Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 620176 (CVE-2017-10699, CVE-2017-9300, CVE-2017-9301) - <media-video/vlc-2.2.8-r1: Multiple Vulnerabilities (CVE-2017-{9300,9301,10699})
Summary: <media-video/vlc-2.2.8-r1: Multiple Vulnerabilities (CVE-2017-{9300,9301,10699})
Status: RESOLVED FIXED
Alias: CVE-2017-10699, CVE-2017-9300, CVE-2017-9301
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://code610.blogspot.de/2017/04/m...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: qt4-removal 640398 642508
  Show dependency tree
 
Reported: 2017-05-30 02:02 UTC by Michael Boyle
Modified: 2019-11-03 11:43 UTC (History)
4 users (show)

See Also:
Package list:
media-video/vlc-2.2.8-r1 media-libs/speex-1.2.0-r1 media-libs/speexdsp-1.2_rc3-r2
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Boyle 2017-05-30 02:02:32 UTC
plugins\codec\libflac_plugin.dll in VideoLAN VLC media player 2.2.4 allows remote attackers to cause a denial of service (heap corruption and application crash) or possibly have unspecified other impact via a crafted FLAC file. 

plugins\audio_filter\libmpgatofixed32_plugin.dll in VideoLAN VLC media player 2.2.4 allows remote attackers to cause a denial of service (invalid read and application crash) or possibly have unspecified other impact via a crafted file.
Comment 1 Thomas Deutschmann gentoo-dev Security 2017-06-10 13:47:07 UTC
It is currently unknown if these vulnerabilities are addressed in 2.2.6.
Comment 2 Michael Palimaka (kensington) gentoo-dev 2017-06-11 09:08:04 UTC
Is upstream aware of this? I did a quick search and couldn't find any bugs about it.
Comment 3 Thomas Deutschmann gentoo-dev Security 2017-06-11 10:19:47 UTC
It was found on Windows, not sure if they have contacted upstream. Original reference is https://code610.blogspot.de/2017/04/multiple-crashes-in-vlc-224.html
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2017-06-11 10:48:55 UTC
CVE-2017-9300 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9300):
  plugins\codec\libflac_plugin.dll in VideoLAN VLC media player 2.2.4 allows
  remote attackers to cause a denial of service (heap corruption and
  application crash) or possibly have unspecified other impact via a crafted
  FLAC file.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-06-11 10:50:17 UTC
CVE-2017-9301 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9301):
  plugins\audio_filter\libmpgatofixed32_plugin.dll in VideoLAN VLC media
  player 2.2.4 allows remote attackers to cause a denial of service (invalid
  read and application crash) or possibly have unspecified other impact via a
  crafted file.
Comment 6 Andreas Sturmlechner gentoo-dev 2017-08-29 20:59:54 UTC
2.2.4 was dropped in a0f1a0f598cd1506f2396f5b8ddfd466557e5303
Comment 7 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-30 00:48:25 UTC
From VLC's git log: (Sample #1)

>commit 83b646f1e8fb89f99064d9aaef3754ccc77bbeac
>Author: Francois Cartegnie <fcvlcdev@free.fr>
>Date:   Wed May 31 13:02:29 2017 +0200
>
>    codec: flac: fix heap write overflow on frame format change

which is one day after the public report from URL.

And changes between 2.2.4 and 2.2.5 in the NEWS file from vlc sources:(Sample #2)

>Windows:
> * The plugins loading will not load external DLLs by default.

I'd say that version 2.2.4 was the last affected by these bugs.

Gentoo Security Padawan
ChrisADR
Comment 8 Thomas Deutschmann gentoo-dev Security 2017-12-19 16:37:21 UTC
Changes between 2.2.7 and 2.2.8:
--------------------------------

Demuxers:
 * Fix AVI invalid pointer dereferences

Translations updates


Changes between 2.2.6 and 2.2.7:
--------------------------------

Decoders:
 * Fix flac heap write overflow on format change
 * Fix crash in libavcodec module (heap write out-of band) (CVE-2017-10699)
 * Fix infinite loop in sami subtitle
 * Fix AAC 7.1 channels detection

Demuxers:
 * Fix potential crash in ASX parser
 * Fix AVI read/write overflow

Mac OS X:
 * Fix compatibility with macOS High Sierra
 * Fix regression in ASS subtitle decoding
 * Fix crash during automatic update. Some users might need to manually
   update to the newest version.

Video Output:
 * Fix Direct3D9 output with odd offsets

Misc:
 * Fix crash in MTP
 * Support libupnp 1.8

Translations updates
Comment 9 Andreas Sturmlechner gentoo-dev 2017-12-30 01:51:40 UTC
Bumping stabilisation to media-video/vlc-2.2.8-r1 for remaining arches.
Comment 10 Andreas Sturmlechner gentoo-dev 2018-01-08 00:34:11 UTC
arm has no revdeps, but ppc/ppc64 do have some via media-libs/phonon{,-vlc}...
Comment 11 Andreas Sturmlechner gentoo-dev 2018-02-11 17:16:48 UTC
ping remaining arches.......
Comment 12 Sergei Trofimovich gentoo-dev 2018-02-27 22:26:28 UTC
ppc/ppc64 stable
Comment 13 Larry the Git Cow gentoo-dev 2018-02-27 22:51:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01971664316881492a2982086b564112dc282ab2

commit 01971664316881492a2982086b564112dc282ab2
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-01-14 10:27:49 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-02-27 22:50:41 +0000

    media-video/vlc: Cleanup vulnerable 2.2.6
    
    arm security stabilisation timeout.
    
    Bug: https://bugs.gentoo.org/620176
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 media-video/vlc/Manifest                           |   1 -
 ...2.1.0-TomWij-bisected-PA-broken-underflow.patch |  23 -
 .../vlc/files/vlc-2.2.4-decoder-lock-scope.patch   |  47 --
 .../vlc/files/vlc-9999-libva-1.2.1-compat.patch    |  12 -
 media-video/vlc/vlc-2.2.6.ebuild                   | 511 ---------------------
 5 files changed, 594 deletions(-)}
Comment 14 Andreas Sturmlechner gentoo-dev 2018-02-27 22:59:42 UTC
Cleanup done. Security please proceed.
Comment 15 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-03-05 23:42:28 UTC
Downgrading to B3 since all CVEs specify DoS and no PoC from RCE.

GLSA Vote: No.