
Bug 788226

Summary: <media-video/vlc-3.0.13: Unspecified vulnerabilities
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---
Severity: normal
CC: media-video
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ?? [glsa?]
Package list:
media-video/vlc-3.0.14 amd64 arm64 ppc ppc64 x86
media-libs/libbluray-1.3.0-r1
dev-libs/libudfread-1.1.2
media-libs/libdvdnav-6.1.1
media-libs/libdvdread-6.1.2
Runtime testing required: ---
Attachments:
vlc-3.0.13-srt-1.3.0+.patch (flags: none)

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-04 21:48:31 UTC
The release notes for 3.0.13 say:
"VLC media player 3.0.13 'Vetinari'

This is the fourteenth release of VLC 3.0 branch, named "Vetinari",
in reference to the Lord Patrician from Discworld.

This update contains various fixes and improvements:
- Fix artifacts in HLS streams
- Fix MP4 audio support regressions
- Add SSA text scaling support
- Add NFSv4 support
- Improve SMB2 integration
- Improve Direct3D11 rendering smoothness
- Add mousewheel horizontal axis support
- Security fixes

And many more, check our NEWS file for more details!"
Comment 1 NATTkA bot gentoo-dev 2021-05-04 21:52:24 UTC Comment hidden (obsolete)
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2021-05-04 22:34:27 UTC
Created attachment 706062 [details, diff]
vlc-3.0.13-srt-1.3.0+.patch

Required patch to still build against >=net-libs/srt-1.3.0
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-04 22:44:06 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #2)
> Created attachment 706062 [details, diff]
> vlc-3.0.13-srt-1.3.0+.patch
> 
> Required patch to still build against >=net-libs/srt-1.3.0

Oh, of course. I'll commit it now just because it's faster, thank you
Comment 4 Larry the Git Cow gentoo-dev 2021-05-04 22:47:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3c66c764661b65e66ebe69ef6d4cce3a544b6a85

commit 3c66c764661b65e66ebe69ef6d4cce3a544b6a85
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-05-04 22:46:13 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-05-04 22:46:13 +0000

    media-video/vlc: allow building against newer net-libs/srt
    
    Bug: https://bugs.gentoo.org/788226
    Thanks-to: Lars Wendler <polynomial-c@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/vlc/files/vlc-3.0.13-srt-1.3.0.patch | 11 +++++++++++
 media-video/vlc/vlc-3.0.13.ebuild                |  1 +
 2 files changed, 12 insertions(+)
Comment 5 NATTkA bot gentoo-dev 2021-05-04 23:00:21 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-05-04 23:04:24 UTC Comment hidden (obsolete)
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-25 03:14:19 UTC
https://www.videolan.org/security/sb-vlc3013.html

“Details
A remote user could create a specifically crafted file that could trigger various issues.
It is possible to trigger a remote code execution through a specifically crafted playlist, and tricking the user into interacting with that playlist's elements.
This is explained in more detail in the reporter's article.
It is also possible to trigger read or write buffer overflows with some crafted files or by a MITM attack on the automatic updater.
Impact
If successful, a malicious third party could trigger either a crash of VLC or an arbitrary code execution with the privileges of the target user.
While these issues in themselves are most likely to just crash the player, we can't exclude that they could be combined to leak user information or remotely execute code. ASLR and DEP help reduce the likelihood of code execution, but may be bypassed.
We have not seen exploits performing code execution through these vulnerabilities.”
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-25 11:56:33 UTC
arm done
Comment 9 Agostino Sarubbo gentoo-dev 2021-05-25 18:58:25 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2021-05-25 19:10:39 UTC
x86 stable
Comment 11 Rolf Eike Beer archtester 2021-05-28 15:46:54 UTC
sparc done
Comment 12 Agostino Sarubbo gentoo-dev 2021-05-28 19:39:15 UTC
ppc64 stable
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-02 10:38:15 UTC
ppc done
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-03 00:41:50 UTC
arm64 done

all arches done
Comment 15 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-03 01:52:32 UTC
Please cleanup.
Comment 16 NATTkA bot gentoo-dev 2021-06-22 18:44:27 UTC
Unable to check for sanity:

> no match for package: media-video/vlc-3.0.14
Comment 17 Amel Hodzic 2022-06-05 16:11:54 UTC
This should be closed, as the referenced versions of vlc are not even in the repo anymore.  Comments indicate that the implementation was successful across all supported archs.
Comment 18 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-05 16:48:45 UTC
(In reply to Amel Hodzic from comment #17)
> This should be closed, as the referenced versions of vlc are not even in the
> repo anymore.  Comments indicate that the implementation was successful
> across all supported archs.

Ideally we'll GLSA it, but that's a bit hard given how opaque that changelog is. Remember, not everyone syncs as regularly as they should.