Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 788226 - <media-video/vlc-3.0.13: Unspecified vulnerabilities
Summary: <media-video/vlc-3.0.13: Unspecified vulnerabilities
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ?? [glsa? cleanup]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-04 21:48 UTC by Sam James
Modified: 2021-09-13 00:25 UTC (History)
1 user (show)

See Also:
Package list:
media-video/vlc-3.0.14 amd64 arm64 ppc ppc64 x86 media-libs/libbluray-1.3.0-r1 dev-libs/libudfread-1.1.2 media-libs/libdvdnav-6.1.1 media-libs/libdvdread-6.1.2
Runtime testing required: ---
nattka: sanity-check-


Attachments
vlc-3.0.13-srt-1.3.0+.patch (vlc-3.0.13-srt-1.3.0+.patch,472 bytes, patch)
2021-05-04 22:34 UTC, Lars Wendler (Polynomial-C)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2021-05-04 21:48:31 UTC
The release notes for 3.0.13 say:
"VLC media player 3.0.13 'Vetinari'

This is the fourteenth release of VLC 3.0 branch, named "Vetinari",
in reference to the Lord Patrician from Discworld.

This updates contains various fixes and improvements:
- Fix artifacts in HLS streams
- Fix MP4 audio support regressions
- Add SSA text scaling support
- Add NFSv4 support
- Improve SMB2 integration
- Improve Direct3D11 rendering smoothness
- Add mousewheel horizontal axis support
- Security fixes

And many more, check our NEWS file for more details!"
Comment 1 NATTkA bot gentoo-dev 2021-05-04 21:52:24 UTC Comment hidden (obsolete)
Comment 2 Lars Wendler (Polynomial-C) gentoo-dev 2021-05-04 22:34:27 UTC
Created attachment 706062 [details, diff]
vlc-3.0.13-srt-1.3.0+.patch

Required patch to still build against >=net-libs/srt-1.3.0
Comment 3 Sam James archtester gentoo-dev Security 2021-05-04 22:44:06 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #2)
> Created attachment 706062 [details, diff] [details, diff]
> vlc-3.0.13-srt-1.3.0+.patch
> 
> Required patch to still build against >=net-libs/srt-1.3.0

Oh, of course. I'll commit it now just because it's faster, thank you
Comment 4 Larry the Git Cow gentoo-dev 2021-05-04 22:47:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3c66c764661b65e66ebe69ef6d4cce3a544b6a85

commit 3c66c764661b65e66ebe69ef6d4cce3a544b6a85
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-05-04 22:46:13 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-05-04 22:46:13 +0000

    media-video/vlc: allow building against newer net-libs/srt
    
    Bug: https://bugs.gentoo.org/788226
    Thanks-to: Lars Wendler <polynomial-c@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/vlc/files/vlc-3.0.13-srt-1.3.0.patch | 11 +++++++++++
 media-video/vlc/vlc-3.0.13.ebuild                |  1 +
 2 files changed, 12 insertions(+)
Comment 5 NATTkA bot gentoo-dev 2021-05-04 23:00:21 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-05-04 23:04:24 UTC Comment hidden (obsolete)
Comment 7 Sam James archtester gentoo-dev Security 2021-05-25 03:14:19 UTC
https://www.videolan.org/security/sb-vlc3013.html

“ Details
A remote user could create a specifically crafted file that could trigger some various issues.
It is possible to trigger a remote code execution through a specifically crafted playlist, and tricking the user into interracting with that playlist elements.
This is explained in more details on the reporter's article
It is also possible to trigger read or write buffer overflows with some crafted files or by a MITM attack on the automatic updater
Impact
If successful, a malicious third party could trigger either a crash of VLC or an arbitratry code execution with the privileges of the target user.
While these issues in themselves are most likely to just crash the player, we can't exclude that they could be combined to leak user informations or remotely execute code. ASLR and DEP help reduce the likelyness of code execution, but may be bypassed.
We have not seen exploits performing code execution through these vulnerability
”
Comment 8 Sam James archtester gentoo-dev Security 2021-05-25 11:56:33 UTC
arm done
Comment 9 Agostino Sarubbo gentoo-dev 2021-05-25 18:58:25 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2021-05-25 19:10:39 UTC
x86 stable
Comment 11 Rolf Eike Beer archtester 2021-05-28 15:46:54 UTC
sparc done
Comment 12 Agostino Sarubbo gentoo-dev 2021-05-28 19:39:15 UTC
ppc64 stable
Comment 13 Sam James archtester gentoo-dev Security 2021-06-02 10:38:15 UTC
ppc done
Comment 14 Sam James archtester gentoo-dev Security 2021-06-03 00:41:50 UTC
arm64 done

all arches done
Comment 15 John Helmert III gentoo-dev Security 2021-06-03 01:52:32 UTC
Please cleanup.
Comment 16 NATTkA bot gentoo-dev 2021-06-22 18:44:27 UTC
Unable to check for sanity:

> no match for package: media-video/vlc-3.0.14