Bug 214277 - media-video/vlc <0.8.6e-r1 Subtitle buffer overflow (CVE-2008-1881) and Xine CVE-2008-0073
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Reported: 2008-03-22 16:25 UTC by Robert Buchholz (RETIRED)
Modified: 2008-04-23 16:21 UTC (History)
Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-22 16:25:51 UTC
Luigi Auriemma writes:
The old buffer overflow in the subtitles handled by VLC has not been
fully patched in version 0.8.6e; in fact, buffer_text2 in ParseSSA is
still unchecked:

    if( sscanf( s,
      "Dialogue: %[^,],%d:%d:%d.%d,%d:%d:%d.%d,%81920[^\r\n]",

The funny thing is that my old proof-of-concept was built just to test
this specific buffer-overflow and in fact it works on the new VLC version
too without modifications 8-)

The SVN version, instead, was and is patched, and has been for 10 months, as I wrote in
my old advisory:
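The sscanf call quoted above bounds the trailing text field with a width (%81920[...]) but leaves the first %[^,] conversion unbounded, so a "Dialogue:" line with an over-long first field writes past the end of that buffer. The following is an added example, not VLC's code and not the fix referenced in this bug: it shows the same format with a width on the first conversion and a check of sscanf's return value, so an over-long field is rejected rather than overflowing or being silently truncated. The buffer sizes, struct layout and function names are assumptions for illustration, and the sample lines are constructed here.

```c
/*
 * Added example (not VLC's code): the sscanf pattern quoted above, with the
 * first %[^,] conversion bounded the same way the trailing text field already
 * is, plus a return-value check so an over-long field is rejected instead of
 * silently truncated. Buffer sizes and names are assumptions for illustration.
 */
#include <stdio.h>
#include <string.h>

#define SSA_STYLE_MAX 63    /* assumed capacity of the first field (was unbounded) */
#define SSA_TEXT_MAX  255   /* assumed capacity of the trailing text field */

/* Turn a numeric macro into a string so it can be spliced into the format. */
#define STR_(x) #x
#define STR(x) STR_(x)

typedef struct {
    char style[SSA_STYLE_MAX + 1];
    int  h1, m1, s1, c1;    /* start time  h:mm:ss.cc */
    int  h2, m2, s2, c2;    /* end time */
    char text[SSA_TEXT_MAX + 1];
} ssa_dialogue_t;

/*
 * Parse one "Dialogue:" line. Returns 1 only if all ten conversions matched.
 * With the width on the first field, an over-long field stops the %63[^,]
 * early; the literal ',' that follows then fails to match, sscanf returns 1,
 * and the line is rejected. Without the width, the same input would write
 * past the end of out->style, which is the bug described above.
 */
int parse_ssa_dialogue(const char *line, ssa_dialogue_t *out)
{
    int n = sscanf(line,
        "Dialogue: %" STR(SSA_STYLE_MAX) "[^,],"
        "%d:%d:%d.%d,%d:%d:%d.%d,"
        "%" STR(SSA_TEXT_MAX) "[^\r\n]",
        out->style,
        &out->h1, &out->m1, &out->s1, &out->c1,
        &out->h2, &out->m2, &out->s2, &out->c2,
        out->text);
    return n == 10;
}

/* Constructed sample line (not from a real subtitle file). */
static const char SAMPLE_OK[] =
    "Dialogue: Marked=0,0:00:01.00,0:00:05.00,Default,,0000,0000,0000,,Hello";

/*
 * Build a constructed line whose first field is `n` bytes of 'A', i.e. the
 * shape of input that overflows an unbounded %[^,]. Returns 0 if buf is too small.
 */
int make_long_dialogue(char *buf, size_t bufsz, size_t n)
{
    const char head[] = "Dialogue: ";
    const char tail[] = ",0:00:01.00,0:00:05.00,Default,,0000,0000,0000,,payload";
    size_t hl = sizeof head - 1, tl = sizeof tail - 1;

    if (bufsz < hl + n + tl + 1)
        return 0;
    memcpy(buf, head, hl);
    memset(buf + hl, 'A', n);
    memcpy(buf + hl + n, tail, tl + 1);   /* includes the terminating NUL */
    return 1;
}

/* Returns 1 if the well-formed sample parses and its fields come out right. */
int check_sample_parses(void)
{
    ssa_dialogue_t d;
    return parse_ssa_dialogue(SAMPLE_OK, &d)
        && strcmp(d.style, "Marked=0") == 0
        && d.s1 == 1 && d.s2 == 5
        && strcmp(d.text, "Default,,0000,0000,0000,,Hello") == 0;
}

/* Returns 1 if a 500-byte first field is rejected and the buffer stayed in bounds. */
int check_long_field_rejected(void)
{
    char line[1024];
    ssa_dialogue_t d;
    memset(&d, 0, sizeof d);
    if (!make_long_dialogue(line, sizeof line, 500))
        return 0;
    return parse_ssa_dialogue(line, &d) == 0
        && strlen(d.style) == SSA_STYLE_MAX;
}

int main(void)
{
    printf("well-formed line parsed: %s\n", check_sample_parses() ? "yes" : "no");
    printf("over-long first field rejected: %s\n", check_long_field_rejected() ? "yes" : "no");
    return 0;
}
```

The width alone is not enough: a bounded %63[^,] still succeeds on an over-long field, leaving the remainder unparsed, so the caller has to compare sscanf's return value against the number of conversions it expects before trusting any of the fields.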
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-22 16:26:53 UTC
We handled this issue back in bug 203345, but I could reproduce a segfault with the 0.8.6e release.
Comment 2 Alexis Ballier gentoo-dev 2008-03-22 16:50:06 UTC
Yep, I've had the patches for a few days;
basically it is:;h=94baded6eff88e39c98b6e3572826f16f21ceec3


I suppose I could just add them to the patchset and make a -r1 instead of waiting for 0.8.6f, which has been tagged at the same time but for which I don't know when it'll be released.
Comment 3 Alexis Ballier gentoo-dev 2008-03-22 17:48:33 UTC
Those 2 patches are now in -r1.
There is the subtitles stuff plus xine's CVE-2008-0073.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-03-22 18:20:43 UTC
Alexis, thanks for the fast fix. I hope you are also following bug 214270 for new xine vulnerabilities :-/

Arches, please test and mark stable:
Target keywords : "alpha amd64 ppc release sparc x86"
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-03-22 18:21:05 UTC
second try
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-22 21:10:18 UTC
x86 stable
Comment 7 Friedrich Oslage (RETIRED) gentoo-dev 2008-03-22 21:51:25 UTC
Tested media-video/vlc-0.8.6e-r1 sparc

Installs fine and works without segfaults :)

# emerge --info
Portage (default-linux/sparc/sparc64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.24-gentoo-r3 sparc64)
System uname: 2.6.24-gentoo-r3 sparc64 sun4u
Timestamp of tree: Sat, 22 Mar 2008 20:00:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p17-r1
dev-lang/python:     2.4.4-r9
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
CFLAGS="-mcpu=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe -frename-registers -ggdb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CPPFLAGS="-mcpu=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe -frename-registers -ggdb"
CXXFLAGS="-mcpu=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe -frename-registers -ggdb"
FEATURES="ccache collision-protect distlocks installsources metadata-transfer parallel-fetch sandbox splitdebug strict test userfetch userpriv usersandbox"
LINGUAS="en de"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTDIR_OVERLAY="/usr/portage/local/layman/sunrise /usr/local/portage"
USE="64bit 7zip X a52 aac aalib ace agg alsa artworkextra audacious avahi blender-game bluetooth bzip2 c++ caps ccache clock-screen cups curl custom-cflags cvs cxx dbus devhelp dga disk-partition divx dri dts dv dvd dvdread encode evo exif fastcgi fat ffmpeg flac ftp fuse gd gif gimp gimpprint glade gmedia gnome gnome-print gnomecanvas gpm grammar gtk hal hpn ieee1394 imap ithreads javascript jpeg jpeg2k key-screen libsexy lyrics lzo mad memcache midi mikmod mjpeg mouse mp2 mp3 mpeg mpeg2 mplayer musepack musicbrainz nautilus ncurses network networking nls nptl nptlonly nsplugin offensive ogg openal opengl opera pam pcre pdf png pnm ppds quicktime raw realmedia regex ruby samba sasl sdl sdl-image search-screen slang smartcard smp sms sound soundex source sourceview sparc speex spell sqlite3 ssl subversion svg symlink taglib tagwriting theora threads tiff timidity truetype tta unicode usb userlocales utils vcd vidix vim vim-syntax vim-with-x vorbis wma wmf wmp x264 xanim xcb xfce xine xinerama xorg xulrunner xv xvid zlib" ALSA_PCM_PLUGINS="adpcm alaw copy dshare dsnoop extplug file hooks ladspa lfloat linear meter mulaw multi null rate route share shm" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de" USERLAND="GNU" VIDEO_CARDS="mach64 fbdev mga"
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-23 12:05:43 UTC
ppc stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2008-03-23 18:17:19 UTC
sparc stable, thanks Friedrich
Comment 10 Markus Meier gentoo-dev 2008-03-23 21:03:58 UTC
amd64 stable
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2008-03-24 17:57:40 UTC
alpha stable.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-03-24 19:43:44 UTC
GLSA request filed. Please note that we will not send it right away, because of the unfixed new xine issues.
Comment 13 Hanno Böck gentoo-dev 2008-03-25 11:41:26 UTC
vlc seems to have another issue: CVE-2008-1489
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-03-25 18:55:18 UTC
(In reply to comment #13)
> vlc seems to have another issue: CVE-2008-1489

We're handling that one and other issues in bug 214627, which is currently restricted.
Comment 15 Peter Volkov (RETIRED) gentoo-dev 2008-03-26 10:14:22 UTC
Fixed in release snapshot.
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2008-04-18 00:22:12 UTC
CVE-2008-1881 has been assigned to the incorrect fix for CVE-2007-6681.
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2008-04-23 16:21:18 UTC
GLSA 200804-25