Summary: | <media-video/vlc-2.2.4: crash and potential code execution when processing QuickTime IMA files (CVE-2016-5108) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | media-video, proxy-maint, SDNick484 |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://www.openwall.com/lists/oss-security/2016/05/27/3 | | |
Whiteboard: | B2 [glsa cve] | | |
Package list: | =media-video/vlc-2.2.4 | | |
Runtime testing required: | --- | | |
Bug Depends on: | 585642 | | |
Bug Blocks: | | | |
Description

Agostino Sarubbo
2016-05-30 08:13:18 UTC

Thanks for submitting this ago; looks like the first attempt at a fix on vlc-devel was rejected, but I'll keep an eye on it. I expect stabilizing 2.2.4 should be doable, but 3.0 may be waiting on some external packages to hit stable.

@Nick The adpcm bug was fixed two days later with upstream release vlc-2.2.4
https://bugs.gentoo.org/show_bug.cgi?id=585642
... by the time I am learning to use bugzilla features: I hope to have correctly managed in the right direction blocks-depends

(In reply to Ulenrich from comment #3)
> ... by the time I am learning to use bugzilla features: I hope
> to have correctly managed in the right direction blocks-depends

Better luck next time :)

Thanks Ulenrich, yes, the new 2.2.4 release looks good. I'm testing a couple of versions of FFmpeg for compatibility, but I expect it will be the same as 2.2.3 (i.e. FFmpeg < 2.9 is good, will need VLC-3.x for FFmpeg-3.x).

@Nick
> need VLC-3.x for FFmpeg-3.x
Yes, indeed.

Arches please test and mark stable =media-video/vlc-2.2.4 with target KEYWORDS: amd64 ~arm ppc ppc64 -sparc x86 ~x86-fbsd

CVE-2016-5108 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5108): Buffer overflow in the DecodeAdpcmImaQT function in modules/codec/adpcm.c in VideoLAN VLC media player before 2.2.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted QuickTime IMA file.

Stable for PPC64.

amd64 stable

x86 stable

ppc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

New GLSA request filed.

Cleanup PR: https://github.com/gentoo/gentoo/pull/3493
@ Proxy-Maintainer: Please ack.

This issue was resolved and addressed in GLSA 201701-39 at https://security.gentoo.org/glsa/201701-39 by GLSA coordinator Aaron Bauman (b-man).
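The CVE text in this bug names the function (DecodeAdpcmImaQT in modules/codec/adpcm.c) and the trigger (a crafted QuickTime IMA file) but not the check that was missing, and nothing else on this page records it. What follows is an added example written for this page, not code from VLC or from the 2.2.4 fix: a stand-alone QuickTime IMA ADPCM block decoder in C that spells out the size invariant any such decoder relies on (34 input bytes and 64 output samples per channel per block) and rejects input whose length does not match the declared channel count before reading or writing either buffer. The format constants and IMA step/index tables are the standard ones; every identifier (decode_qt_ima_block_group, example_mono_sample, example_rejects_malformed, the 8-channel cap) and the sample block are this example's own assumptions.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Standard IMA ADPCM step-size and index-adjustment tables. */
static const int16_t ima_step_table[89] = {
        7,     8,     9,    10,    11,    12,    13,    14,    16,    17,    19,    21,
       23,    25,    28,    31,    34,    37,    41,    45,    50,    55,    60,    66,
       73,    80,    88,    97,   107,   118,   130,   143,   157,   173,   190,   209,
      230,   253,   279,   307,   337,   371,   408,   449,   494,   544,   598,   658,
      724,   796,   876,   963,  1060,  1166,  1282,  1411,  1552,  1707,  1878,  2066,
     2272,  2499,  2749,  3024,  3327,  3660,  4026,  4428,  4871,  5358,  5894,  6484,
     7132,  7845,  8630,  9493, 10442, 11487, 12635, 13899, 15289, 16818, 18500, 20350,
    22385, 24623, 27086, 29794, 32767
};
static const int8_t ima_index_table[16] = {
    -1, -1, -1, -1, 2, 4, 6, 8, -1, -1, -1, -1, 2, 4, 6, 8
};

/* QuickTime IMA layout: per channel, a 2-byte header followed by 32 bytes holding
 * 64 nibbles (64 samples). A block group is `channels` such 34-byte blocks back to
 * back. Constant names are this example's own, not VLC's. */
#define QT_IMA_BLOCK_BYTES        34
#define QT_IMA_SAMPLES_PER_BLOCK  64
#define QT_IMA_MAX_CHANNELS        8   /* assumed cap for this example */

typedef struct { int predictor; int step_index; } ima_state;

static int16_t ima_expand_nibble(ima_state *st, unsigned nibble)
{
    int step = ima_step_table[st->step_index];
    int diff = step >> 3;
    if (nibble & 1) diff += step >> 2;
    if (nibble & 2) diff += step >> 1;
    if (nibble & 4) diff += step;
    if (nibble & 8) diff = -diff;
    st->predictor += diff;
    if (st->predictor >  32767) st->predictor =  32767;
    if (st->predictor < -32768) st->predictor = -32768;
    st->step_index += ima_index_table[nibble & 0x0F];
    if (st->step_index < 0)  st->step_index = 0;
    if (st->step_index > 88) st->step_index = 88;
    return (int16_t)st->predictor;
}

/* Decode one block group into interleaved 16-bit PCM. Returns samples produced per
 * channel (64) or -1 when the buffers cannot hold the layout the channel count
 * implies. Every index used in the loops is bounded by these checks, so a stream
 * that lies about its block size or channel count is rejected here instead of
 * being read or written past the buffers. */
int decode_qt_ima_block_group(const uint8_t *in, size_t in_len, unsigned channels,
                              int16_t *out, size_t out_samples)
{
    if (channels == 0 || channels > QT_IMA_MAX_CHANNELS)
        return -1;
    if (in_len < (size_t)channels * QT_IMA_BLOCK_BYTES)
        return -1;                          /* not enough input for every channel */
    if (out_samples < (size_t)channels * QT_IMA_SAMPLES_PER_BLOCK)
        return -1;                          /* output buffer would overflow */

    for (unsigned c = 0; c < channels; c++) {
        const uint8_t *blk = in + c * QT_IMA_BLOCK_BYTES;
        /* Big-endian header: top 9 bits seed the predictor, low 7 bits the step index. */
        unsigned hdr = ((unsigned)blk[0] << 8) | blk[1];
        int pred = (int)(hdr & 0xFF80);
        ima_state st;
        st.predictor  = pred >= 0x8000 ? pred - 0x10000 : pred;   /* sign-extend */
        st.step_index = (int)(hdr & 0x7F);
        if (st.step_index > 88)
            st.step_index = 88;             /* 7 bits can encode 89..127: never index past the table */
        for (unsigned i = 0; i < 32; i++) {
            unsigned b = blk[2 + i];        /* low nibble is the earlier sample */
            out[(2 * i)     * channels + c] = ima_expand_nibble(&st, b & 0x0F);
            out[(2 * i + 1) * channels + c] = ima_expand_nibble(&st, b >> 4);
        }
    }
    return QT_IMA_SAMPLES_PER_BLOCK;
}

/* Constructed input (not from any real file): one mono block with header
 * predictor 0 / step index 0 and first data byte 0x07, remaining bytes zero. */
static const uint8_t mono_block[QT_IMA_BLOCK_BYTES] = { 0x00, 0x00, 0x07 };

/* Returns the n-th decoded sample of mono_block, or INT_MIN on rejection/out of range. */
int example_mono_sample(unsigned n)
{
    int16_t pcm[QT_IMA_SAMPLES_PER_BLOCK];
    if (n >= QT_IMA_SAMPLES_PER_BLOCK)
        return INT_MIN;
    if (decode_qt_ima_block_group(mono_block, sizeof mono_block, 1, pcm, QT_IMA_SAMPLES_PER_BLOCK) < 0)
        return INT_MIN;
    return pcm[n];
}

/* Returns 1 if all three malformed cases are rejected: input one byte short of a
 * block, a stereo claim backed by a single block, and an output buffer one sample
 * too small. */
int example_rejects_malformed(void)
{
    int16_t pcm[2 * QT_IMA_SAMPLES_PER_BLOCK];
    int short_in  = decode_qt_ima_block_group(mono_block, QT_IMA_BLOCK_BYTES - 1, 1, pcm, 2 * QT_IMA_SAMPLES_PER_BLOCK);
    int few_in    = decode_qt_ima_block_group(mono_block, QT_IMA_BLOCK_BYTES, 2, pcm, 2 * QT_IMA_SAMPLES_PER_BLOCK);
    int small_out = decode_qt_ima_block_group(mono_block, QT_IMA_BLOCK_BYTES, 1, pcm, QT_IMA_SAMPLES_PER_BLOCK - 1);
    return short_in == -1 && few_in == -1 && small_out == -1;
}

int main(void)
{
    printf("samples: %d %d %d, malformed rejected: %d\n", example_mono_sample(0),
           example_mono_sample(1), example_mono_sample(2), example_rejects_malformed());
    return 0;
}
```

The point of the three leading checks is that the channel count and the block length arrive from the container, i.e. from attacker-controlled data, while the 34-byte and 64-sample figures are fixed by the format; a decoder that trusts the former without checking it against the latter is exactly the shape of bug the CVE entry describes.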