
Bug 558418 (CVE-2015-5949)

Summary: <media-video/vlc-2.2.1-r1: arbitrary pointer dereference (CVE-2015-5949)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: jlec, media-video, proxy-maint, SDNick484
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2015/08/20/3
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 548964, 564136    
Bug Blocks:    
Attachments:
  vlc-2.2.1-libmp4.patch (flags: none)
  vlc-2.1.5-libmp4.patch (flags: none)

Description Agostino Sarubbo gentoo-dev 2015-08-22 12:12:24 UTC
From ${URL} :

#2015-009 VLC arbitrary pointer dereference

Description:

The VLC media player is an open source media player and streaming media
server.

The stable VLC version suffers from an arbitrary pointer dereference
vulnerability.

The vulnerability affects the 3GP file format parser; insufficient
restrictions on a writable buffer can be exploited to execute arbitrary code
via the heap memory. A specific 3GP file can be crafted to trigger the
vulnerability.

Affected version:
  VLC <= 2.2.1

Fixed version:
  VLC, N/A (see References for patch committed to 2.2.2 branch)

Credit: vulnerability reported by Loren Maggiore of Trail of Bits.

CVE: CVE-2015-5949

Timeline:

2015-07-28: vulnerability report received
2015-07-29: contacted VLC security maintainer
2015-08-03: maintainer commits fix to stable branch
2015-08-06: assigned CVE
2015-08-17: contacted affected vendors
2015-08-20: advisory release

References:
https://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=ce91452460a75d7424b165c4dc8db98114c3cbd9;hp=9e12195d3e4316278af1fa4bcb6a705ff27456fd

Permalink:
http://www.ocert.org/advisories/ocert-2015-009.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Nick Andrade 2015-10-26 04:47:29 UTC
Created attachment 415496 [details, diff]
vlc-2.2.1-libmp4.patch

This patch is from the commit referenced above.  It works for VLC 2.2.1, but not for VLC 2.1.5-r1.
Comment 2 Nick Andrade 2015-10-26 05:31:19 UTC
Created attachment 415498 [details, diff]
vlc-2.1.5-libmp4.patch

I was able to backport the previous patch to 2.1.5 by taking some additions from libmp4.c in 2.2.1.  VLC 2.1.5-r1 built successfully with it and I believe it should address the vulnerability as well.
Comment 3 Ian Delaney (RETIRED) gentoo-dev 2015-10-28 00:59:33 UTC
(In reply to Nick Andrade from comment #2)
> Created attachment 415498 [details, diff] [details, diff]
> vlc-2.1.5-libmp4.patch
> 
> I was able to backport the previous patch to 2.1.5 by taking some additions
> from libmp4.c in 2.2.1.  VLC 2.1.5-r1 built successfully with it and I
> believe it should address the vulnerability as well.

You need to address only the 2.2.1. The versions prior to it will be cleaned as a matter of course. Any effort invested on the 2.1.5-r1 is time better spent on reading devmanuals.
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2015-10-28 01:44:32 UTC
Author: Ian Delaney <idella4@gentoo.org>
Date:   Wed Oct 28 09:40:00 2015 +0800

    media-video/vlc: revbump -> -2.2.1-r1, sec patch CVE-2015-5949
    
    patch submitted by proxy maintainer via the gentoo bug, also
    runtested by Amynka, removed initial vlc-2.2.1.ebuild
    
    Gentoo bug: #558418

A bug requesting stabilising of -2.2.1 was made long ago. It can have its title edited to request for vlc-2.2.1-r1 now.
Comment 5 Steve Arnold archtester gentoo-dev 2015-10-30 19:50:41 UTC
Did anyone test this one yet?  Doesn't build for me on amd64...

