CVE-2007-6681)

Summary: media-video/vlc < 0.8.6d Multiple Vulnerabilities (CVE-2007-{6681,6682,6683,6684})
Product: Gentoo Security
Reporter: Tobias Heinlein (RETIRED) <keytoaster>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: ismail, media-video
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/28233/
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---

Description Tobias Heinlein (RETIRED) gentoo-dev 2007-12-26 00:05:27 UTC
Secunia:

Some vulnerabilities have been discovered in VLC Media Player, which can be exploited by malicious people to compromise a user's system.

1) Boundary errors in the "ParseMicroDvd()", "ParseSSA()", and "ParseVplayer()" functions when handling subtitles can be exploited to cause stack-based buffer overflows.

2) A format string error in the web interface listening on port 8080/tcp (disabled by default) can be exploited via a specially crafted HTTP request with a "Connection" header value containing format specifiers.

Successful exploitation of the vulnerabilities allows execution of arbitrary code.

The vulnerabilities have been confirmed in version 0.8.6d. Other versions may also be affected.

Solution:
Fixed in the SVN repository.

Provided and/or discovered by:
1) Originally reported by Michal Luczaj. Additional information provided by Luigi Auriemma.
2) Luigi Auriemma

Original Advisory:
Michal Luczaj:
http://mailman.videolan.org/pipermail/vlc-devel/2007-June/032672.html
http://mailman.videolan.org/pipermail/vlc-devel/2007-June/033394.html

Luigi Auriemma:
http://aluigi.altervista.org/adv/vlcboffs-adv.txt
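The first issue in the advisory is a fixed-size subtitle text buffer being filled from an unbounded parse. The following is an added example, not VLC's code and not the patch from the changeset above: a bounds-checked parser for one line of a MicroDVD subtitle file (`{start}{stop}text`). The buffer size `MAX_TEXT`, the status codes, the function names and the sample lines are assumptions chosen for the illustration. The text length is measured before anything is copied, and an over-long line is rejected rather than truncated or allowed to overflow.

```c
/* Added example, not VLC's code: a bounds-checked parser for one line of a
 * MicroDVD subtitle file ("{start}{stop}text"). MAX_TEXT, the status codes
 * and the sample lines are assumptions for the illustration. The defect
 * class from the advisory is a fixed-size text buffer filled from an
 * unbounded conversion such as sscanf's "%[^\r\n]"; here the text length is
 * measured first and over-long lines are refused. */
#include <stdio.h>
#include <string.h>

#define MAX_TEXT 64 /* assumed buffer size; kept small so the limit is easy to hit */

enum parse_status { PARSE_OK = 0, PARSE_BAD_HEADER = 1, PARSE_TOO_LONG = 2 };

typedef struct {
    int start;                 /* first frame the subtitle is shown on */
    int stop;                  /* last frame */
    char text[MAX_TEXT + 1];   /* subtitle text, always NUL-terminated */
} microdvd_line_t;

/* Parses one line. Never writes more than MAX_TEXT bytes of text into out. */
enum parse_status parse_microdvd_line(const char *line, microdvd_line_t *out)
{
    int consumed = 0;
    memset(out, 0, sizeof *out);

    /* Only the numeric header goes through sscanf; %n records how much was consumed. */
    if (sscanf(line, "{%d}{%d}%n", &out->start, &out->stop, &consumed) != 2 || consumed == 0)
        return PARSE_BAD_HEADER;
    if (out->start < 0 || out->stop < out->start)
        return PARSE_BAD_HEADER;

    /* The text runs to the end of the line; measure it before copying. */
    const char *text = line + consumed;
    size_t len = strcspn(text, "\r\n");
    if (len > MAX_TEXT)
        return PARSE_TOO_LONG;  /* refuse instead of truncating silently or overflowing */
    memcpy(out->text, text, len);
    out->text[len] = '\0';
    return PARSE_OK;
}

/* Walks a whole file buffer line by line (blank lines skipped) and counts
 * lines that were rejected; a non-zero count is a reasonable log trigger. */
int count_rejected_lines(const char *contents)
{
    int rejected = 0;
    const char *p = contents;
    while (*p) {
        if (strcspn(p, "\r\n") > 0) {
            microdvd_line_t sub;
            if (parse_microdvd_line(p, &sub) != PARSE_OK)
                rejected++;
        }
        p += strcspn(p, "\n");
        if (*p == '\n') p++;
    }
    return rejected;
}

/* Small wrappers so results can be checked without declaring structs. */
int microdvd_status(const char *line)
{
    microdvd_line_t sub;
    return (int)parse_microdvd_line(line, &sub);
}

int microdvd_text_is(const char *line, const char *expected)
{
    microdvd_line_t sub;
    return parse_microdvd_line(line, &sub) == PARSE_OK && strcmp(sub.text, expected) == 0;
}

int main(void)
{
    /* Constructed sample file: two valid lines and one whose text is far too long. */
    char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    char file[320];
    snprintf(file, sizeof file, "{0}{25}Hello world\r\n{26}{50}Second line\r\n{51}{60}%s\r\n", big);
    printf("rejected lines: %d\n", count_rejected_lines(file));
    return 0;
}
```

The point of the structure is that the only unbounded conversion left in the parser reads integers, and the variable-length field is copied with an explicit, checked length.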
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2007-12-26 00:12:11 UTC
Media-video, please advise.

(Or is this already fixed in our ebuilds? The advisories are from June and I spotted other security bug reports from November.)
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2007-12-26 22:04:01 UTC
Had a quick look. One of the changes is:
http://trac.videolan.org/vlc/changeset/23839

From 3 days ago. Given this and the fact that Secunia confirmed the vulnerabilities in 0.8.6d and our latest stable is 0.8.6c + unstable SVN snapshot ebuilds are older than 3 days, we most likely need new ebuilds here.
Comment 3 Alexis Ballier gentoo-dev 2007-12-30 11:48:44 UTC
Hmm, ok, after checking it:
1) => Has been fixed a while ago in trunk, so 0.9.0 snapshots should be ok in that regard. However, the backport to the 0.8.6 branch had been forgotten and was committed only a few days ago.
2) => Discovered recently, fixed in trunk and in 0.8.6 branch.

A 0.8.6e release is in preparation that should fix both. I'd prefer waiting a few days more (as it's expected at the very beginning of the year).
I also need to put a more recent trunk snapshot for ~arch users; this one should also fix 2).
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-01-08 02:49:38 UTC
Alexis, are there any news here? Can you ping the VLC guys if necessary?
Comment 5 Alexis Ballier gentoo-dev 2008-01-10 23:26:58 UTC
(In reply to comment #4)
> Alexis, are there any news here? Can you ping the VLC guys if necessary?
> 

Bah, as 0.8.6e seems to be late, I've bumped 0.8.6d applying the two fixes.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-01-11 00:07:13 UTC
Alexis, thanks. I assume vlc-0.9.0_alpha20080110 has the same patches included, so ~arch is unaffected now?

Arches, please test and mark stable media-video/vlc-0.8.6d.
Target keywords : "alpha amd64 ppc sparc x86"
Comment 7 Steve Dibb (RETIRED) gentoo-dev 2008-01-11 02:43:03 UTC
amd64 stable
Comment 8 Alexis Ballier gentoo-dev 2008-01-11 08:50:35 UTC
(In reply to comment #6)
> Alexis, thanks. I assume vlc-0.9.0_alpha20080110 has the same patches included,
> so ~arch is unaffected now?

Yes, ~arch is unaffected now.
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2008-01-11 12:47:31 UTC
x86 stable
Comment 10 Ferris McCormick (RETIRED) gentoo-dev 2008-01-11 13:52:26 UTC
Sparc stable, works as expected.
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2008-01-11 21:42:00 UTC
ppc stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2008-01-16 18:21:59 UTC
alpha stable, thanks Tobias and sorry for the delay
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-01-17 01:10:08 UTC
CVE-2007-6681:
  Stack-based buffer overflow in modules/demux/subtitle.c in VideoLAN
  VLC 0.8.6d allows remote attackers to execute arbitrary code via a
  long subtitle in a (1) MicroDvd, (2) SSA, and (3) Vplayer file.

CVE-2007-6682:
  Format string vulnerability in the httpd_FileCallBack function
  (network/httpd.c) in VideoLAN VLC 0.8.6d allows remote attackers to
  execute arbitrary code via format string specifiers in the Connection
  parameter.
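CVE-2007-6682 is a client-supplied header value reaching a printf-family function as its format string. The following is an added example, not VLC's `httpd_FileCallBack` and not its fix: it shows the hardened shape (the header value is only ever a `%s` argument to a literal format), a minimal extractor for the Connection header from a raw request, and a detector that flags values a front end or log pipeline should treat as suspicious. The function names, `LINE_MAX_LEN`, and the constructed requests are assumptions for the illustration; header names are matched case-sensitively to keep the example short.

```c
/* Added example, not VLC's code: handling a client-supplied "Connection"
 * header value. Function names, LINE_MAX_LEN and the sample requests are
 * assumptions for the illustration. The defect class from the CVE is a
 * header value used as a printf format string; the hardened routine only
 * ever passes it as a "%s" argument, and the detector flags values that
 * printf would interpret as conversions. */
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 128   /* assumed size of the buffer a log line is built in */

/* Vulnerable shape (deliberately not compiled here):  snprintf(out, n, value);
 * Hardened shape: the format is a string literal and the value is an argument.
 * Returns the length written, or -1 if the line did not fit in out. */
int describe_connection(const char *value, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "Connection: %s", value);
    return (n < 0 || (size_t)n >= out_len) ? -1 : n;
}

/* Extracts the Connection header value from a raw request with CRLF line
 * endings into value[], copying at most value_len-1 bytes.
 * Returns 1 when the header is present, 0 otherwise. */
int get_connection_value(const char *request, char *value, size_t value_len)
{
    const char *p = strstr(request, "\r\nConnection:");
    if (p == NULL || value_len == 0) return 0;
    p += strlen("\r\nConnection:");
    while (*p == ' ' || *p == '\t') p++;          /* optional leading whitespace */
    size_t len = strcspn(p, "\r\n");
    if (len >= value_len) len = value_len - 1;    /* bounded copy into the caller's buffer */
    memcpy(value, p, len);
    value[len] = '\0';
    return 1;
}

/* Detection aid: returns 1 if value contains a sequence printf would treat as
 * a conversion ("%s", "%08x", "%n", ...); "%%" is a literal percent and is
 * ignored. A legitimate Connection value ("close", "keep-alive") never
 * contains '%', so any hit is worth logging at the HTTP front end. */
int has_format_specifier(const char *value)
{
    const char *p = value;
    while ((p = strchr(p, '%')) != NULL) {
        const char *q = p + 1;
        if (*q == '%') { p = q + 1; continue; }
        /* flags, width, precision and length modifiers */
        while (*q && strchr("-+ #0123456789.*hlLqjzt$", *q)) q++;
        /* conversion characters */
        if (*q && strchr("diouxXeEfgGaAcspn", *q)) return 1;
        p = q;
    }
    return 0;
}

/* Combines the two checks for a whole request. */
int request_has_suspicious_connection(const char *request)
{
    char value[LINE_MAX_LEN];
    return get_connection_value(request, value, sizeof value) && has_format_specifier(value);
}

/* Wrappers so the results can be checked without declaring buffers. */
int connection_line_is(const char *value, const char *expected)
{
    char out[LINE_MAX_LEN];
    return describe_connection(value, out, sizeof out) >= 0 && strcmp(out, expected) == 0;
}

int connection_line_length(const char *value, size_t out_len)
{
    char out[LINE_MAX_LEN];
    if (out_len > sizeof out) out_len = sizeof out;
    return describe_connection(value, out, out_len);
}

int main(void)
{
    /* Constructed requests: one benign, one carrying conversions in the header. */
    const char *benign = "GET / HTTP/1.1\r\nHost: example.test\r\nConnection: close\r\n\r\n";
    const char *odd    = "GET / HTTP/1.1\r\nHost: example.test\r\nConnection: %08x %08x\r\n\r\n";
    printf("benign flagged: %d\n", request_has_suspicious_connection(benign));
    printf("odd flagged:    %d\n", request_has_suspicious_connection(odd));
    return 0;
}
```

With the hardened routine, a value such as `%s%s` lands in the log line as the literal characters `%s%s`; the detector is independent of the fix and is what you would run in a reverse proxy or log parser to spot probing of an older build.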
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-01-29 03:46:34 UTC
This also fixes:

* CVE-2007-6683
* CVE-2007-6684
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-07 22:47:38 UTC
GLSA 200803-13