| Summary: | media-video/vlc < 0.9.6: Buffer overflows in VLC RealText and CUE demuxers (CVE-2008-{5032,5036}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Alexis Ballier <aballier> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | aballier, fmccor, impulze |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.videolan.org/security/sa0810.html | | |
| Whiteboard: | B2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 245793 | | |
| Bug Blocks: | | | |

Description
Alexis Ballier
2008-11-06 00:15:34 UTC
Arches, please test and mark stable =media-video/vlc-0.9.6

Target keywords: amd64 ppc ppc64 sparc x86

This probably depends on bug 245793 being fixed (unable to reproduce here due to lack of a stable system).

alpha: You need to rekeyword AND stable.

ppc64: Apparently you never had VLC stable, so feel free to un-cc yourself.

Sparc stable, works for me, but of course an exhaustive test of this package is almost impossible. Note, for sparc, this carries along a requirement to mark stable several other packages:

- media-video/dirac-1.0.0
- media-libs/libkate-0.2.5
- media-libs/zvbi-0.2.33
- media-libs/schroedinger-1.0.5
- media-libs/libass-0.9.5

Of these, libkate, zvbi, and libass need to be marked stable on everything.

There's a regression. Video is detached from the interface, which was fixed in media-video/vlc-0.9.4-r1 with the patch 'embeddedvideo.patch', but it was removed later. The patch can be applied cleanly to 0.9.6 and works.

(In reply to comment #5)

> There's a regression. Video is detached from the interface, which was fixed in
> media-video/vlc-0.9.4-r1 with the patch 'embeddedvideo.patch', but it was
> removed later.

The regression was to patch it in order to make it available again... See bug #240714, my last comment there and the link I posted.

amd64/x86 need the following packages stable, is this ok and which versions should we pick?

| Package | Version | Current Keywords | Masks |
|---|---|---|---|
| media-libs/zvbi | 0.2.31 | ~x86 | K |
| media-libs/zvbi | 0.2.32 | ~x86 | K |
| media-libs/zvbi | 0.2.33 | ~x86 | K |
| media-libs/libv4l | 0.5.1 | ~x86 | K |
| media-libs/libv4l | 0.5.3 | ~x86 | K |
| media-libs/libass | 0.9.5 | ~x86 | K |
| media-libs/libkate | 0.2.5 | ~x86 | K |
| media-video/vlc | 0.9.6 | ~x86 | K |

(In reply to comment #7)

> amd64/x86 need the following packages stable, is this ok and which versions
> should we pick?

> media-libs/zvbi 0.2.33 ~x86 K

this one should be ok

> media-libs/libv4l 0.5.3 ~x86 K

and this one

> media-libs/libass 0.9.5 ~x86 K

ditto

> media-libs/libkate 0.2.5 ~x86 K

ditto

amd64/x86 stable

Stable on alpha. (also stabled the four deps mentioned by maekke as well as fluidsynth (and two of its deps, lash and ladspa-cmt)).

======================================================

Name: CVE-2008-5032
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5032
Reference: MLIST:[oss-security] 20081105 CVE id request: vlc
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/05/5
Reference: MLIST:[oss-security] 20081105 VideoLAN security advisory 0810
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/05/4
Reference: MLIST:[oss-security] 20081110 Re: CVE id request: vlc
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/10/13
Reference: MISC:http://www.trapkit.de/advisories/TKADV2008-012.txt
Reference: CONFIRM:http://git.videolan.org/?p=vlc.git;a=commitdiff;h=5f63f1562d43f32331006c2c1a61742de031b84d
Reference: CONFIRM:http://www.videolan.org/security/sa0810.html

Stack-based buffer overflow in VideoLAN VLC media player 0.5.0 through 0.9.5 might allow user-assisted attackers to execute arbitrary code via the header of an invalid CUE image file, related to modules/access/vcd/cdrom.c. NOTE: this identifier originally included an issue related to RealText, but that issue has been assigned a separate identifier, CVE-2008-5036.

======================================================

Name: CVE-2008-5036
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5036
Reference: MLIST:[oss-security] 20081105 CVE id request: vlc
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/05/5
Reference: MLIST:[oss-security] 20081105 VideoLAN security advisory 0810
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/05/4
Reference: MLIST:[oss-security] 20081110 Re: CVE id request: vlc
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/10/13
Reference: MISC:http://www.trapkit.de/advisories/TKADV2008-011.txt
Reference: CONFIRM:http://git.videolan.org/?p=vlc.git;a=commitdiff;h=e3cef651125701a2e33a8d75b815b3e39681a447
Reference: CONFIRM:http://www.videolan.org/security/sa0810.html

Stack-based buffer overflow in VideoLAN VLC media player 0.9.x before 0.9.6 might allow user-assisted attackers to execute arbitrary code via an invalid RealText (rt) subtitle file, related to the ParseRealText function in modules/demux/subtitle.c. NOTE: this issue was SPLIT from CVE-2008-5032 on 20081110.

I'll keep vlc ~ppc64 for now.

0.9.8a is stable for ppc

GLSA 200812-24, thanks everyone, sorry about the delay.