-Wextra -Wsign-compare -Wundef -Wpointer-arith -Wbad-function-cast -Wwrite-strings -Wmissing-prototypes -Wvolatile-register-var -Werror-implicit-function-declaration -pipe -fvisibility=hidden -c -o vlc_static-vlc.o `test -f 'vlc.c' || echo './'`vlc.c
x86_64-pc-linux-gnu-gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I..   -DHAVE_DBUS -I../include -I../include   -DTOP_BUILDDIR=\"$(cd ".."; pwd)\" -DTOP_SRCDIR=\"$(cd ".."; pwd)\"  -march=athlon64 -mtune=amdfam10 -O2 -pipe -Wall -Wextra -Wsign-compare -Wundef -Wpointer-arith -Wbad-function-cast -Wwrite-strings -Wmissing-prototypes -Wvolatile-register-var -Werror-implicit-function-declaration -pipe -fvisibility=hidden -c -o vlc_static-override.o `test -f 'override.c' || echo './'`override.c
x86_64-pc-linux-gnu-gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I..   -DHAVE_DBUS -I../include -I../include   -march=athlon64 -mtune=amdfam10 -O2 -pipe -Wall -Wextra -Wsign-compare -Wundef -Wpointer-arith -Wbad-function-cast -Wwrite-strings -Wmissing-prototypes -Wvolatile-register-var -Werror-implicit-function-declaration -pipe -fvisibility=hidden -c -o cachegen.o cachegen.c
../doltlibtool  --tag=CC   --mode=link x86_64-pc-linux-gnu-gcc -std=gnu99  -march=athlon64 -mtune=amdfam10 -O2 -pipe -Wall -Wextra -Wsign-compare -Wundef -Wpointer-arith -Wbad-function-cast -Wwrite-strings -Wmissing-prototypes -Wvolatile-register-var -Werror-implicit-function-declaration -pipe -fvisibility=hidden  -Wl,-O1 -Wl,--as-needed -L/usr/lib64/sidplay/builders/ -o vlc-cache-gen cachegen.o  ../compat/libcompat.la ../lib/libvlc.la
rootwrap.c: In function ‘main’:
rootwrap.c:245:5: warning: ignoring return value of ‘setuid’, declared with attribute warn_unused_result [-Wunused-result]
     setuid (uid);
     ^
../doltlibtool  --tag=CC   --mode=link x86_64-pc-linux-gnu-gcc -std=gnu99  -march=athlon64 -mtune=amdfam10 -O2 -pipe -Wall -Wextra -Wsign-compare -Wundef -Wpointer-arith -Wbad-function-cast -Wwrite-strings -Wmissing-prototypes -Wvolatile-register-var -Werror-implicit-function-declaration -pipe -fvisibility=hidden  -Wl,-O1 -Wl,--as-needed -L/usr/lib64/sidplay/builders/ -o vlc-wrapper rootwrap.o
../doltlibtool  --tag=CC   --mode=link x86_64-pc-linux-gnu-gcc -std=gnu99  -march=athlon64 -mtune=amdfam10 -O2 -pipe -Wall -Wextra -Wsign-compare -Wundef -Wpointer-arith -Wbad-function-cast -Wwrite-strings -Wmissing-prototypes -Wvolatile-register-var -Werror-implicit-function-declaration -pipe -fvisibility=hidden   -Wl,-O1 -Wl,--as-needed -L/usr/lib64/sidplay/builders/ -o vlc vlc.o override.o ../lib/libvlc.la -lpthread  -ldl
