Bug 262708 (CVE-2009-1045)

Summary: <media-video/vlc-0.9.9a-r1: DoS (CVE-2009-1045)
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: aballier, media-video
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://milw0rm.com/exploits/8213
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-16 20:31:32 UTC
From milw0rm:

VLC 0.9.8a Web UI (input) Remote Denial of Service Exploit
(See URL for exploit code)
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-16 20:34:25 UTC
Interestingly, if a video is playing, playback just restarts, but if not, VLC hangs. In other words, the exploit works (0.9.8a, amd64)
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-23 22:02:19 UTC
CVE-2009-1045 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1045):
  Stack-based buffer overflow in requests/status.xml in VLC 0.9.8a
  allows remote attackers to cause a denial of service (crash) and
  possibly execute arbitrary code via a long input argument in an
  in_play action.

Comment 3 Bjoern Tropf (RETIRED) gentoo-dev 2009-04-15 07:29:38 UTC
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=522170#10
This bug is fixed in the latest version of vlc.

The actual problem here is not DoS ("because if you have access to the html interface and want to DoS vlc, you'd be quicker to click on the "Close"
button"), but possible execution of arbitrary code.
Comment 4 Alexis Ballier gentoo-dev 2009-04-15 07:39:25 UTC
(In reply to comment #3)
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=522170#10
> This bug is fixed in the latest version of vlc.

Are you sure? It still crashed when I tried it.

Moreover, there is this commit whose implications I'm still unsure about:

http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=c5f355b77a5f11f7a75e7de2e485fab25ad638df
Comment 5 Bjoern Tropf (RETIRED) gentoo-dev 2009-04-16 07:08:59 UTC
The Debian resource is incorrect.

This bug might be fixed in vlc 0.9.10.

> Changes between 0.9.9a and 0.9.10-git:
> * Fix default ACL of http interface

http://git.videolan.org/gitweb.cgi?p=vlc.git;a=commit;h=8f621703c2c4d2a4a48a2bfe3c49548e57f74df5
Comment 6 Alexis Ballier gentoo-dev 2009-05-10 13:55:35 UTC
(In reply to comment #5)
> The Debian resource is incorrect.
> 
> This bug might be fixed in vlc 0.9.10.
> 
> > Changes between 0.9.9a and 0.9.10-git:
> > * Fix default ACL of http interface

I've added the relevant patch to 0.9.9a-r1's patchset
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2009-07-02 20:02:58 UTC
arches, please go for media-video/vlc-0.9.9a-r1
Comment 8 Ferris McCormick (RETIRED) gentoo-dev 2009-07-02 20:42:19 UTC
Sparc stable, I was already using it.
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2009-07-02 21:26:13 UTC
x86 stable
Comment 10 Markus Meier gentoo-dev 2009-07-05 12:48:51 UTC
amd64 stable
Comment 11 Alexis Ballier gentoo-dev 2009-07-07 08:21:11 UTC
(In reply to comment #10)
> amd64 stable
> 

 05 Jul 2009; Markus Meier <maekke@gentoo.org> vlc-0.9.8a.ebuild:
  amd64 stable, bug #262708

(In reply to comment #6)
> > > Changes between 0.9.9a and 0.9.10-git:
> > > * Fix default ACL of http interface
> 
> I've added the relevant patch to 0.9.9a-r1's patchset


Fail? Ok, the bug summary is wrong.
Comment 12 Markus Meier gentoo-dev 2009-07-08 20:25:55 UTC
amd64 stable
Comment 13 Tobias Klausmann (RETIRED) gentoo-dev 2009-07-12 13:34:37 UTC
Stable on alpha.
Comment 14 Joe Jezak (RETIRED) gentoo-dev 2009-07-13 18:16:53 UTC
Marked ppc stable.
Comment 15 Tobias Heinlein (RETIRED) gentoo-dev 2009-07-13 21:21:48 UTC
Updated CVE (and the vlc-devel list too, according to Alex) says DoS only (no execution of arbitrary code), so sticking with B3.

Ready for vote, I vote NO.
Comment 16 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-13 22:31:47 UTC
Then I vote NO, too.
Closing NOGLSA.