211575 – (CVE-2008-0984) media-video/vlc < 0.8.6e MP4 demuxer Code execution (CVE-2008-0984)

Bug 211575 (CVE-2008-0984) - media-video/vlc < 0.8.6e MP4 demuxer Code execution (CVE-2008-0984)

Summary: media-video/vlc < 0.8.6e MP4 demuxer Code execution (CVE-2008-0984)

Status:	RESOLVED FIXED

Alias:	CVE-2008-0984

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal
Assignee:	Gentoo Security

URL:	http://www.videolan.org/security/sa08...
Whiteboard:	A2 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2008-02-26 22:47 UTC by Robert Buchholz (RETIRED)
Modified:	2008-03-07 22:49 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Buchholz (RETIRED) gentoo-dev

2008-02-26 22:47:44 UTC

CVE-2008-0984 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0984):
  The MP4 demuxer (mp4.c) for VLC media player 0.8.6d and earlier allows remote
  attackers to overwrite arbitrary memory and execute arbitrary code via a
  malformed MP4 file.

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2008-02-26 22:52:46 UTC

Patch is here:
http://www.videolan.org/patches/vlc-0.8.6-CORE-2008-0130.patch

And this should be fixed in the "e" release, whenever that goes public. So I'd go for patching our 0.8.6d-r1. Media-video, what do you think?

Comment 2 Alexis Ballier gentoo-dev

2008-02-26 23:04:55 UTC

http://download.videolan.org/pub/videolan/vlc/0.8.6e/vlc-0.8.6e.tar.bz2 exists

it's been tagged a few days ago, but I didn't see an announcement yet.
lemme check what's up with this

Comment 3 Christian Faulhammer (RETIRED) gentoo-dev

2008-02-28 11:28:53 UTC

0.8.6e is officially released.

Comment 4 Alexis Ballier gentoo-dev

2008-02-28 12:02:45 UTC

(In reply to comment #3)
> 0.8.6e is officially released.
> 

yeah but the build hadn't finished when I had to leave home ;)

I'll bump it most likely this evening

Comment 5 Alexis Ballier gentoo-dev

2008-02-28 18:10:41 UTC

(In reply to comment #4)
> (In reply to comment #3)
> > 0.8.6e is officially released.
> > 
> 
> yeah but the build hadn't finished when I had to leave home ;)
> 
> I'll bump it most likely this evening
> 

its bumped now

Comment 6 Christian Faulhammer (RETIRED) gentoo-dev

2008-02-29 07:49:01 UTC

Please arches do:

media-video/vlc-0.8.6e 
target keywords are "alpha amd64 ppc ~ppc64 sparc x86 ~x86-fbsd"

Comment 7 Christian Faulhammer (RETIRED) gentoo-dev

2008-02-29 08:59:28 UTC

x86 stable

Comment 8 Ferris McCormick (RETIRED) gentoo-dev

2008-02-29 15:12:52 UTC

Initial test on sparc results in a BadAlloc error from X followed by a SegFault.  I'll investigate further on another system, but for now, I'm holding off on sparc.

Comment 9 Ferris McCormick (RETIRED) gentoo-dev

2008-02-29 16:18:42 UTC

(In reply to comment #8)
> Initial test on sparc results in a BadAlloc error from X followed by a
> SegFault.  I'll investigate further on another system, but for now, I'm holding
> off on sparc.
> 

This problem is specific to one out-of-date system.  On my reference system (whick is completely current) it does not occur.  Hence,

Stable for sparc.

Comment 10 Raúl Porcel (RETIRED) gentoo-dev

2008-03-02 14:45:37 UTC

alpha stable, thanks Tobias

Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev

2008-03-04 19:34:21 UTC

ppc stable

Comment 12 Santiago M. Mola (RETIRED) gentoo-dev

2008-03-07 12:47:53 UTC

amd64 stable, sorry for the delay.

Comment 13 Peter Volkov (RETIRED) gentoo-dev

2008-03-07 16:13:08 UTC

Fixed in release snapshot.

Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev

2008-03-07 22:49:41 UTC

GLSA 200803-13