From upstream advisory: https://www.videolan.org/security/sa1201.html https://www.videolan.org/security/sa1202.html Heap overflows in VLC Real RTSP support and Stack overflow in VLC MMS support fixed in 2.0.1
CVE-2012-1776 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1776): Multiple heap-based buffer overflows in VideoLAN VLC media player before 2.0.1 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Real RTSP stream. CVE-2012-1775 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1775): Stack-based buffer overflow in VideoLAN VLC media player before 2.0.1 allows remote attackers to execute arbitrary code via a crafted MMS:// stream.
2.0.1 in tree, its a bit early for stabilising it so i'd like to ask arch teams to be particulary cautious with their tests
(In reply to comment #2) > 2.0.1 in tree, its a bit early for stabilising it so i'd like to ask arch > teams to be particulary cautious with their tests Ok, I'd say to wait few days if any user will report anything
(In reply to comment #3) > (In reply to comment #2) > > 2.0.1 in tree, its a bit early for stabilising it so i'd like to ask arch > > teams to be particulary cautious with their tests > > Ok, I'd say to wait few days if any user will report anything note I was including the whole 2.0.x serie in this statement :)
Alexis, that version uses unstable zlib that is not ready to go to stable. There is a way to force to use our stable zlib?
(In reply to comment #5) > Alexis, that version uses unstable zlib that is not ready to go to stable. > > There is a way to force to use our stable zlib? changed 2.0.1 to allow stable zlib too: 20 Mar 2012; Alexis Ballier <aballier@gentoo.org> vlc-2.0.1.ebuild: allow stable zlib too, vlc will build its bundled minizip version with it though, bug #408881
bug #409001 isnt a blocker with the current stable ffmpeg, or even stable candidate afaik
(In reply to comment #7) > bug #409001 isnt a blocker with the current stable ffmpeg, or even stable > candidate afaik i take that back, it seems due to ffmpeg git compatibility code added in 2.0.1 which breaks compatibility with older versions...
is it ready to go stable now?
OK'ed by aballier on IRC. Arches, please go ahead and mark stable =media-video/vlc-2.0.1
* QA Notice: Automake "maintainer mode" detected: * * cd ../../.. && /bin/sh /var/tmp/portage/media-video/vlc-2.0.1/work/vlc-2.0.1/autotools/missing --run automake-1.11 --gnu modules/gui/qt4/Makefile * * If you patch Makefile.am, configure.in, or configure.ac then you * should use autotools.eclass and eautomake or eautoreconf. Exceptions * are limited to system packages for which it is impossible to run * autotools during stage building. See * http://www.gentoo.org/proj/en/qa/autofailure.xml for more information. * QA Notice: command not found: * * /bin/sh: line 1: git: command not found * /bin/sh: line 1: git: command not found * /bin/sh: line 1: git: command not found for everything else amd64 is ok
amd64 stable, thanks Maurizio.
x86 stable, thanks.
ppc stable
alpha stable, marked -sparc on sparc as it sigbuses, you can remove the old 1.1.3 version when all is done
1) I stabled ppc64 2) I removed vulnerable version: vlc-1.1.13 Note to maintainer: media-video/vlc/metadata.xml: unused local USE-description: 'id3tag' media-video/vlc/metadata.xml: unused local USE-description: 'stream' media-video/vlc/metadata.xml: unused local USE-description: 'remoteosd' media-video/vlc/metadata.xml: unused local USE-description: 'libv4l2' media-video/vlc/metadata.xml: unused local USE-description: 'libv4l' 3) Its keyworded for ~arm. Is there any reason we should not stabilize it for arm? I can do that.
(In reply to comment #16) > 1) I stabled ppc64 > > 2) I removed vulnerable version: vlc-1.1.13 > > Note to maintainer: > > media-video/vlc/metadata.xml: unused local USE-description: 'id3tag' > media-video/vlc/metadata.xml: unused local USE-description: 'stream' > media-video/vlc/metadata.xml: unused local USE-description: 'remoteosd' > media-video/vlc/metadata.xml: unused local USE-description: 'libv4l2' > media-video/vlc/metadata.xml: unused local USE-description: 'libv4l' meaning you removed the old version poorly, please fix... > > 3) Its keyworded for ~arm. Is there any reason we should not stabilize it > for arm? I can do that. that's up to arm team (you?)
Thanks, everyone. Adding to existing GLSA request.
This issue was resolved and addressed in GLSA 201411-01 at http://security.gentoo.org/glsa/glsa-201411-01.xml by GLSA coordinator Sean Amoss (ackle).