Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 285370 (CVE-2011-3623) - <media-video/vlc-1.0.2: Multiple stack-based buffer overflows in ASF, AVI, MP4 demuxers (CVE-2011-3623)
Summary: <media-video/vlc-1.0.2: Multiple stack-based buffer overflows in ASF, AVI, MP...
Status: RESOLVED FIXED
Alias: CVE-2011-3623
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/36762/
Whiteboard: B2 [glsa]
Keywords:
: 282089 284780 (view as bug list)
Depends on: 276278 284776 287423
Blocks: CVE-2009-2462 284781
  Show dependency tree
 
Reported: 2009-09-17 23:15 UTC by Alex Legler (RETIRED)
Modified: 2014-11-05 22:07 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-09-17 23:15:33 UTC
From Secunia:
Some vulnerabilities have been reported in VLC Media Player, which can be exploited by malicious people to potentially compromise a user's system.

1) A boundary error exists within the "ASF_ObjectDumpDebug()" function in modules/demux/asf/libasf.c. This can be exploited to cause a stack-based buffer overflow via a specially crafted ASF file.
  Fixed in http://git.videolan.org/?p=vlc.git;a=commit;h=dfe7084e8cc64e9b7a87cd37065b59cba2064823

2) A boundary error exists within the "AVI_ChunkDumpDebug_level()" function in modules/demux/avi/libavi.c. This can be exploited to cause a stack-based buffer overflow via a specially crafted AVI file.
  Fixed in http://git.videolan.org/?p=vlc.git;a=commit;h=861e374d03e6c60c7d3c98428c632fe3b9e371b2

3) A boundary error exists within the "__MP4_BoxDumpStructure()" function in modules/demux/mp4/libmp4.c. This can be exploited to cause a stack-based buffer overflow via a specially crafted MP4 file.
  Fixed in http://git.videolan.org/?p=vlc.git;a=commit;h=c5b02d011b8c634d041167f4d2936b55eca4d18d

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

Vulnerability #2 is confirmed in version 1.0.1. Other versions may also be affected.
Comment 1 Alexis Ballier gentoo-dev 2009-09-18 09:16:26 UTC
all three will be fixed in 1.0.2 and these affect <1.0.2
Comment 2 Alexis Ballier gentoo-dev 2009-09-20 09:59:49 UTC
1.0.2 is in the tree, and you have:
http://www.videolan.org/security/sa0901.html
Comment 3 Alexis Ballier gentoo-dev 2009-09-20 10:10:07 UTC
*** Bug 284780 has been marked as a duplicate of this bug. ***
Comment 4 Alexis Ballier gentoo-dev 2009-09-20 10:12:20 UTC
go with 1.0.2 stable; arm still needs to rekeyword. now you latest ~arch is vulnerable to this.
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2009-09-22 02:00:27 UTC
x86 stable
Comment 6 Alexis Ballier gentoo-dev 2009-09-22 03:42:59 UTC
  20 Sep 2009; Markus Meier <maekke@gentoo.org> vlc-1.0.2.ebuild:
  add ~arm, bug #276278
Comment 7 Markus Meier gentoo-dev 2009-09-22 07:51:10 UTC
amd64 stable
Comment 8 Tobias Klausmann gentoo-dev 2009-09-28 21:23:03 UTC
This triggers a whole slew of necessary updates:

'>=media-sound/pulseaudio-0.9.11', '>=media-libs/libdvbpsi-0.1.6', '>=media-libs/schroedinger-1.0.6', 'media-libs/libtiger'

You sure about those? 
Comment 9 Samuli Suominen (RETIRED) gentoo-dev 2009-09-28 22:09:52 UTC
(In reply to comment #8)
> This triggers a whole slew of necessary updates:
> 
> '>=media-sound/pulseaudio-0.9.11', '>=media-libs/libdvbpsi-0.1.6',
> '>=media-libs/schroedinger-1.0.6', 'media-libs/libtiger'
> 
> You sure about those? 
> 

Yes,

pulseaudio -> http://bugs.gentoo.org/284776 (alpha is CC'd)
for others, follow the lead of amd64/x86 wrt keywords
Comment 10 Tobias Klausmann gentoo-dev 2009-09-29 17:31:02 UTC
Stable on alpha.
Comment 11 Mounir Lamouri (volkmar) (RETIRED) gentoo-dev 2009-10-02 21:16:10 UTC
kate module compilation failed on ppc, bug 287423
Comment 12 Mounir Lamouri (volkmar) (RETIRED) gentoo-dev 2009-10-02 22:45:45 UTC
I've been caught by bug 282390.
Now, I need another ppc team member to confirm it's ppc-related... or stabilize vlc.
Every dependencies are stable.
Comment 13 Mounir Lamouri (volkmar) (RETIRED) gentoo-dev 2009-10-03 15:25:07 UTC
Unfortunately, this bug has been confirmed by another ppc dev.
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2009-10-18 19:06:34 UTC
sparc stable
Comment 15 Nirbheek Chauhan (RETIRED) gentoo-dev 2009-10-19 01:41:29 UTC
*** Bug 282089 has been marked as a duplicate of this bug. ***
Comment 16 Mounir Lamouri (volkmar) (RETIRED) gentoo-dev 2009-11-11 20:01:18 UTC
Actually, the ffmpeg bug isn't related to vlc in any way (vlc-1.0.2 doesn't need a newer ffmpeg) so vlc-1.0.2 is now stable for ppc.

This was the last arch so, security team, you can fix the bug.
Comment 17 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 01:41:00 UTC
GLSA request was added to pending vlc GLSA by a3li.
Comment 18 Gef 2010-05-08 14:27:35 UTC
<media-video/vlc-1.0.2 is no longer in tree.
Comment 19 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-10 19:12:29 UTC
Can one of our new scouts check if there is a CVE for this and request one if
there is none?
Comment 20 Michael Harrison 2011-10-10 20:42:33 UTC
CVE requested
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2014-11-05 22:07:36 UTC
This issue was resolved and addressed in
 GLSA 201411-01 at http://security.gentoo.org/glsa/glsa-201411-01.xml
by GLSA coordinator Sean Amoss (ackle).