Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 689974 (CVE-2019-13602, CVE-2019-13962, CVE-2019-14437, CVE-2019-14438, CVE-2019-14498, CVE-2019-14533, CVE-2019-14534, CVE-2019-14535, CVE-2019-14776, CVE-2019-14777, CVE-2019-14778, CVE-2019-14970) - <media-video/vlc-3.0.8: multiple vulnerabilities
Summary: <media-video/vlc-3.0.8: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2019-13602, CVE-2019-13962, CVE-2019-14437, CVE-2019-14438, CVE-2019-14498, CVE-2019-14533, CVE-2019-14534, CVE-2019-14535, CVE-2019-14776, CVE-2019-14777, CVE-2019-14778, CVE-2019-14970
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://cve.mitre.org/cgi-bin/cvename...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-07-16 14:19 UTC by Ulenrich
Modified: 2019-09-06 16:16 UTC (History)
2 users (show)

See Also:
Package list:
media-video/vlc-3.0.8
Runtime testing required: ---
stable-bot: sanity-check+


Attachments
mp4underflow.patch (vlc-3.0.7.1-mp4underflow.patch,1.19 KB, patch)
2019-07-17 14:01 UTC, Ulenrich
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Ulenrich 2019-07-16 14:19:20 UTC
media-video/vlc-3.0.7.1 
maybe hit by security integer overflow bug of
CVE-2019-13602
Comment 1 Ulenrich 2019-07-16 14:20:26 UTC
see cve.mitre.org URL above
Comment 2 Ulenrich 2019-07-16 14:25:31 UTC
> Integer Underflow 
not is integer overflow ... never heard of underflow security issues though
Comment 3 Ulenrich 2019-07-17 14:01:00 UTC
Created attachment 583168 [details, diff]
mp4underflow.patch

The mp4underflow.patch out of two snippets from the references section
work, meaning it patches the file and builds successfully
I am not 100% sure if both snippets are needed ...
Comment 4 Ulenrich 2019-07-20 18:25:26 UTC
Another alert at
https://nvd.nist.gov/vuln/detail/CVE-2019-13615
Comment 5 Lars Wendler (Polynomial-C) gentoo-dev 2019-07-25 10:05:38 UTC
CVE-2019-13615 is an issue in <dev-libs/libebml-1.3.6 and not media-video/vlc. Please see the following tweet from VideoLAN:

https://twitter.com/videolan/status/1153963312981389312


So we do not even ship the vulnerable versions anymore and thus CVE-2019-13615 does not affect us.
Comment 6 Ulenrich 2019-07-25 13:10:38 UTC
Debian has used the same patch to fix CVE-2019-13602 
here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932131
Comment 7 Ulenrich 2019-08-02 18:08:53 UTC
@Aaron
please give a hint, what this bug makes invalid?
Comment 8 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-02 22:08:09 UTC
(In reply to Ulenrich from comment #7)
> @Aaron
> please give a hint, what this bug makes invalid?

Please see Lars comments above as well.  The issue was falsely reported against VLC and actually resides in libebml which was fixed already.
Comment 9 Ulenrich 2019-08-02 22:24:13 UTC
CVE-2019-13615  Lars told me is invalid - and I rewrote the summary
CVE-2019-13602  was patched by videolan.org and Debian took it
Comment 10 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-03 00:43:25 UTC
(In reply to Ulenrich from comment #9)
> CVE-2019-13615  Lars told me is invalid - and I rewrote the summary
> CVE-2019-13602  was patched by videolan.org and Debian took it

You are correct, my apologies for not spotting the CVE difference.  

CVE-2019-13602 does apply here.
Comment 11 Ulenrich 2019-08-03 18:34:57 UTC
integer underflow
Comment 12 Frank Krömmelbein 2019-08-19 18:06:28 UTC
Version 3.0.8 is now available with the fixes for all the security issues mentioned before and a few more:

 * Fix a buffer overflow in the MKV demuxer (CVE-2019-14970)
 * Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962)
 * Fix a read buffer overflow in the FAAD decoder
 * Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437, CVE-2019-14438)
 * Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776)
 * Fix a use after free in the MKV demuxer (CVE-2019-14777, CVE-2019-14778)
 * Fix a use after free in the ASF demuxer (CVE-2019-14533)
 * Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602)
 * Fix a null dereference in the dvdnav demuxer
 * Fix a null dereference in the ASF demuxer (CVE-2019-14534)
 * Fix a null dereference in the AVI demuxer
 * Fix a division by zero in the CAF demuxer (CVE-2019-14498)
 * Fix a division by zero in the ASF demuxer (CVE-2019-14535)

http://git.videolan.org/?p=vlc/vlc-3.0.git;a=blob_plain;f=NEWS
Comment 13 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-21 16:30:36 UTC
summary does not get updated until a fixed version is in the tree.
Comment 14 Larry the Git Cow gentoo-dev 2019-08-25 08:10:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=621b74398ee71f0f6528bfdb4f976e66aaa4a967

commit 621b74398ee71f0f6528bfdb4f976e66aaa4a967
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-08-24 21:48:38 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-08-25 08:08:27 +0000

    media-video/vlc: 3.0.8 version bump
    
    Bug: https://bugs.gentoo.org/689974
    Package-Manager: Portage-2.3.73, Repoman-2.3.17
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-video/vlc/Manifest            |   1 +
 media-video/vlc/vlc-3.0.8.ebuild    | 494 ++++++++++++++++++++++++++++++++++++
 media-video/vlc/vlc-3.0.9999.ebuild |   4 +-
 media-video/vlc/vlc-9999.ebuild     |   4 +-
 4 files changed, 499 insertions(+), 4 deletions(-)
Comment 15 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-09-01 16:09:51 UTC
arm64 stable
Comment 16 Agostino Sarubbo gentoo-dev 2019-09-02 09:33:05 UTC
ppc64 stable
Comment 17 Agostino Sarubbo gentoo-dev 2019-09-02 10:12:00 UTC
ppc stable
Comment 18 Agostino Sarubbo gentoo-dev 2019-09-02 10:15:53 UTC
x86 stable
Comment 19 Agostino Sarubbo gentoo-dev 2019-09-02 10:20:24 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 20 Larry the Git Cow gentoo-dev 2019-09-04 08:46:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e0f9b51e48e2b964913db6c062842df4c3bb803

commit 3e0f9b51e48e2b964913db6c062842df4c3bb803
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-09-04 08:46:35 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-09-04 08:46:45 +0000

    media-video/vlc: Security cleanup
    
    Bug: https://bugs.gentoo.org/689974
    Package-Manager: Portage-2.3.75, Repoman-2.3.17
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 media-video/vlc/Manifest           |   1 -
 media-video/vlc/vlc-3.0.7.1.ebuild | 494 -------------------------------------
 2 files changed, 495 deletions(-)
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2019-09-06 16:16:42 UTC
This issue was resolved and addressed in
 GLSA 201909-02 at https://security.gentoo.org/glsa/201909-02
by GLSA coordinator Thomas Deutschmann (whissi).