Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 230692 (CVE-2008-2430) - media-video/vlc < 0.8.6i Integer overflow in WAV demuxer (CVE-2008-2430)
Summary: media-video/vlc < 0.8.6i Integer overflow in WAV demuxer (CVE-2008-2430)
Alias: CVE-2008-2430
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Depends on:
Reported: 2008-07-03 23:59 UTC by Robert Buchholz (RETIRED)
Modified: 2008-07-31 18:25 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-07-03 23:59:59 UTC
Secunia writes:
Secunia Research has discovered a vulnerability in VLC Media Player, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an integer overflow error within the "Open()" function in "modules/demux/wav.c". This can be exploited to cause a heap-based buffer overflow via a specially crafted WAV file having an overly large "fmt" chunk.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is confirmed in version 0.8.6h on Windows. Prior versions may also be affected.

The vulnerability will be fixed in an upcoming version 0.8.6i.

Fixed in the GIT repository.;a=commitdiff_plain;h=3de60bf5b886ad81d7c05d68dff7a1ba461c0ac1
Comment 1 Alexis Ballier gentoo-dev 2008-07-04 07:04:49 UTC
FYI: 0.9.0-test1 (_beta1 for us) isn't affected, but it is not really possible to stabilise it yet. Imho we should wait for 0.8.6i that should come with a couple of other bugfixes too.
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2008-07-04 09:50:22 UTC
As I understood it, this is a Windows-only problem. I already saw the advisory some days ago (well, maybe it was only yesteday) and didnt file a bug for this reason.

See -- it says
  Underlying OS:  Windows (Any)

Secunia ($URL) says:
  The vulnerability is confirmed in version 0.8.6h *on Windows*.

No idea whether this really means that only Windows is affected, the wording is a bit ambiguous, imo.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-07-04 17:49:06 UTC
The Secunia advisory stated that it is confirmed with version 0.8.6h on Windows, but that does not mean that only Windows versions are affected (neither does it mean that 0.8.6g is unaffected). The code path that is changed by the patch is not specific to Windows, so I would assume this issue affects Linux.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-07-09 20:45:31 UTC
Any news on the new version?
Comment 5 Alexis Ballier gentoo-dev 2008-07-13 11:00:58 UTC
0.8.6i is in the tree now.

Videolan SA:

Release notes:

Changes from current stable aslo contains:
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-07-13 11:11:53 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 ppc sparc x86"
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2008-07-14 10:48:53 UTC
sparc/x86 stable
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2008-07-14 18:50:59 UTC
Stable on alpha.
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2008-07-15 17:46:32 UTC
ppc stable
Comment 10 Dawid Węgliński (RETIRED) gentoo-dev 2008-07-19 07:08:45 UTC
amd64 stable
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2008-07-20 19:00:18 UTC
GLSA request filed.
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-31 18:25:26 UTC
GLSA 200807-13