libtool: link: x86_64-pc-linux-gnu-gcc -std=gnu99 -march=athlon64 -mtune=amdfam10 -O2 -pipe -Wall -Wextra -Wsign-compare -Wundef -Wpointer-arith -Wbad-function-cast -Wwrite-strings -Wmissing-prototypes -Wvolatile-register-var -Werror-implicit-function-declaration -pipe -fvisibility=hidden -Wl,-O1 -o vlc-wrapper rootwrap.o  -Wl,--as-needed -L/usr/lib64/sidplay/builders/
libtool: link: x86_64-pc-linux-gnu-gcc -std=gnu99 -march=athlon64 -mtune=amdfam10 -O2 -pipe -Wall -Wextra -Wsign-compare -Wundef -Wpointer-arith -Wbad-function-cast -Wwrite-strings -Wmissing-prototypes -Wvolatile-register-var -Werror-implicit-function-declaration -pipe -fvisibility=hidden -Wl,-O1 -o .libs/vlc-cache-gen cachegen.o  -Wl,--as-needed -L/usr/lib64/sidplay/builders/ ../compat/.libs/libcompat.a ../lib/.libs/libvlc.so /var/tmp/portage/media-video/vlc-2.2.1-r1/work/vlc-2.2.1/src/.libs/libvlccore.so -lrt -lidn -ldl -ldbus-1 -lpthread -lm
rm -f ../modules/plugins.dat
if test "x86_64-pc-linux-gnu" = "x86_64-pc-linux-gnu"; then \
        ./vlc-cache-gen ../modules ; \
else \  
        echo "Cross-compilation: cache generation skipped!" ; \
fi
libtool: link: x86_64-pc-linux-gnu-gcc -std=gnu99 -march=athlon64 -mtune=amdfam10 -O2 -pipe -Wall -Wextra -Wsign-compare -Wundef -Wpointer-arith -Wbad-function-cast -Wwrite-strings -Wmissing-prototypes -Wvolatile-register-var -Werror-implicit-function-declaration -pipe -fvisibility=hidden -Wl,-O1 -o .libs/vlc vlc.o override.o  -Wl,--as-needed -L/usr/lib64/sidplay/builders/ ../lib/.libs/libvlc.so /var/tmp/portage/media-video/vlc-2.2.1-r1/work/vlc-2.2.1/src/.libs/libvlccore.so -lrt -lidn -ldbus-1 -lm -lpthread -ldl
/bin/sh: line 4: 27896 Illegal instruction     ./vlc-cache-gen ../modules
Makefile:1524: recipe for target '../modules/plugins.dat' failed
make[2]: *** [../modules/plugins.dat] Error 132
make[2]: *** Waiting for unfinished jobs....
make[2]: Leaving directory '/var/tmp/portage/media-video/vlc-2.2.1-r1/work/vlc-2.2.1/bin'
Makefile:2262: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/var/tmp/portage/media-video/vlc-2.2.1-r1/work/vlc-2.2.1'
Makefile:2147: recipe for target 'all' failed
make: *** [all] Error 2
 * ERROR: media-video/vlc-2.2.1-r1::gentoo failed (compile phase):
 *   emake failed
 *
 * If you need support, post the output of `emerge --info '=media-video/vlc-2.2.1-r1::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=media-video/vlc-2.2.1-r1::gentoo'`.
 * The complete build log is located at '/var/log/portage/media-video:vlc-2.2.1-r1:20151030-184813.log'.
 * For convenience, a symlink to the build log is located at '/var/tmp/portage/media-video/vlc-2.2.1-r1/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/media-video/vlc-2.2.1-r1/temp/environment'.
 * Working directory: '/var/tmp/portage/media-video/vlc-2.2.1-r1/work/vlc-2.2.1'
 * S: '/var/tmp/portage/media-video/vlc-2.2.1-r1/work/vlc-2.2.1'

