Summary: | <media-video/vlc-3.0.7: multiple vulnerabilities (CVE-2019-{5439,12874}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Alexander Bezrukov <phmagic> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | media-video, slyfox |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
URL: | https://www.videolan.org/security/sa1901.html | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=689856 | ||
Whiteboard: | A2 [glsa+ cve] | ||
Package list: | media-video/vlc-3.0.7.1, media-libs/dav1d-0.3.1 | ||
Runtime testing required: | --- |
Bug Depends on: | 688712 | ||
Bug Blocks: |
Description
Alexander Bezrukov
2019-06-24 19:28:44 UTC
@maintainer: 3.0.7.1 is already out. We can also go directly to 3.0.7.1 if you think it is fine.

An automated check of this bug failed - repoman reported dependency errors (107 lines truncated):
> dependency.bad media-video/vlc/vlc-3.0.7.1.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=media-libs/x264-0.0.20190214:=']
> dependency.bad media-video/vlc/vlc-3.0.7.1.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['>=media-libs/x264-0.0.20190214:=']
> dependency.bad media-video/vlc/vlc-3.0.7.1.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=media-libs/x264-0.0.20190214:=']

x86 stable

amd64 stable

ppc64 stable

*** Bug 689856 has been marked as a duplicate of this bug. ***

Looking good on ppc.

arm64 stable

ppc stable.
Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=552671e74c9871abb81f1505e8f56b29f769be28

commit 552671e74c9871abb81f1505e8f56b29f769be28
Author: Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-08-01 15:34:07 +0000
Commit: Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-08-01 15:34:37 +0000

media-video/vlc: Security cleanup

Bug: https://bugs.gentoo.org/688642
Package-Manager: Portage-2.3.69, Repoman-2.3.16
Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

media-video/vlc/Manifest | 1 -
media-video/vlc/files/vlc-3.0.6-libav.patch | 12 -
media-video/vlc/files/vlc-3.0.6-libvpx-1.8.0.patch | 35 --
media-video/vlc/files/vlc-3.0.6-sftp.patch | 24 -
media-video/vlc/metadata.xml | 2 -
media-video/vlc/vlc-3.0.6-r1.ebuild | 502 ---------------------
6 files changed, 576 deletions(-)

This issue was resolved and addressed in GLSA 201908-23 at https://security.gentoo.org/glsa/201908-23 by GLSA coordinator Aaron Bauman (b-man).