A vulnerability in VLC Media Player has been reported, which can potentially be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a boundary error within modules/access/rtsp/real_sdpplin.c when processing SDP (Session Description Protocol) data for RTSP sessions. This can be exploited to cause a heap-based buffer overflow, e.g. when a user is enticed to connect to a malicious server.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is reported in version 0.8.6d. Other versions may also be affected.
Solution: none available yet
Is upstream aware of this? I haven't seen anything related on the ML.
Luigi usually seems to contact upstream, probably in a private mail. If you can, please ask for a status update.
Problem is fixed in r24246. Not sure if we should use CVE-2008-0238 or CVE-2008-0225 for the VLC issues; I'd have to look at the code.
Also, two new issues were reported via CVE -- both are fixed upstream. I don't know if the VLC team plans a new release, otherwise grabbing the patches for us would be the way to go. Alexis, what do you think?
Reference: MLIST:[vlc-devel] 20071226 Regarding "obscure" security problem
The browser plugin in VideoLAN VLC 0.8.6d allows remote attackers to
overwrite arbitrary files via (1) the :demuxdump-file option in a
filename in a playlist, or (2) a EXTVLCOPT statement in an MP3 file,
possibly an argument injection vulnerability.
Reference: MLIST:[vlc-devel] 20070915 vlc: svn commit r22023 (courmisch)
The RTSP module in VideoLAN VLC 0.8.6d allows remote attackers to
cause a denial of service (crash) via a request without a Transport
parameter, which triggers a NULL pointer dereference.
Another issue is reported:
Stack-based buffer overflow in modules/demux/subtitle.c in VideoLAN VLC 0.8.6d
allows remote attackers to execute arbitrary code via a long subtitle in a (1)
MicroDvd, (2) SSA, and (3) Vplayer file.
Format string vulnerability in the httpd_FileCallBack function
(network/httpd.c) in VideoLAN VLC 0.8.6d allows remote attackers to execute
arbitrary code via format string specifiers in the Connection parameter.
Heap-based buffer overflow in modules/access/rtsp/real_sdpplin.c in the Xine
library, as used in VideoLAN VLC Media Player 0.8.6d and earlier, allows
user-assisted remote attackers to cause a denial of service (crash) or execute
arbitrary code via long Session Description Protocol (SDP) data.
Heap-based buffer overflow in the libaccess_realrtsp plugin in VideoLAN VLC
Media Player 0.8.6d and earlier on Windows might allow remote RTSP servers to
cause a denial of service (application crash) or execute arbitrary code via a
I'm starting to be really confused here...
The initial vuln. is (as far as I know) not even fixed in trunk; perhaps I missed something.
Some are bug #205197, which is fixed in trunk but not backported to -bugfix as far as I know.
Some are bug #203345, which is already fixed and stable.
Some others I don't know.
Could someone please help me sort out what has been applied and what not? And for sure, adding all the CVEs assigned to VLC in the last year won't help.
(In reply to comment #3)
> Name: CVE-2007-6684
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6684
> Reference: MLIST:[vlc-devel] 20070915 vlc: svn commit r22023 (courmisch)
> Reference: CONFIRM:http://trac.videolan.org/vlc/changeset/22023
> The RTSP module in VideoLAN VLC 0.8.6d allows remote attackers to
> cause a denial of service (crash) via a request without a Transport
> parameter, which triggers a NULL pointer dereference.
Doesn't seem to be in 0.8.6d.
Hint: check the date: http://download.videolan.org/pub/vlc/0.8.6d/
Anything committed to the -bugfix branch before that date is most likely to be in that release.
This will probably help:
(In reply to comment #4)
> another issue is reported:
> Stack-based buffer overflow in modules/demux/subtitle.c in VideoLAN VLC 0.8.6d
> allows remote attackers to execute arbitrary code via a long subtitle in a (1)
> MicroDvd, (2) SSA, and (3) Vplayer file.
> Format string vulnerability in the httpd_FileCallBack function
> (network/httpd.c) in VideoLAN VLC 0.8.6d allows remote attackers to execute
> arbitrary code via format string specifiers in the Connection parameter.
Please don't start a confusion here. We handled those issues in bug 203345.
CVE-2008-0296: Windows only, according to reporter.
* Is this http://trac.videolan.org/vlc/changeset/24246 ?
(In reply to comment #10)
> CVE-2007-6683: http://trac.videolan.org/vlc/changeset/23197
Our 0.8.6d still has this one.
> CVE-2007-6684: http://trac.videolan.org/vlc/changeset/22023
As far as I can tell, this one is included in 0.8.6d and can be handled in bug #203345
> CVE-2008-0295: *
> * Is this http://trac.videolan.org/vlc/changeset/24246 ?
Nope, as far as I can tell, if you have a look at trunk in modules/access/rtsp/real_sdpplin.c, you still have something in the fashion of:
buf = malloc(3200);
if (filter(data, "m=", &buf))
where filter does a memcpy of the size of data onto buf, where of course data is the input.
I'm not sure changeset 24246 fixes something security related. We could ask Diego as hg log tells me he's the one who fixed that in xine-lib :)
However, changeset 24247 is supposed to be bug #205197, aka CVE-2008-0225
> CVE-2008-0296: Windows only, according to reporter.
I fail to see how it is different from CVE-2008-0295
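The pattern described in the comment above (a fixed 3200-byte heap buffer filled by an unchecked memcpy of server-supplied SDP data), as an added example that is not VLC's real_sdpplin.c and not code posted in this bug: the vulnerable copy next to a bounded one that refuses values that do not fit. The buffer size SDP_BUF_SIZE, the sdp_find_field/filter_bounded/parse_m_line_bounded names and the SDP sample are all constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not VLC code: a fixed-size heap buffer for one SDP
 * field value, sized like the malloc(3200) mentioned in the thread. */
#define SDP_BUF_SIZE 3200

/* Locate the first line of `data` starting with `tag` (e.g. "m=").
 * Returns the length of the value up to the line end, or -1 if absent.
 * `*val_out` points into `data`; nothing is copied here. */
long sdp_find_field(const char *data, const char *tag, const char **val_out)
{
    size_t taglen = strlen(tag);
    const char *line = data;
    while (*line) {
        if (strncmp(line, tag, taglen) == 0) {
            *val_out = line + taglen;
            return (long)strcspn(*val_out, "\r\n");
        }
        line += strcspn(line, "\n");
        if (*line == '\n')
            line++;
    }
    return -1;
}

/* Test helper: length of the value for `tag`, or -1 if the field is missing. */
long sdp_field_len(const char *data, const char *tag)
{
    const char *val = NULL;
    return sdp_find_field(data, tag, &val);
}

/* Vulnerable shape: copies the value into buf with no regard for buf's size.
 * A remote RTSP server controls `data`, so a value of SDP_BUF_SIZE bytes or
 * more writes past the heap allocation. Shown for contrast only; the demo
 * main() calls it on a short input so that it does not actually overflow. */
int filter_unbounded(const char *data, const char *tag, char *buf)
{
    const char *val;
    long len = sdp_find_field(data, tag, &val);
    if (len < 0)
        return 0;
    memcpy(buf, val, (size_t)len);   /* no bound check: heap overflow */
    buf[len] = '\0';
    return 1;
}

/* Hardened shape: the caller passes the buffer size and any value that does
 * not fit (including its terminating NUL) is rejected with -1. */
int filter_bounded(const char *data, const char *tag, char *buf, size_t bufsize)
{
    const char *val;
    long len = sdp_find_field(data, tag, &val);
    if (len < 0)
        return 0;
    if ((size_t)len >= bufsize)
        return -1;                   /* would overflow: refuse the field */
    memcpy(buf, val, (size_t)len);
    buf[len] = '\0';
    return 1;
}

/* Build a constructed SDP blob whose "m=" line carries `mlen` bytes of 'A'.
 * Caller frees the result. */
char *make_sdp(size_t mlen)
{
    const char *head = "v=0\r\no=- 1 1 IN IP4 127.0.0.1\r\ns=test\r\nm=";
    size_t headlen = strlen(head);
    char *sdp = malloc(headlen + mlen + 3);
    if (!sdp)
        return NULL;
    memcpy(sdp, head, headlen);
    memset(sdp + headlen, 'A', mlen);
    memcpy(sdp + headlen + mlen, "\r\n", 3);   /* includes the NUL */
    return sdp;
}

/* Parse the "m=" value of an SDP with an mlen-byte value into a heap buffer
 * of SDP_BUF_SIZE using the bounded filter; returns 1 (copied), -1 (too
 * long) or 0 (field missing / allocation failure). */
int parse_m_line_bounded(size_t mlen)
{
    char *sdp = make_sdp(mlen);
    char *buf = malloc(SDP_BUF_SIZE);
    int rc = (sdp && buf) ? filter_bounded(sdp, "m=", buf, SDP_BUF_SIZE) : 0;
    free(buf);
    free(sdp);
    return rc;
}

int main(void)
{
    char *sdp = make_sdp(20);            /* 20 < SDP_BUF_SIZE: safe for both */
    char buf[SDP_BUF_SIZE];
    if (sdp && filter_unbounded(sdp, "m=", buf))
        printf("unbounded copy of a short m= line: %s\n", buf);
    printf("bounded, 20-byte m= line:   %d\n", parse_m_line_bounded(20));
    printf("bounded, 4000-byte m= line: %d\n", parse_m_line_bounded(4000));
    free(sdp);
    return 0;
}
```

The only difference between the two filters is that the bounded one knows the allocation size and checks `len >= bufsize` before the memcpy; that is the whole of the fix class for this bug, and it is why the reviewer's question "does this changeset touch the copy or only the caller?" is the right one to ask of r24246.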
(In reply to comment #11)
> > CVE-2008-0295: *
> > * Is this http://trac.videolan.org/vlc/changeset/24246 ?
> Nope, as far as I can tell, if you have a look at trunk in
> modules/access/rtsp/real_sdpplin.c, you still have something in the fashion of:
> buf = malloc(3200)
> if (filter(data, "m=", &buf))
> where filter does a memcopy of the size of data onto buf, where of course data
> is the input.
> I'm not sure changeset 24246 fixes something security related. We could ask
> Diego as hg log tells me he's the one who fixed that in xine-lib :)
> However, changeset 24247 is supposed to be bug #205197, aka CVE-2008-0225
this is: http://trac.videolan.org/vlc/changeset/24440
(In reply to comment #11)
> (In reply to comment #10)
> > CVE-2007-6683: http://trac.videolan.org/vlc/changeset/23197
> our 0.8.6d still has this one
In fact it doesn't:
From NEWS file:
* You now need to append --m3u-extvlcopt to your command line to enable
EXTVLCOPT options parsing in m3u playlists.
So please move this one to bug #203345
0.8.6d-r1 in the tree, with changesets 24247 and 24440 in its patches. That should be all that is needed.
Now for the ranting, I'd really appreciate it if you could at least check the changelog and that our version is affected before copying all the CVEs you can find there, thanks.
I did not intend to paste "all the CVEs I could find". There were six CVE identifiers assigned within one day, four of which were unknown to me, and I tried to sort out their status on this bug.
I'm sorry, but I also have to deal with this mess and partial information, and to be honest, could not do so without your help. I don't know the people, code, and practices in VLC. So I'll do my best to give the info I find, but I hope you can understand I rely on your help there. So thanks for sorting this out.
Arches, please test and mark stable:
Target keywords : "alpha amd64 ppc sparc x86"
Tested media-video/vlc-0.8.6d-r1 USE="X a52 aalib alsa avahi dts dvd flac gnome hal mp3 mpeg musepack ncurses nsplugin ogg opengl png samba sdl speex svg theora truetype vcd vorbis x264 xinerama xv (-3dfx) (-altivec) -arts -bidi -cdda -cddb -corba -daap -dc1394 -debug (-directfb) (-dvb) -esd -fbcon -ggi -gnutls -httpd -jack -libcaca -libnotify (-lirc) -live -matroska (-modplug) -optimisememory -oss -rtsp -sdl-image -seamonkey -shout -skins -stream (-svga) -upnp -v4l -vlm (-win32codecs) -wxwindows -xml -xosd" on sparc.
- no test phase
- no collisions
# emerge --info
Portage 184.108.40.206 (default-linux/sparc/sparc64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23-gentoo-r6 sparc64)
System uname: 2.6.23-gentoo-r6 sparc64 sun4u
Timestamp of tree: Tue, 29 Jan 2008 17:30:01 +0000
sys-devel/autoconf: 2.13, 2.61-r1
sys-devel/automake: 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
CFLAGS="-mcpu=ultrasparc3 -mtune=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe -frename-registers -ggdb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CPPFLAGS="-mcpu=ultrasparc3 -mtune=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe -frename-registers -ggdb"
CXXFLAGS="-mcpu=ultrasparc3 -mtune=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe -frename-registers -ggdb"
FEATURES="collision-protect distlocks installsources metadata-transfer parallel-fetch sandbox splitdebug strict test userfetch userpriv usersandbox"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
alpha/sparc stable, thanks Tobias and Friedrich