
Bug 537154 (CVE-2014-9625)

Summary: <media-video/vlc-2.1.5: Multiple vulnerabilities (CVE-2014-{9597,9598,9625,9626,9627,9628,9629,9630},CVE-2015-{1202,1203})
Product: Gentoo Security
Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: media-video, proxy-maint, SDNick484
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://seclists.org/oss-sec/2015/q1/187
See Also: https://bugs.gentoo.org/show_bug.cgi?id=539840
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-01-20 17:30:06 UTC
From ${URL}:

Hi oss-security,

(please note, I'm not on the list.)

I recently discovered a couple of vulnerabilities in the latest stable
version of VLC (2.1.5), reported them to the developers and also
provided patches, most of which were applied. The most critical issues
are a buffer-overflow in the mp4-demuxer and another in the automatic
updater. For the last flaw, I also showed at 31C3 that it can indeed
be leveraged for arbitrary code execution.

Below you find links to the patches. Please note, that patches were
applied for the master-branch, so they may not all be immediately
applicable to 2.1.5. However, the attached original bug reports give
you all the details for 2.1.5.

* Buffer overflow in updater:

https://github.com/videolan/vlc/commit/fbe2837bc80f155c001781041a54c58b5524fc14

* Buffer overflow in mp4 demuxer:

https://github.com/videolan/vlc/commit/2e7c7091a61aa5d07e7997b393d821e91f593c39

* Potential buffer overflow in Schroedinger Encoder

https://github.com/videolan/vlc/commit/9bb0353a5c63a7f8c6fc853faa3df4b4df1f5eb5

* Invalid memory access in rtp code:

https://github.com/videolan/vlc/commit/204291467724867b79735c0ee3aeb0dbc2200f97

* Null-pointer dereference in dmo codec:

https://github.com/videolan/vlc/commit/229c385a79d48e41687fae8b4dfeaeef9c8c3eb7

I was wondering whether anybody could assign CVEs for these vulnerabilities.

Please note that the following problems were not fixed:

* The potential buffer overflow in the Dirac Encoder was not fixed as
  the Dirac encoder no longer exists in the master branch.
* The potential invalid writes in modules/services_discovery/sap.c and
  modules/access/ftp.c were not fixed as I did not provide a
  trigger. Note, that the code looks very similar to the confirmed bug
  in rtp_packetize_xiph_config, and so I leave it to you to decide
  whether you want to patch this.

I have not attached the triggers mentioned in the report. If anybody is
interested in these, please let me know.

Kind Regards,
Fabian Yamaguchi - University of Goettingen
Comment 1 Ben de Groot (RETIRED) gentoo-dev 2015-04-19 04:47:15 UTC
We should mark 2.2.0 stable. Comments?
Comment 2 Ian Delaney (RETIRED) gentoo-dev 2015-04-19 14:24:30 UTC
Too soon. Nick only started on this 3 days ago. vlc was a neglected mess. I still can't get it to build on my system, which is why I have had to tread very carefully and bring in extra support for Nick.
Comment 3 jospezial 2015-05-05 00:27:12 UTC
This could help:

https://bugs.gentoo.org/show_bug.cgi?id=548546

Changes between 2.1.5 and 2.1.6:
--------------------------------

Audio output:
 * Fix OSS stuttering

Security:
 * Fix heap overflow in decomp stream filter
 * Fix buffer overflow in updater
 * Fix potential buffer overflow in schroedinger encoder
 * Fix null-pointer dereference in DMO decoder
 * Fix buffer overflow in parsing of string boxes in mp4 demuxer
 * Fix SRTP integer overflow
 * Fix potential crash in zip access
 * Fix read overflow in Ogg demuxer
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2015-05-06 12:27:15 UTC
This confuses the issue all the more. Here we're talking about making 2.2.1 stable and purging the 2.1.x series and you add in a 2.1.6 to the mix. We need to know why the 2.1.x series should be kept at all.
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-12 08:45:09 UTC
2.1.x series has been dropped for some time now.
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-12 08:45:25 UTC
Added to existing GLSA.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2016-03-12 12:07:57 UTC
This issue was resolved and addressed in
 GLSA 201603-08 at https://security.gentoo.org/glsa/201603-08
by GLSA coordinator Kristian Fiskerstrand (K_F).