| Summary: | <media-video/vlc-3.0.12.1: Buffer overread with crafted mkv file (CVE-2020-26664) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | media-video |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://gist.githubusercontent.com/henices/db11664dd45b9f322f8514d182aef5ea/raw/d56940c8bf211992bf4f3309a85bb2b69383e511/CVE-2020-26664.txt | ||
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=761547 | ||
| Whiteboard: | A4 [glsa+ cve] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
John Helmert III
2021-01-12 01:09:53 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=186788f2eba7c130e38cf6d86116124eb2f57363 commit 186788f2eba7c130e38cf6d86116124eb2f57363 Author: Sam James <sam@gentoo.org> AuthorDate: 2021-01-12 17:43:49 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-01-12 18:13:46 +0000 media-video/vlc: security bump to 3.0.12.1 Bug: https://bugs.gentoo.org/765040 Bug: https://bugs.gentoo.org/723006 Package-Manager: Portage-3.0.12, Repoman-3.0.2 Signed-off-by: Sam James <sam@gentoo.org> media-video/vlc/Manifest | 1 + media-video/vlc/vlc-3.0.12.1-r1.ebuild | 499 ++++++++++++++++++++++++++++++ media-video/vlc/vlc-3.0.12.1-r101.ebuild | 505 +++++++++++++++++++++++++++++++ 3 files changed, 1005 insertions(+) Unable to check for sanity:
> no match for package: media-video/vlc-3.0.12.1
Sanity check failed:
> media-video/vlc-3.0.12.1
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (6 total)
> >=net-libs/srt-1.4.2
> depend amd64 stable profile default/linux/amd64/17.1 (53 total)
> >=net-libs/srt-1.4.2
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (6 total)
> >=net-libs/srt-1.4.2
> rdepend amd64 stable profile default/linux/amd64/17.1 (53 total)
> >=net-libs/srt-1.4.2
Unable to check for sanity:
> dependent bug #761547 is missing keywords
amd64 stable x86 stable arm64 done - ppc, ppc64 both did -r100 as part of the Lua mega-stable bug, which works for us, as it's not vulnerable, and as the rest of slotted Lua is stable anyway, an unslotted version is undesirable. - arm doesn't have stable VLC, just srt, so let's move it out of this bug. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=076307567eebf29a50f49703a6b371cfb6f5efce commit 076307567eebf29a50f49703a6b371cfb6f5efce Author: Sam James <sam@gentoo.org> AuthorDate: 2021-01-27 23:33:41 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-01-27 23:33:41 +0000 media-video/vlc: security cleanup Bug: https://bugs.gentoo.org/765040 Package-Manager: Portage-3.0.14, Repoman-3.0.2 Signed-off-by: Sam James <sam@gentoo.org> media-video/vlc/Manifest | 1 - media-video/vlc/vlc-3.0.11.1-r1.ebuild | 492 ------------------------------ media-video/vlc/vlc-3.0.11.1-r101.ebuild | 503 ------------------------------- media-video/vlc/vlc-3.0.11.1.ebuild | 491 ------------------------------ media-video/vlc/vlc-3.0.12.1.ebuild | 499 ------------------------------ 5 files changed, 1986 deletions(-) Unable to check for sanity:
> no match for package: media-video/vlc-3.0.12.1
This issue was resolved and addressed in GLSA 202101-37 at https://security.gentoo.org/glsa/202101-37 by GLSA coordinator Aaron Bauman (b-man). |