Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 214627 - media-video/vlc <0.8.6f Multiple Vulnerabilities (CVE-2008-{1489,1768,1769})
Summary: media-video/vlc <0.8.6f Multiple Vulnerabilities (CVE-2008-{1489,1768,1769})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-03-25 01:22 UTC by Robert Buchholz (RETIRED)
Modified: 2008-04-23 16:21 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-25 01:22:27 UTC
Drew Yao and Nico Golde reported (public):
Name: CVE-2008-1489

  Integer overflow in the MP4_ReadBox_rdrf function in libmp4.c for VLC
  0.8.6e allows remote attackers to cause a denial of service (crash)
  and possibly execute arbitrary code via a crafted MP4 RDRF box that
  triggers a heap-based buffer overflow, a different vulnerability than
  CVE-2008-0984.

Fix:
http://trac.videolan.org/vlc/changeset/09572892df7e72c0d4e598c0b5e076cf330d8b0a

Drew Yao also reported these, which are SEMI-PUBLIC:
* Integer overflow in MP4 demuxer MP4_ReadBox_padb
http://trac.videolan.org/vlc/changeset/3a6282755277ba9321d405c635e50da935d258a6
http://trac.videolan.org/vlc/changeset/edca13e259472872fdfd456cf3ef4a21d1262c11

* Integer overflow in Real demuxer ReadCodecSpecificData()
http://trac.videolan.org/vlc/changeset/783ab03c7bd8ddedcd3dc5bad18efc70a4c57aaa

* Integer overflow in Cinepak codec
http://trac.videolan.org/vlc/changeset/18eb4fd5a75b6429d1d7058a8967696be701a00b
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-25 01:24:55 UTC
I'm opening this bug restricted. Since the patches are public, i'm rating it SEMI-PUBLIC. I enquired with Drew Yao about the publicity status.

IMHO we can wait until the xine issues from bug 214270 are fixed, and stable a big bump. Alexis, what do you think?
Comment 2 Alexis Ballier gentoo-dev 2008-03-25 07:51:32 UTC
(In reply to comment #1)
> I'm opening this bug restricted. Since the patches are public, i'm rating it
> SEMI-PUBLIC. I enquired with Drew Yao about the publicity status.

hmm damn; I had completely forgot about the mp4's ones for -r1. The other ones have been pushed only very recently.

> IMHO we can wait until the xine issues from bug 214270 are fixed, and stable a
> big bump. Alexis, what do you think?

What I would prefer is waiting for 0.8.6f to be sure we do not forget anything, but as we have the patches, just ping me when you think its time.
Comment 3 Alexis Ballier gentoo-dev 2008-03-26 08:01:23 UTC
(In reply to comment #0)

> * Integer overflow in Cinepak codec
> http://trac.videolan.org/vlc/changeset/18eb4fd5a75b6429d1d7058a8967696be701a00b


if we choose to patch we mustn't forget:

cinepak: do not access arrays beyond allocated size  0.8.6-bugfix
http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=cf489d7bff3c1b36b2d5501ecf21129c78104d98
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-03-26 20:56:16 UTC
I heard the release should come out within a week, so we could wait.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-03-29 09:49:17 UTC
Public, as agreed by both Drew and VLC upstream.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-04-04 02:03:08 UTC
0.8.6f is out, I wonder how many of these changes were actually merged (judging from the changelog, not all) and what the xine bug 214270 status is.
Comment 7 Alexis Ballier gentoo-dev 2008-04-06 13:21:51 UTC
(In reply to comment #6)
> 0.8.6f is out, I wonder how many of these changes were actually merged 

bumped; all the fixes should be there:

Changes between 0.8.6e and 0.8.6f:
----------------------------------

Security updates:
 * Really fixed subtitle buffer overflow (CVE-2007-6681)
 * Fixed Real RTSP code execution problem (CVE-2008-0073)
 * Fixed MP4 integer overflows (CVE-2008-1489)
 * Fixed cinepak integer overflow

Various bugfixes:
 * The Mozilla plugin registers a usable range of MIME-types on Mac OS X
 * Improved VLC's video output behavior on multi-screen setups running Mac OS X
 * Fixed crashes in H264 packetizer
 * Close MMS access on network timeout
 * Fix some problems with AAC decoder & packetizer
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-04-06 17:12:36 UTC
Arches, please test and mark stable:
=media-video/vlc-0.8.6f
Target keywords : "alpha amd64 ppc release sparc x86"
Comment 9 Tobias Klausmann gentoo-dev 2008-04-06 20:47:43 UTC
Stable on alpha.
Comment 10 Markus Meier gentoo-dev 2008-04-07 20:52:12 UTC
amd64/x86 stable
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2008-04-08 16:52:35 UTC
sparc stable
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2008-04-10 18:24:30 UTC
ppc stable
Comment 13 Peter Volkov (RETIRED) gentoo-dev 2008-04-10 20:41:44 UTC
Fixed in release snapshot.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-04-18 00:24:00 UTC
CVE-2008-1768 covers the last four links of the initial posting (all integer overflows except for CVE-2008-1489).

CVE-2008-1769 covers the issue from comment 3.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-04-23 16:21:29 UTC
GLSA 200804-25