Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 721940 (CVE-2019-19721, VideoLAN-SB-VLC-309) - <media-video/vlc-3.0.10: out of bound read (VideoLAN-SB-VLC-309)
Summary: <media-video/vlc-3.0.10: out of bound read (VideoLAN-SB-VLC-309)
Status: RESOLVED FIXED
Alias: CVE-2019-19721, VideoLAN-SB-VLC-309
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.videolan.org/security/sb-...
Whiteboard: B2 [glsa+ cve cleanup]
Keywords: CC-ARCHES
Depends on:
Blocks:
 
Reported: 2020-05-09 18:22 UTC by GLSAMaker/CVETool Bot
Modified: 2020-05-14 22:27 UTC (History)
1 user (show)

See Also:
Package list:
media-video/vlc-3.0.10-r1
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2020-05-09 18:22:15 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2020-05-09 18:25:18 UTC
From $URL:

Details
=======
A remote user could:

- Create a specifically crafted image file that could trigger an out of bounds read

If successful, a malicious third party could trigger either a crash of VLC or an arbitratry code execution with the privileges of the target user.

While these issues in themselves are most likely to just crash the player, we can't exclude that they could be combined to leak user informations or remotely execute code. ASLR and DEP help reduce the likelyness of code execution, but may be bypassed.

We have not seen exploits performing code execution through these vulnerabilities

CVE-2019-19721 affects VLC 3.0.8 and earlier, and only reads 1 byte out of bound
Threat mitigation

Exploitation of those issues requires the user to explicitly open a specially crafted file or stream.

Workarounds
===========
The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied.
Comment 2 Sergei Trofimovich gentoo-dev 2020-05-09 23:18:59 UTC
ppc/ppc64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2020-05-11 11:29:26 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-05-12 06:40:35 UTC
x86 stable
Comment 5 Sam James (sec padawan) 2020-05-12 16:10:23 UTC
arm64 stable.

@maintainer(s), please cleanup
Comment 6 Sam James (sec padawan) 2020-05-13 00:29:53 UTC
Note that the microdns issues were handled in bug 714606.

For this bug, we have:
https://git.videolan.org/?p=vlc/vlc-3.0.git;a=commit;h=72afe7ebd8305bf4f5360293b8621cde52ec506b
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2020-05-14 22:25:58 UTC
This issue was resolved and addressed in
 GLSA 202005-11 at https://security.gentoo.org/glsa/202005-11
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 8 Larry the Git Cow gentoo-dev 2020-05-14 22:27:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a4ebc3f825cadf3aafc60e70aec4f5952ebe8853

commit a4ebc3f825cadf3aafc60e70aec4f5952ebe8853
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-05-14 22:27:09 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-05-14 22:27:16 +0000

    media-video/vlc: security cleanup
    
    Bug: https://bugs.gentoo.org/721940
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 media-video/vlc/Manifest            |   1 -
 media-video/vlc/vlc-3.0.8-r1.ebuild | 489 ------------------------------------
 2 files changed, 490 deletions(-)