| Field | Value |
|---|---|
| Summary | media-video/vlc-3.0.13: Unspecified vulnerabilities |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Status | IN_PROGRESS |
| Severity | normal |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Sam James <sam> |
| Assignee | Gentoo Security <security> |
| CC | media-video |
| Whiteboard | ?? [glsa?] |
| Runtime testing required | --- |
| Attachments | |

Package list:

- media-video/vlc-3.0.14 amd64 arm64 ppc ppc64 x86
- media-libs/libbluray-1.3.0-r1
- dev-libs/libudfread-1.1.2
- media-libs/libdvdnav-6.1.1
- media-libs/libdvdread-6.1.2
Description
Sam James
2021-05-04 21:48:31 UTC
Sanity check failed:
> media-video/vlc-3.0.13
> depend amd64 dev profile default/linux/amd64/17.0/x32 (3 total)
> >=media-libs/libbluray-1.3.0:=
> >=media-libs/libdvdnav-6.1.1:0=
> >=media-libs/libdvdread-6.1.2:0=
> depend amd64 stable profile default/linux/amd64/17.1 (45 total)
> >=media-libs/libbluray-1.3.0:=
> >=media-libs/libdvdnav-6.1.1:0=
> >=media-libs/libdvdread-6.1.2:0=
> rdepend amd64 dev profile default/linux/amd64/17.0/x32 (3 total)
> >=media-libs/libbluray-1.3.0:=
> >=media-libs/libdvdnav-6.1.1:0=
> >=media-libs/libdvdread-6.1.2:0=
> rdepend amd64 stable profile default/linux/amd64/17.1 (45 total)
> >=media-libs/libbluray-1.3.0:=
> >=media-libs/libdvdnav-6.1.1:0=
> >=media-libs/libdvdread-6.1.2:0=
> depend arm64 stable profile default/linux/arm64/17.0 (9 total)
> >=media-libs/libbluray-1.3.0:=
> rdepend arm64 stable profile default/linux/arm64/17.0 (9 total)
> >=media-libs/libbluray-1.3.0:=
Created attachment 706062 [details, diff]
vlc-3.0.13-srt-1.3.0+.patch
Required patch to still build against >=net-libs/srt-1.3.0
(In reply to Lars Wendler (Polynomial-C) from comment #2)
> Created attachment 706062 [details, diff]
> vlc-3.0.13-srt-1.3.0+.patch
>
> Required patch to still build against >=net-libs/srt-1.3.0

Oh, of course. I'll commit it now just because it's faster, thank you.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3c66c764661b65e66ebe69ef6d4cce3a544b6a85

commit 3c66c764661b65e66ebe69ef6d4cce3a544b6a85
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-05-04 22:46:13 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-05-04 22:46:13 +0000

    media-video/vlc: allow building against newer net-libs/srt

    Bug: https://bugs.gentoo.org/788226
    Thanks-to: Lars Wendler <polynomial-c@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/vlc/files/vlc-3.0.13-srt-1.3.0.patch | 11 +++++++++++
 media-video/vlc/vlc-3.0.13.ebuild                |  1 +
 2 files changed, 12 insertions(+)

Unable to check for sanity:
> no match for package: media-libs/libbluray-1.3.0
Sanity check failed:
> media-libs/libbluray-1.3.0-r1
> depend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
> dev-libs/libudfread[abi_x86_32(-),abi_x86_64(-),abi_x86_x32(-)]
> depend amd64 stable profile default/linux/amd64/17.1 (12 total)
> dev-libs/libudfread[abi_x86_32(-),abi_x86_64(-)]
> depend amd64 stable profile default/linux/amd64/17.1/no-multilib (3 total)
> dev-libs/libudfread[abi_x86_64(-)]
> rdepend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
> dev-libs/libudfread[abi_x86_32(-),abi_x86_64(-),abi_x86_x32(-)]
> rdepend amd64 stable profile default/linux/amd64/17.1 (12 total)
> dev-libs/libudfread[abi_x86_32(-),abi_x86_64(-)]
> rdepend amd64 stable profile default/linux/amd64/17.1/no-multilib (3 total)
> dev-libs/libudfread[abi_x86_64(-)]
> depend arm stable profile default/linux/arm/17.0 (28 total)
> dev-libs/libudfread
> depend arm dev profile default/linux/arm/17.0/armv4 (37 total)
> dev-libs/libudfread
> rdepend arm stable profile default/linux/arm/17.0 (28 total)
> dev-libs/libudfread
> rdepend arm dev profile default/linux/arm/17.0/armv4 (37 total)
> dev-libs/libudfread
> depend x86 stable profile default/linux/x86/17.0 (11 total)
> dev-libs/libudfread[abi_x86_32(-)]
> rdepend x86 stable profile default/linux/x86/17.0 (11 total)
> dev-libs/libudfread[abi_x86_32(-)]
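Both sanity-check failures above (the one for media-video/vlc-3.0.13 and the one for media-libs/libbluray-1.3.0-r1) come from the same rule: a package cannot be keyworded stable on a profile while one of its dependency atoms has no stable-keyworded version there, so the stabilisation request has to grow until every such atom is covered. That is how the bug's package list ended up carrying libbluray, libudfread, libdvdnav and libdvdread alongside vlc. The following is an added example, not Gentoo's own bot or any code from this bug, that models the check on a small keyword table. The repository contents, keyword sets and dependency lists in it are constructed for illustration; they follow the atoms quoted in the bug but are not the real repository state.

```python
"""Added example: a toy model of the Gentoo keyword sanity check quoted above.

Not Gentoo's own tooling; the real check runs against the full ebuild
repository and per-profile dependency graphs. The keyword table, dependency
lists and version states below are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[Tuple[int, ...], int]   # (dotted components, -rN revision)

# Constructed: package -> {version: set of arches on which it is stable}.
REPO: Dict[str, Dict[str, set]] = {
    "media-video/vlc":       {"3.0.12": {"amd64", "x86", "arm64"}, "3.0.13": set()},
    "media-libs/libbluray":  {"1.2.1": {"amd64", "x86", "arm64"}, "1.3.0-r1": set()},
    "dev-libs/libudfread":   {"1.1.2": {"arm64"}},          # not stable on amd64/x86
    "media-libs/libdvdnav":  {"6.1.0": {"amd64", "x86", "arm64"}, "6.1.1": {"arm64"}},
    "media-libs/libdvdread": {"6.1.1": {"amd64", "x86", "arm64"}, "6.1.2": {"arm64"}},
    "net-libs/srt":          {"1.4.2": {"amd64", "x86", "arm64"}},
}

# Constructed: dependency atoms of the version being stabilised, mirroring the
# atoms in the check output (USE deps and slots are carried along unchanged).
DEPS: Dict[str, List[str]] = {
    "media-video/vlc": [
        ">=media-libs/libbluray-1.3.0:=",
        ">=media-libs/libdvdnav-6.1.1:0=",
        ">=media-libs/libdvdread-6.1.2:0=",
        "net-libs/srt",                      # already stable: must not be reported
    ],
    "media-libs/libbluray": ["dev-libs/libudfread[abi_x86_32(-),abi_x86_64(-)]"],
}

ATOM_OP = re.compile(r"^(>=|<=|>|<|=)?(.*)$")
PKG_VER = re.compile(r"^(.+?)-(\d[\d.]*(?:-r\d+)?)$")


def parse_version(text: str) -> Version:
    """'1.3.0-r1' -> ((1, 3, 0), 1); a missing revision counts as -r0."""
    base, _, rev = text.partition("-r")
    return tuple(int(p) for p in base.split(".")), int(rev or 0)


def parse_atom(atom: str) -> Tuple[Optional[str], str, Optional[str]]:
    """Split an atom into (operator, package, version).

    USE-dependency brackets and the slot suffix are dropped: they do not
    change which versions are acceptable, which is all this check needs.
    """
    op, rest = ATOM_OP.match(atom).groups()
    rest = rest.split("[", 1)[0].split(":", 1)[0]
    if op is None:
        return None, rest, None
    pkg, ver = PKG_VER.match(rest).groups()
    return op, pkg, ver


def matches(op: Optional[str], want: Optional[Version], have: Version) -> bool:
    """Does a candidate version satisfy the atom's operator?"""
    if op is None:
        return True
    return {">=": have >= want, "<=": have <= want,
            ">": have > want, "<": have < want, "=": have == want}[op]


def stable_versions(pkg: str, arch: str) -> List[Version]:
    return [parse_version(v) for v, kw in REPO.get(pkg, {}).items() if arch in kw]


def unsatisfied_deps(pkg: str, arch: str) -> List[str]:
    """Atoms of pkg that no stable-keyworded version on arch can satisfy."""
    bad = []
    for atom in DEPS.get(pkg, []):
        op, dep, ver = parse_atom(atom)
        want = parse_version(ver) if ver else None
        if not any(matches(op, want, have) for have in stable_versions(dep, arch)):
            bad.append(atom)
    return bad


def best_candidate(atom: str) -> Tuple[str, str]:
    """Highest repository version satisfying the atom: what must be stabilised."""
    op, dep, ver = parse_atom(atom)
    want = parse_version(ver) if ver else None
    cands = [v for v in REPO.get(dep, {}) if matches(op, want, parse_version(v))]
    if not cands:
        raise ValueError(f"no version in the repo satisfies {atom}")
    return dep, max(cands, key=parse_version)


def stabilisation_set(pkg: str, arch: str) -> Dict[str, str]:
    """Transitively collect the dependencies that must go stable with pkg."""
    needed: Dict[str, str] = {}
    stack = [pkg]
    while stack:
        for atom in unsatisfied_deps(stack.pop(), arch):
            dep, ver = best_candidate(atom)
            if dep not in needed:       # its own unsatisfied atoms are checked next
                needed[dep] = ver
                stack.append(dep)
    return needed


if __name__ == "__main__":
    for arch in ("amd64", "arm64"):
        print(f"{arch} unsatisfied: {unsatisfied_deps('media-video/vlc', arch)}")
        print(f"{arch} must also go stable: {stabilisation_set('media-video/vlc', arch)}")
```

On the constructed table, amd64 reports the three vlc atoms and then pulls libudfread in through libbluray, while arm64 reports only the libbluray atom because libdvdnav-6.1.1 and libdvdread-6.1.2 are already stable there, which is the same per-arch shape the two check outputs above show. The real check is per profile rather than per arch and also evaluates USE-dependency brackets against each profile's multilib flags, which is why the libbluray failure lists abi_x86_32/abi_x86_64/abi_x86_x32 variants separately.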
https://www.videolan.org/security/sb-vlc3013.html

“Details

A remote user could create a specifically crafted file that could trigger various issues. It is possible to trigger a remote code execution through a specifically crafted playlist, and tricking the user into interacting with that playlist's elements. This is explained in more detail in the reporter's article. It is also possible to trigger read or write buffer overflows with some crafted files or by a MITM attack on the automatic updater.

Impact

If successful, a malicious third party could trigger either a crash of VLC or an arbitrary code execution with the privileges of the target user. While these issues in themselves are most likely to just crash the player, we can't exclude that they could be combined to leak user information or remotely execute code. ASLR and DEP help reduce the likelihood of code execution, but may be bypassed. We have not seen exploits performing code execution through these vulnerabilities.”

arm done

amd64 stable

x86 stable

sparc done

ppc64 stable

ppc done

arm64 done

all arches done

Please cleanup.

Unable to check for sanity:
> no match for package: media-video/vlc-3.0.14
This should be closed, as the referenced versions of vlc are not even in the repo anymore. Comments indicate that the implementation was successful across all supported archs.

(In reply to Amel Hodzic from comment #17)
> This should be closed, as the referenced versions of vlc are not even in the
> repo anymore. Comments indicate that the implementation was successful
> across all supported archs.

Ideally we'll GLSA it, but that's a bit hard given how opaque that changelog is. Remember, not everyone syncs as regularly as they should.