Secunia: Some vulnerabilities have been discovered in VLC Media Player, which can be exploited by malicious people to compromise a user's system.

1) Boundary errors in the "ParseMicroDvd()", "ParseSSA()", and "ParseVplayer()" functions when handling subtitles can be exploited to cause stack-based buffer overflows.

2) A format string error in the web interface listening on port 8080/tcp (disabled by default) can be exploited via a specially crafted HTTP request with a "Connection" header value containing format specifiers.

Successful exploitation of the vulnerabilities allows execution of arbitrary code.

The vulnerabilities have been confirmed in version 0.8.6d. Other versions may also be affected.

Solution: Fixed in the SVN repository.

Provided and/or discovered by:
1) Originally reported by Michal Luczaj. Additional information provided by Luigi Auriemma.
2) Luigi Auriemma

Original Advisory:
Michal Luczaj:
http://mailman.videolan.org/pipermail/vlc-devel/2007-June/032672.html
http://mailman.videolan.org/pipermail/vlc-devel/2007-June/033394.html
Luigi Auriemma:
http://aluigi.altervista.org/adv/vlcboffs-adv.txt
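The advisory above describes two classes of defect: an unbounded copy of subtitle text into a stack buffer, and untrusted header data used as a printf-style format string. The following C program is an added illustration of the hardened patterns for both, written for this thread; it is not VLC's code and makes no claim about how the actual fixes in subtitle.c or httpd.c were written. The cue format, the 256-byte limit, and the function names are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Maximum subtitle text kept per cue (constructed limit for this example). */
#define SUB_TEXT_MAX 256

typedef struct {
    long start_frame;
    long end_frame;
    char text[SUB_TEXT_MAX];
} subtitle_cue;

/* Bounded parser for a MicroDVD-style cue "{start}{end}text".
 * Returns 0 and fills *out on success; -1 if the line is malformed or the
 * text would not fit in the fixed-size buffer. An overlong line is rejected
 * rather than copied into a buffer that cannot hold it. */
int parse_microdvd_cue(const char *line, subtitle_cue *out)
{
    if (line == NULL || out == NULL || line[0] != '{')
        return -1;

    char *endp;
    long start = strtol(line + 1, &endp, 10);
    if (endp == line + 1 || *endp != '}' || endp[1] != '{')
        return -1;

    const char *second = endp + 2;
    long end = strtol(second, &endp, 10);
    if (endp == second || *endp != '}')
        return -1;

    const char *text = endp + 1;
    size_t len = 0;
    while (text[len] != '\0' && text[len] != '\n' && text[len] != '\r') {
        if (++len >= SUB_TEXT_MAX)   /* stop before exceeding what fits */
            return -1;
    }

    out->start_frame = start;
    out->end_frame = end;
    memcpy(out->text, text, len);
    out->text[len] = '\0';
    return 0;
}

/* Convenience wrapper: returns the parsed text length, or -1 when rejected. */
int microdvd_text_len(const char *line)
{
    subtitle_cue cue;
    if (parse_microdvd_cue(line, &cue) != 0)
        return -1;
    return (int)strlen(cue.text);
}

/* Builds a constructed cue whose text is far longer than SUB_TEXT_MAX and
 * returns 1 if the parser rejects it, 0 if it accepts it. */
int overlong_cue_rejected(void)
{
    char longline[SUB_TEXT_MAX + 64];
    memset(longline, 'A', sizeof longline - 1);
    longline[sizeof longline - 1] = '\0';
    memcpy(longline, "{10}{20}", 8);
    return microdvd_text_len(longline) < 0;
}

/* Format a client-supplied header value for a log line. The untrusted value
 * is an argument to a fixed format string, never the format itself, so any
 * '%' sequences in it are copied literally. Returns what snprintf returns. */
int format_header_log(char *buf, size_t bufsz, const char *connection_value)
{
    return snprintf(buf, bufsz, "Connection: %s", connection_value);
}

/* Returns 1 if the logged line carries the value verbatim (no expansion). */
int header_logged_literally(const char *connection_value)
{
    char buf[512];
    int n = format_header_log(buf, sizeof buf, connection_value);
    if (n < 0 || (size_t)n >= sizeof buf)
        return 0;
    return strcmp(buf + strlen("Connection: "), connection_value) == 0;
}

int main(void)
{
    printf("normal cue text length: %d\n", microdvd_text_len("{10}{20}Hello"));
    printf("overlong cue rejected: %d\n", overlong_cue_rejected());
    printf("header with %%-sequences logged literally: %d\n",
           header_logged_literally("%x%x%n"));
    return 0;
}
```

The two checks worth carrying into any parser of attacker-controlled files or requests are the ones shown: measure the input against the destination before copying, and treat external strings only as `%s` arguments, never as the format.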
Media-video, please advise. (Or is this already fixed in our ebuilds? The advisories are from June and I spotted other security bug reports from November.)
Had a quick look. One of the changes is: http://trac.videolan.org/vlc/changeset/23839 from 3 days ago. Given this and the fact that Secunia confirmed the vulnerabilities in 0.8.6d and our latest stable is 0.8.6c, and the unstable SVN snapshot ebuilds are older than 3 days, we most likely need new ebuilds here.
hmm ok, after checking it:

1) => been fixed a while ago in trunk, so 0.9.0 snapshots should be ok in that regard. However, the backport to the 0.8.6 branch had been forgotten and was committed only a few days ago.

2) => Discovered recently, fixed in trunk and in the 0.8.6 branch.

A 0.8.6e release is in preparation that should fix both. I'd prefer waiting a few days more (as it's expected at the very beginning of the year). I also need to put up a more recent trunk snapshot for ~arch users; this one should also fix 2).
Alexis, are there any news here? Can you ping the VLC guys if necessary?
(In reply to comment #4)
> Alexis, are there any news here? Can you ping the VLC guys if necessary?
>
bah, as 0.8.6e seems to be late, I've bumped 0.8.6d applying the two fixes.
Alexis, thanks. I assume vlc-0.9.0_alpha20080110 has the same patches included, so ~arch is unaffected now? Arches, please test and mark stable media-video/vlc-0.8.6d. Target keywords: "alpha amd64 ppc sparc x86"
amd64 stable
(In reply to comment #6)
> Alexis, thanks. I assume vlc-0.9.0_alpha20080110 has the same patches included,
> so ~arch is unaffected now?
yes, ~arch is unaffected now
x86 stable
Sparc stable, works as expected.
ppc stable
alpha stable, thanks Tobias and sorry for the delay
CVE-2007-6681: Stack-based buffer overflow in modules/demux/subtitle.c in VideoLAN VLC 0.8.6d allows remote attackers to execute arbitrary code via a long subtitle in a (1) MicroDvd, (2) SSA, and (3) Vplayer file.

CVE-2007-6682: Format string vulnerability in the httpd_FileCallBack function (network/httpd.c) in VideoLAN VLC 0.8.6d allows remote attackers to execute arbitrary code via format string specifiers in the Connection parameter.
This also fixes:
* CVE-2007-6683
* CVE-2007-6684
GLSA 200803-13