Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 408881 (CVE-2012-1775) - <media-video/vlc-2.0.1 : Multiple vulnerabilities (CVE-2012-{1775,1776})
Summary: <media-video/vlc-2.0.1 : Multiple vulnerabilities (CVE-2012-{1775,1776})
Status: RESOLVED FIXED
Alias: CVE-2012-1775
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa]
Keywords:
Depends on: 408983 409001 CVE-2012-2396
Blocks: qt4eclass
  Show dependency tree
 
Reported: 2012-03-19 16:16 UTC by Agostino Sarubbo
Modified: 2014-11-05 22:09 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-03-19 16:16:49 UTC
From upstream advisory:
https://www.videolan.org/security/sa1201.html
https://www.videolan.org/security/sa1202.html

Heap overflows in VLC Real RTSP support and Stack overflow in VLC MMS support fixed in 2.0.1
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-03-19 20:02:46 UTC
CVE-2012-1776 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1776):
  Multiple heap-based buffer overflows in VideoLAN VLC media player before
  2.0.1 allow remote attackers to cause a denial of service (application
  crash) or possibly execute arbitrary code via a crafted Real RTSP stream.

CVE-2012-1775 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1775):
  Stack-based buffer overflow in VideoLAN VLC media player before 2.0.1 allows
  remote attackers to execute arbitrary code via a crafted MMS:// stream.
Comment 2 Alexis Ballier gentoo-dev 2012-03-20 09:21:44 UTC
2.0.1 in tree, its a bit early for stabilising it so i'd like to ask arch teams to be particulary cautious with their tests
Comment 3 Agostino Sarubbo gentoo-dev 2012-03-20 09:24:13 UTC
(In reply to comment #2)
> 2.0.1 in tree, its a bit early for stabilising it so i'd like to ask arch
> teams to be particulary cautious with their tests

Ok, I'd say to wait few days if any user will report anything
Comment 4 Alexis Ballier gentoo-dev 2012-03-20 09:32:54 UTC
(In reply to comment #3)
> (In reply to comment #2)
> > 2.0.1 in tree, its a bit early for stabilising it so i'd like to ask arch
> > teams to be particulary cautious with their tests
> 
> Ok, I'd say to wait few days if any user will report anything

note I was including the whole 2.0.x serie in this statement :)
Comment 5 Agostino Sarubbo gentoo-dev 2012-03-20 10:32:18 UTC
Alexis, that version uses unstable zlib that is not ready to go to stable.

There is a way to force to use our stable zlib?
Comment 6 Alexis Ballier gentoo-dev 2012-03-20 10:43:28 UTC
(In reply to comment #5)
> Alexis, that version uses unstable zlib that is not ready to go to stable.
> 
> There is a way to force to use our stable zlib?

changed 2.0.1 to allow stable zlib too:

  20 Mar 2012; Alexis Ballier <aballier@gentoo.org> vlc-2.0.1.ebuild:
  allow stable zlib too, vlc will build its bundled minizip version with it
  though, bug #408881
Comment 7 Alexis Ballier gentoo-dev 2012-03-20 17:33:27 UTC
bug #409001 isnt a blocker with the current stable ffmpeg, or even stable candidate afaik
Comment 8 Alexis Ballier gentoo-dev 2012-03-21 12:45:53 UTC
(In reply to comment #7)
> bug #409001 isnt a blocker with the current stable ffmpeg, or even stable
> candidate afaik

i take that back, it seems due to ffmpeg git compatibility code added in 2.0.1 which breaks compatibility with older versions...
Comment 9 Davide Pesavento gentoo-dev 2012-05-02 16:59:31 UTC
is it ready to go stable now?
Comment 10 Ben de Groot (RETIRED) gentoo-dev 2012-06-12 04:23:39 UTC
OK'ed by aballier on IRC.

Arches, please go ahead and mark stable =media-video/vlc-2.0.1
Comment 11 Maurizio Camisaschi (amd64 AT) 2012-06-12 11:26:35 UTC
 * QA Notice: Automake "maintainer mode" detected:
 * 
 *       cd ../../.. && /bin/sh /var/tmp/portage/media-video/vlc-2.0.1/work/vlc-2.0.1/autotools/missing --run automake-1.11 --gnu modules/gui/qt4/Makefile
 * 
 * If you patch Makefile.am, configure.in,  or configure.ac then you
 * should use autotools.eclass and eautomake or eautoreconf. Exceptions
 * are limited to system packages for which it is impossible to run
 * autotools during stage building. See
 * http://www.gentoo.org/proj/en/qa/autofailure.xml for more information.
 * QA Notice: command not found:
 * 
 *      /bin/sh: line 1: git: command not found
 *      /bin/sh: line 1: git: command not found
 *      /bin/sh: line 1: git: command not found

for everything else amd64 is ok
Comment 12 Agostino Sarubbo gentoo-dev 2012-06-13 08:03:31 UTC
amd64 stable, thanks Maurizio.
Comment 13 Andreas Schürch gentoo-dev 2012-06-13 11:52:31 UTC
x86 stable, thanks.
Comment 14 Michael Weber (RETIRED) gentoo-dev 2012-06-14 21:35:13 UTC
ppc stable
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2012-09-11 15:35:12 UTC
alpha stable, marked -sparc on sparc as it sigbuses, you can remove the old 1.1.3 version when all is done
Comment 16 Anthony Basile gentoo-dev 2012-09-13 11:32:03 UTC
1) I stabled ppc64

2) I removed vulnerable version: vlc-1.1.13

Note to maintainer:

   media-video/vlc/metadata.xml: unused local USE-description: 'id3tag'
   media-video/vlc/metadata.xml: unused local USE-description: 'stream'
   media-video/vlc/metadata.xml: unused local USE-description: 'remoteosd'
   media-video/vlc/metadata.xml: unused local USE-description: 'libv4l2'
   media-video/vlc/metadata.xml: unused local USE-description: 'libv4l'


3) Its keyworded for ~arm.  Is there any reason we should not stabilize it for arm?  I can do that.
Comment 17 Alexis Ballier gentoo-dev 2012-09-13 14:12:14 UTC
(In reply to comment #16)
> 1) I stabled ppc64
> 
> 2) I removed vulnerable version: vlc-1.1.13
> 
> Note to maintainer:
> 
>    media-video/vlc/metadata.xml: unused local USE-description: 'id3tag'
>    media-video/vlc/metadata.xml: unused local USE-description: 'stream'
>    media-video/vlc/metadata.xml: unused local USE-description: 'remoteosd'
>    media-video/vlc/metadata.xml: unused local USE-description: 'libv4l2'
>    media-video/vlc/metadata.xml: unused local USE-description: 'libv4l'

meaning you removed the old version poorly, please fix...

> 
> 3) Its keyworded for ~arm.  Is there any reason we should not stabilize it
> for arm?  I can do that.

that's up to arm team (you?)
Comment 18 Sean Amoss gentoo-dev Security 2012-09-13 15:30:41 UTC
Thanks, everyone.

Adding to existing GLSA request.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2014-11-05 22:09:24 UTC
This issue was resolved and addressed in
 GLSA 201411-01 at http://security.gentoo.org/glsa/glsa-201411-01.xml
by GLSA coordinator Sean Amoss (ackle).