Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 242410 (CVE-2008-4558)

Summary: media-video/vlc <0.9.4 XSPF index error (CVE-2008-4558)
Product: Gentoo Security Reporter: Stefan Behte (RETIRED) <craig>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: media-video
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.coresecurity.com/content/vlc-xspf-memory-corruption
Whiteboard: ~2? [noglsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2008-10-16 21:36:43 UTC 
Array index error in VLC media player 0.9.2 allows remote attackers to overwrite arbitrary memory and execute arbitrary code via an XSPF playlist file with a negative identifier tag, which passes a signed comparison. 

http://www.coresecurity.com/content/vlc-xspf-memory-corruption

Please stabilize 0.9.4-r1 and mask/remove the older ones.
Comment 1 Alexis Ballier gentoo-dev 2008-10-16 21:52:39 UTC 
(In reply to comment #0)
> Array index error in VLC media player 0.9.2 allows remote attackers to
> overwrite arbitrary memory and execute arbitrary code via an XSPF playlist file
> with a negative identifier tag, which passes a signed comparison. 
> 
> http://www.coresecurity.com/content/vlc-xspf-memory-corruption

has this been confirmed on 0.8.6 ? i've asked around and it seems the vulnerable code wasn't in 0.8.6

> Please stabilize 0.9.4-r1 and mask/remove the older ones.

could be an idea too, but for other reasons :p
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-16 22:04:24 UTC 
I did not verify whether 0.8.6i was vulnerable or not, if you're sure that the vulnerable code isn't there, we can leave it in portage, of course - that's your decision. :)
Comment 3 Alexis Ballier gentoo-dev 2008-10-16 22:09:49 UTC 
(In reply to comment #2)
> I did not verify whether 0.8.6i was vulnerable or not, if you're sure that the
> vulnerable code isn't there, we can leave it in portage, of course - that's
> your decision. :)

i'm not sure, i'm just asking for confirmation; all the things i've read about this were talking only about 0.9.2

this might be interesting too:
http://mailman.videolan.org/pipermail/vlc/2008-October/016125.html
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-10-16 23:13:01 UTC 
I don't seem to be able to reproduce the issue in VLC 0.8.6i-r2 with CORE's reproducer.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-18 20:19:52 UTC 
CVE-2008-4558 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4558):
  Array index error in VLC media player 0.9.2 allows remote attackers
  to overwrite arbitrary memory and execute arbitrary code via an XSPF
  playlist file with a negative identifier tag, which passes a signed
  comparison.
Comment 6 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-19 10:19:11 UTC 
So we've got no evidence that 0.8.x is affected, as such this is ~arch-only and we can close this bug.
I quickly talked to aballier on IRC and he had no evidence of 0.8.x being affected either.

Someone from security, please review this decision anyway, I don't want to be the only culprit. ;)

We'll be handling stabilization of vlc-0.9.x for security reasons in bug 242740.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-10-19 12:52:41 UTC 
(In reply to comment #6)
> Someone from security, please review this decision anyway, I don't want to be
> the only culprit. ;)

ACKed by Debian too, so I guess this is it for this bug.