Summary: | <media-video/vlc-0.9.9a-r1: DoS (CVE-2009-1045) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | aballier, media-video |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://milw0rm.com/exploits/8213 | ||
Whiteboard: | B3 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Alex Legler (RETIRED)
2009-03-16 20:31:32 UTC
Interestingly, if a video is playing, playback just restarts, but if not, VLC hangs. In other words, the exploit works (0.9.8a, amd64) CVE-2009-1045 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1045): Stack-based buffer overflow in requests/status.xml in VLC 0.9.8a allows remote attackers to cause a denial of service (crash) and possible execute arbitrary code via a long input argument in an in_play action. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=522170#10 This bug is fixed in the latest version of vlc. The actual problem here is not DoS, ("because if you have access to the html interface and want to DoS vlc, you'd quicker to click on the "Close" button"), but possible execution of arbitrary code. (In reply to comment #3) > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=522170#10 > This bug is fixed in the latest version of vlc. are you sure? it still crashed when I tried it. moreover there is this commit which i'm still unsure about the implications: http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=c5f355b77a5f11f7a75e7de2e485fab25ad638df The Debian resource is incorrect. This bug might be fixed in vlc 0.9.10. > Changes between 0.9.9a and 0.9.10-git: > * Fix default ACL of http interface http://git.videolan.org/gitweb.cgi?p=vlc.git;a=commit;h=8f621703c2c4d2a4a48a2bfe3c49548e57f74df5 (In reply to comment #5) > The Debian resource is incorrect. > > This bug might be fixed in vlc 0.9.10. > > > Changes between 0.9.9a and 0.9.10-git: > > * Fix default ACL of http interface I've added the relevant patch to 0.9.9a-r1's patchset arches, please go for media-video/vlc-0.9.9a-r1 Sparc stable, I was already using it. x86 stable amd64 stable (In reply to comment #10) > amd64 stable > 05 Jul 2009; Markus Meier <maekke@gentoo.org> vlc-0.9.8a.ebuild: amd64 stable, bug #262708 (In reply to comment #6) > > > Changes between 0.9.9a and 0.9.10-git: > > > * Fix default ACL of http interface > > I've added the relevant patch to 0.9.9a-r1's patchset Fail? Ok, the bug summary is wrong. amd64 stable Stable on alpha. Marked ppc stable. Updated CVE (and the vlc-devel list too, according to Alex) says DoS only (no execution of arbitrary code), so sticking with B3. Ready for vote, I vote NO. Then I vote NO, too. Closing NOGLSA. |