>>> Failed to emerge media-video/vlc-2.2.1-r1, Log file:
Comment 6 Nick Andrade 2015-10-30 23:01:07 UTC
Steve, can you upload your "emerge --info vlc"?  It's working fine for me on ~amd64 and should also work stable as all of its deps are now stable.
Comment 7 Steve Arnold archtester gentoo-dev 2015-11-01 21:19:04 UTC
As you can see in the previous paste, I tried with optimized flags and plain flags.  At least the latter *should* work...

Portage 2.2.23 (python 2.7.10-final-0, default/linux/amd64/13.0/desktop, gcc-4.9.3, glibc-2.22-r1, 4.1.1-gentoo-r1 x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-4.1.1-gentoo-r1-x86_64-Intel-R-_Core-TM-_i5_CPU_M_520_@_2.40GHz-with-gentoo-2.2
KiB Mem:     5966764 total,    750940 free
KiB Swap:   12572668 total,  12541800 free
Timestamp of repository gentoo: Wed, 28 Oct 2015 10:30:01 +0000
sh bash 4.3_p42
ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1
distcc 3.2rc1 x86_64-pc-linux-gnu [enabled]
ccache version 3.2.4 [enabled]
app-shells/bash:          4.3_p42::gentoo
dev-java/java-config:     2.2.0::gentoo
dev-lang/perl:            5.22.0::gentoo
dev-lang/python:          2.7.10::gentoo, 3.3.5-r2::gentoo, 3.4.3::gentoo, 3.5.0-r1::gentoo
dev-util/ccache:          3.2.4::gentoo
dev-util/cmake:           3.3.2-r1::gentoo
dev-util/pkgconfig:       0.29::gentoo
sys-apps/baselayout:      2.2::gentoo
sys-apps/openrc:          0.18.3::gentoo
sys-apps/sandbox:         2.9::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69-r1::gentoo
sys-devel/automake:       1.11.6-r1::gentoo, 1.12.6::gentoo, 1.13.4::gentoo, 1.14.1::gentoo, 1.15::gentoo
sys-devel/binutils:       2.25.1-r1::gentoo
sys-devel/gcc:            4.8.4::gentoo, 4.9.3::gentoo
sys-devel/gcc-config:     1.8::gentoo
sys-devel/libtool:        2.4.6-r1::gentoo
sys-devel/make:           4.1-r1::gentoo
sys-kernel/linux-headers: 4.2::gentoo (virtual/os-headers)
sys-libs/glibc:           2.22-r1::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://...
    priority: -1000
    eclass-overrides: nerdboy-local

nerdboy-local
    location: /usr/local/portage
    sync-type: git
    sync-uri: https://github.com/sarnold/portage-overlay.git
    masters: gentoo
    priority: 0

arm_support
    location: /usr/local/arm
    sync-type: git
    sync-uri: https://github.com/gentoo/arm.git
    masters: gentoo
    priority: 1

mozilla
    location: /var/lib/layman/mozilla
    sync-type: laymansync
    sync-uri: git://anongit.gentoo.org/proj/mozilla.git
    masters: gentoo
    priority: 50

tlp
    location: /var/lib/layman/tlp
    sync-type: laymansync
    sync-uri: git://github.com/dywisor/tlp-portage.git
    masters: gentoo
    priority: 50

