Bug 242740 (CVE-2008-4654) - media-video/vlc < 0.9.5: TiVo demuxer buffer overflow (CVE-2008-4654,CVE-2008-4686)
Status: RESOLVED FIXED
Alias: CVE-2008-4654
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High trivial
Assignee: Gentoo Security
URL: http://mailman.videolan.org/pipermail...
Whiteboard: ~2 [noglsa]
Reported: 2008-10-19 10:17 UTC by Christian Hoffmann (RETIRED)
Modified: 2008-11-09 16:50 UTC
Description Christian Hoffmann (RETIRED) gentoo-dev 2008-10-19 10:17:04 UTC
Upstream wants 0.9.x stable (see $URL and [1] ) as they consider 0.8.x unsupported even from a security point of view.

Also, there is a fix for an overflow issue [2] which is not in any released version.

According to aballier, we're going to wait at least for 0.9.5. media-video, please approve, once 0.9.5 is released, in the tree and you consider it ready to be marked stable.

Using this bug just for tracking 0.9.x stabilization atm.

[1] http://mailman.videolan.org/pipermail/vlc/2008-October/016125.html
[2] http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=fde9e1cc1fe1ec9635169fa071e42b3aa6436033
Comment 1 Alexis Ballier gentoo-dev 2008-10-19 13:12:45 UTC
http://www.videolan.org/security/sa0809.html

maybe better than "unknown security issues" :)
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-10-19 20:25:00 UTC
Code paths in ty.c are different in VLC 0.8.6i, so it does not seem affected.
Comment 3 Christian Hoffmann (RETIRED) gentoo-dev 2008-10-21 08:35:57 UTC
http://secunia.com/advisories/32339/
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2008-10-23 08:38:34 UTC
This can also be handled here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4686
Comment 5 Alexis Ballier gentoo-dev 2008-10-25 00:15:13 UTC
vlc 0.9.5 is in the tree; I had to drop alpha, ppc and ppc64 keywords due to the new dep: libv4l. I dunno if you want to handle rekeywording here.

(In reply to comment #0)
> [1] http://mailman.videolan.org/pipermail/vlc/2008-October/016125.html

The tivo bug doesn't affect current stable it seems, and since this is open source I tend to consider "unknown security issues" as FUD.
However, Rémi is probably right there: there have been lots of bugfixes in 0.9 since 0.8.6, and if analysed correctly may probably lead to exploitable code. I don't have the courage to dig into two years of changes. As such, I'd like to have 0.9.5 stable asap, be it done for/by security or not. Maybe we could have a compromise: wait a couple of weeks just in case and then move it to stable? 0.9.x are just bugfix releases of 0.9.0.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-10-25 13:01:46 UTC
All the issues we are currently aware of only affect ~arch ebuilds (>0.9.0 <0.9.5) of VLC. Given the warning by upstream and you (Alexis), I agree we should push 0.9.5 to our stable users sooner than later.

Let's get the ~arch keywords back now, and target a stabling on this bug in one week, Oct. 31.

== Arches: alpha, ppc, ppc64 ==
Please readd your ~arch keywords to
=media-video/vlc-0.9.5
Comment 7 Brent Baude (RETIRED) gentoo-dev 2008-10-28 01:16:52 UTC
~ppc64 done
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2008-10-30 20:40:47 UTC
Added ~ppc
Comment 9 Alexis Ballier gentoo-dev 2008-11-02 21:50:22 UTC
(In reply to comment #6)
> Let's get the ~arch keywords back now, and target a stabling on this bug in one
> week, Oct. 31.

So it seems we'll need this for stabling a new ffmpeg...
Comment 10 Christian Hoffmann (RETIRED) gentoo-dev 2008-11-06 12:20:27 UTC
Stable date is due, stabling will be handled on bug 245774 after all issues are ironed out.
Moving the blocker against bug 245285 to bug 245774...
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-11-09 13:02:23 UTC
alpha's ~arch on >=0.9.5 is still needed for this bug to be FIXED
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2008-11-09 16:50:35 UTC
  09 Nov 2008; Tobias Klausmann <klausman@gentoo.org> vlc-0.9.6.ebuild:
  Stable on alpha, bug #245774