Bug 619494 (CVE-2017-8310, CVE-2017-8311, CVE-2017-8312, CVE-2017-8313)

Summary: <media-video/vlc-2.2.6: Multiple Vulnerabilities (CVE-2017-{8310,8311,8312,8313})
Product: Gentoo Security
Reporter: Michael Boyle <boylemic>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: krinpaus, kroemmelbein, luke, media-video, proxy-maint, SDNick484, throw_away_2002
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa cve]
Package list: media-video/vlc-2.2.6
Runtime testing required: ---

Description Michael Boyle 2017-05-24 02:22:39 UTC
Multiple Vulnerabilities
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2017-05-24 10:35:12 UTC
CVE-2017-8313 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8313):
  Heap out-of-bound read in ParseJSS in VideoLAN VLC before 2.2.5 due to
  missing check of string termination allows attackers to read data beyond
  allocated memory and potentially crash the process via a crafted subtitles
  file.

CVE-2017-8312 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8312):
  Heap out-of-bound read in ParseJSS in VideoLAN VLC due to missing check of
  string length allows attackers to read heap uninitialized data via a crafted
  subtitles file.

CVE-2017-8311 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8311):
  Potential heap based buffer overflow in ParseJSS in VideoLAN VLC before
  2.2.5 due to skipping NULL terminator in an input string allows attackers to
  execute arbitrary code via a crafted subtitles file.

CVE-2017-8310 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8310):
  Heap out-of-bound read in CreateHtmlSubtitle in VideoLAN VLC 2.2.x due to
  missing check of string termination allows attackers to read data beyond
  allocated memory and potentially crash the process (causing a denial of
  service) via a crafted subtitles file.
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-05-24 10:36:07 UTC
CC'ing proxy maintainer
Comment 3 Michael Palimaka (kensington) gentoo-dev 2017-06-06 13:49:45 UTC
I checked the commits referenced in each of the CVE links, and they're all present in 2.2.6 which I've bumped.
Comment 4 Thomas Deutschmann gentoo-dev Security 2017-06-06 14:30:42 UTC
*** Bug 618308 has been marked as a duplicate of this bug. ***
Comment 5 Thomas Deutschmann gentoo-dev Security 2017-06-06 14:34:02 UTC
(In reply to Michael Palimaka (kensington) from comment #3)
> I checked the commits referenced in each of the CVE links, and they're all
> present in 2.2.6 which I've bumped.

Thanks, I can confirm this!
Let's already start stabilization, vulnerabilities are allowing code execution and are already actively used.


@ Arches,

please test and mark stable: =media-video/vlc-2.2.6
Comment 6 Markus Meier gentoo-dev 2017-06-08 05:09:38 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-06-08 10:17:35 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-06-09 10:21:13 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-06-13 12:33:07 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-06-21 11:59:59 UTC
ppc stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 11 Thomas Deutschmann gentoo-dev Security 2017-06-28 11:51:34 UTC
New GLSA request filed.

@ Maintainer(s): Please drop =media-video/vlc-2.2.4-r1!
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-07-08 20:20:22 UTC
This issue was resolved and addressed in
 GLSA 201707-10 at https://security.gentoo.org/glsa/201707-10
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 13 Thomas Deutschmann gentoo-dev Security 2017-07-08 20:20:56 UTC
Re-opening for cleanup.
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-08-09 01:56:03 UTC
@maintainers, please let us know if this can be cleaned.  Thanks.
Comment 15 Andreas Sturmlechner gentoo-dev 2017-08-29 15:29:54 UTC
Since apparently there is no one here to answer, and I've touched vlc at least more than once in the past, I'll say please go ahead and clean up 2.2.4.
Comment 16 Andreas Sturmlechner gentoo-dev 2017-08-29 19:25:36 UTC
In fact I went ahead and cleaned up already.
Comment 17 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-08-31 22:42:22 UTC
(In reply to Andreas Sturmlechner from comment #16)
> In fact I went ahead and cleaned up already.

Thanks, Andreas!