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA @GPL-COMPATIBLE @OSI-APPROVED @EULA dlj-1.1 skype-eula googleearth AdobeFlash-10.1"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=corei7 -mtune=westmere -O2 -flto=5 -ftree-vectorize -ffat-lto-objects -pipe -floop-interchange -ftree-loop-distribution -floop-strip-mine -floop-block"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/easy-rsa /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=corei7 -mtune=westmere -O2 -flto=5 -ftree-vectorize -ffat-lto-objects -pipe -floop-interchange -ftree-loop-distribution -floop-strip-mine -floop-block"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs buildpkg ccache cgroup config-protect-if-modified distcc distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://..."
LANG="en_US.utf8"
LDFLAGS="-march=corei7 -mtune=westmere -O2 -flto=5 -ftree-vectorize -ffat-lto-objects -pipe -floop-interchange -ftree-loop-distribution -floop-strip-mine -floop-block -fuse-linker-plugin"
MAKEOPTS="-j17"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acl acpi ada alsa amd64 amr aspell berkdb bindist bluetooth branding bzip2 bzlib cairo caps cdda cdr cli consolekit cracklib crypt cups cxx dbus dnotify dri dts dvd dvdr eds emboss encode exif fam firefox flac fortran gd gdbm gif glade glamor gmp gnome-keyring gnome-online-accounts gnutls gpm gstreamer gtk gtk3 iconv imagemagick inotify ipv6 jpeg json lcms ldap libav libnotify libsecret lua lz4 mad mmx mmxext mng modules mp3 mp4 mpeg multilib nautilus ncurses networkmanager nls nptl nptlonly ogg opengl openmp pam pango pcre pdf pic png policykit ppds pulseaudio python qt3support qt5 readline sdl seccomp session sip spell sse sse2 ssl startup-notification svg tcpd theora threads tiff truetype udev udisks unicode upower usb v4l vala vdpau vorbis webp wheel wifi wxwidgets x264 xa xattr xcb xml xv xvid xvmc zeroconf zlib" ABI_X86="64 32" ALSA_CARDS="hda-intel usb-audio" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2 agfa_cl20 canon casio_qv clicksmart310 digigr8 digita dimagev directory fuji hp215 iclick jamcam kodak_dc120 kodak_dc210 kodak_dc240 kodak_dc3200 kodak_ez200 spca50x" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2 ssse3 sse3 sse4_1 sse4_2" CURL_SSL="openssl" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-32 efi-64 pc" INPUT_DEVICES="keyboard mouse joystick evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-minimizer wiki-publisher" LINGUAS="en_US en" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_4" QEMU_SOFTMMU_TARGETS="arm i386 mipsel ppc ppc64 x86_64" QEMU_USER_TARGETS="arm i386 mipsel ppc ppc64 x86_64" RUBY_TARGETS="ruby22 ruby21 ruby20" SANE_BACKENDS="net" USERLAND="GNU" VIDEO_CARDS="intel i915 i965 v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 8 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-11-01 21:33:53 UTC
(In reply to Steve Arnold from comment #7)
> As you can see in the previous paste, I tried with optimized flags and plain
> flags.  At least the latter *should* work...

Please file a different bug for this issue rather than using this security bug. Stabilization is done in bug 548964, the new bug should likely be a blocker of that.
Comment 9 Nick Andrade 2015-11-02 02:15:36 UTC
Steve, I don't believe your issue is related to this security patch; as Kristian suggested, please submit a new bug.  The failure you're seeing doesn't seem to be in the part of the code that the patch touched, and quite frankly the change the patch is making is relatively small in scope and shouldn't impact anything else.  I realize the timing of the failure may have coincided with this -r1 release, but I'm guessing even 2.2.1 without the patch added to -r1 would also fail (in fact, you building that would be a good test).

Since you've reported your issue and provided some info, I've built vlc a half dozen times on amd64 with various combinations of [C|CXX|LD]FLAGS and have not encountered your issue.  At this point I can tell you that the Graphite loop optimizations you're using (i.e. -floop-interchange -floop-strip-mine -floop-block) as well as the link time optimizer (i.e. -flto=5) will not work with VLC. Everything else in your optimized CFLAGS works fine both with and without the patch.

So in summary, if you still are having issues, please submit a new bug with both "emerge --info =vlc-2.2.1-r1" and the full build log of a failed build attached (ideally using less aggressive *FLAGS).
Comment 10 Steve Arnold archtester gentoo-dev 2015-11-04 03:43:57 UTC
Sure, but you shouldn't see any "aggressive" flags in the paste (I don't).  That's the failure with plain old default catalyst stage flags (which is what plain-flags.conf is).  Not sure how it works for you, but the same version (without the patch) was already installed on the two machines it's failed on so far.  It was actually built with the -fno versions of -flto, etc the last time and it worked; now it doesn't build even with plain.  Something changed somewhere...
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2016-03-12 11:18:59 UTC
Added to existing GLSA request.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2016-03-12 12:08:12 UTC
This issue was resolved and addressed in
 GLSA 201603-08 at https://security.gentoo.org/glsa/201603-08
by GLSA coordinator Kristian Fiskerstrand (K_F).