Bug 214627

Summary: media-video/vlc <0.8.6f Multiple Vulnerabilities (CVE-2008-{1489,1768,1769})
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: aballier
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-25 01:22:27 UTC
Drew Yao and Nico Golde reported (public):
Name: CVE-2008-1489

  Integer overflow in the MP4_ReadBox_rdrf function in libmp4.c for VLC
  0.8.6e allows remote attackers to cause a denial of service (crash)
  and possibly execute arbitrary code via a crafted MP4 RDRF box that
  triggers a heap-based buffer overflow, a different vulnerability than
  CVE-2008-0984.

Fix:
http://trac.videolan.org/vlc/changeset/09572892df7e72c0d4e598c0b5e076cf330d8b0a

Drew Yao also reported these, which are SEMI-PUBLIC:
* Integer overflow in MP4 demuxer MP4_ReadBox_padb
http://trac.videolan.org/vlc/changeset/3a6282755277ba9321d405c635e50da935d258a6
http://trac.videolan.org/vlc/changeset/edca13e259472872fdfd456cf3ef4a21d1262c11

* Integer overflow in Real demuxer ReadCodecSpecificData()
http://trac.videolan.org/vlc/changeset/783ab03c7bd8ddedcd3dc5bad18efc70a4c57aaa

* Integer overflow in Cinepak codec
http://trac.videolan.org/vlc/changeset/18eb4fd5a75b6429d1d7058a8967696be701a00b
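The bug class behind every entry above is the same: a length field read from the file is used in size arithmetic in its own 32-bit type, wraps, and produces an allocation smaller than the copy that follows it. The following is an added illustration constructed for this page; it is not VLC's libmp4.c, and the box layout (4-byte big-endian length followed by the string), the "+1 for a NUL terminator" arithmetic, the function names and the sample boxes are all assumptions. The real fixes are in the changesets linked above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read a big-endian 32-bit field as found in MP4 box headers. */
static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The vulnerable pattern (constructed, not VLC's code): the allocation size is
 * computed in the 32-bit type of the on-disk field. For n == 0xFFFFFFFF the
 * result wraps to 0, so malloc() would hand back a tiny block and the memcpy()
 * of n bytes that normally follows would write far past it: a heap overflow.
 * Only the arithmetic is reproduced here; the unsafe copy is deliberately
 * not performed. */
uint32_t naive_alloc_size(uint32_t n)
{
    uint32_t alloc = n + 1;   /* room for NUL terminator; wraps on 32-bit */
    return alloc;
}

/* Hardened parser: bound the length field by the bytes actually present in
 * the box before using it, and do the +1 in size_t after that check.
 * Returns a malloc'd NUL-terminated copy of the string, or NULL if the box
 * is malformed. Caller frees. */
char *read_box_string(const uint8_t *box, size_t box_len)
{
    if (box_len < 4)
        return NULL;                 /* no room for the length field */

    uint32_t n = get_be32(box);
    size_t remaining = box_len - 4;
    if (n > remaining)
        return NULL;                 /* field claims more bytes than the box holds */

    /* n <= remaining < box_len, so (size_t)n + 1 cannot wrap here */
    char *s = malloc((size_t)n + 1);
    if (!s)
        return NULL;
    memcpy(s, box + 4, n);
    s[n] = '\0';
    return s;
}

/* Exercise both paths on constructed input. Returns 1 when the hardened
 * parser accepts the well-formed box and rejects the hostile one. */
int demo(void)
{
    /* constructed well-formed box: length 5, payload "hello" */
    const uint8_t good[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
    /* constructed hostile box: length 0xFFFFFFFF, only 4 payload bytes */
    const uint8_t evil[] = { 0xFF, 0xFF, 0xFF, 0xFF, 'A', 'A', 'A', 'A' };

    char *s = read_box_string(good, sizeof good);
    int ok = (s != NULL) && strcmp(s, "hello") == 0;
    free(s);

    /* hardened parser refuses the hostile length */
    ok = ok && read_box_string(evil, sizeof evil) == NULL;
    /* the naive arithmetic would have asked malloc() for 0 bytes */
    ok = ok && naive_alloc_size(get_be32(evil)) == 0;
    return ok;
}

int main(void)
{
    int ok = demo();
    printf("hardened parser: %s\n", ok ? "OK" : "FAILED");
    return ok ? 0 : 1;
}
```

The check that matters is the comparison against the bytes actually present in the container, not a comparison of the field against some fixed maximum: once the length is bounded by real data, any later arithmetic on it can be done in `size_t` without wrapping. This is also the check to look for when reviewing the linked changesets for the padb, Real and Cinepak paths.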
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-25 01:24:55 UTC
I'm opening this bug restricted. Since the patches are public, I'm rating it SEMI-PUBLIC. I enquired with Drew Yao about the publicity status.

IMHO we can wait until the xine issues from bug 214270 are fixed, and stable a big bump. Alexis, what do you think?
Comment 2 Alexis Ballier gentoo-dev 2008-03-25 07:51:32 UTC
(In reply to comment #1)
> I'm opening this bug restricted. Since the patches are public, i'm rating it
> SEMI-PUBLIC. I enquired with Drew Yao about the publicity status.

Hmm, damn; I had completely forgotten about the mp4 ones for -r1. The other ones have been pushed only very recently.

> IMHO we can wait until the xine issues from bug 214270 are fixed, and stable a
> big bump. Alexis, what do you think?

What I would prefer is waiting for 0.8.6f to be sure we do not forget anything, but as we have the patches, just ping me when you think it's time.
Comment 3 Alexis Ballier gentoo-dev 2008-03-26 08:01:23 UTC
(In reply to comment #0)

> * Integer overflow in Cinepak codec
> http://trac.videolan.org/vlc/changeset/18eb4fd5a75b6429d1d7058a8967696be701a00b
if we choose to patch we mustn't forget:

cinepak: do not access arrays beyond allocated size  0.8.6-bugfix
http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=cf489d7bff3c1b36b2d5501ecf21129c78104d98
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-03-26 20:56:16 UTC
I heard the release should come out within a week, so we could wait.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-03-29 09:49:17 UTC
Public, as agreed by both Drew and VLC upstream.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-04-04 02:03:08 UTC
0.8.6f is out, I wonder how many of these changes were actually merged (judging from the changelog, not all) and what the xine bug 214270 status is.
Comment 7 Alexis Ballier gentoo-dev 2008-04-06 13:21:51 UTC
(In reply to comment #6)
> 0.8.6f is out, I wonder how many of these changes were actually merged 

bumped; all the fixes should be there:

Changes between 0.8.6e and 0.8.6f:
----------------------------------

Security updates:
 * Really fixed subtitle buffer overflow (CVE-2007-6681)
 * Fixed Real RTSP code execution problem (CVE-2008-0073)
 * Fixed MP4 integer overflows (CVE-2008-1489)
 * Fixed cinepak integer overflow

Various bugfixes:
 * The Mozilla plugin registers a usable range of MIME-types on Mac OS X
 * Improved VLC's video output behavior on multi-screen setups running Mac OS X
 * Fixed crashes in H264 packetizer
 * Close MMS access on network timeout
 * Fix some problems with AAC decoder & packetizer
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-04-06 17:12:36 UTC
Arches, please test and mark stable:
=media-video/vlc-0.8.6f
Target keywords : "alpha amd64 ppc release sparc x86"
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2008-04-06 20:47:43 UTC
Stable on alpha.
Comment 10 Markus Meier gentoo-dev 2008-04-07 20:52:12 UTC
amd64/x86 stable
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2008-04-08 16:52:35 UTC
sparc stable
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2008-04-10 18:24:30 UTC
ppc stable
Comment 13 Peter Volkov (RETIRED) gentoo-dev 2008-04-10 20:41:44 UTC
Fixed in release snapshot.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-04-18 00:24:00 UTC
CVE-2008-1768 covers the last four links of the initial posting (all integer overflows except for CVE-2008-1489).

CVE-2008-1769 covers the issue from comment 3.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-04-23 16:21:29 UTC
GLSA 200804-25