Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 245774 (CVE-2008-5032) - media-video/vlc < 0.9.6: Buffer overflows in VLC RealText and CUE demuxers (CVE-2008-{5032,5036})
Summary: media-video/vlc < 0.9.6: Buffer overflows in VLC RealText and CUE demuxers (C...
Status: RESOLVED FIXED
Alias: CVE-2008-5032
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.videolan.org/security/sa08...
Whiteboard: B2 [glsa]
Keywords:
Depends on: 245793
Blocks:
  Show dependency tree
 
Reported: 2008-11-06 00:15 UTC by Alexis Ballier
Modified: 2008-12-25 01:16 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexis Ballier gentoo-dev 2008-11-06 00:15:34 UTC
- Details -

When parsing the header of an invalid CUE image file or an invalid RealText 
subtitle file, stack-based buffer overflows might occur. 


- Impact -

If successful, a malicious third party could trigger execution of arbitrary 
code within the context of the VLC media player. 


- Threat mitigation -

Exploitation of this issue requires the user to explicitly open a specially 
crafted file. 


http://www.videolan.org/security/sa0810.html
http://www.trapkit.de/advisories/TKADV2008-011.txt
http://www.trapkit.de/advisories/TKADV2008-012.txt
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-06 10:27:53 UTC
Arches, please test and mark stable
=media-video/vlc-0.9.6

Target keywords:
amd64 ppc ppc64 sparc x86
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2008-11-06 11:51:09 UTC
This probably depends on bug 245793 being fixed (unable to reproduce here due to lack of a stable system).
Comment 3 Christian Hoffmann (RETIRED) gentoo-dev 2008-11-06 12:23:01 UTC
alpha: You need to rekeyword AND stable.
ppc64: Apparently you never had VLC stable, so feel free to un-cc yourself.
Comment 4 Ferris McCormick (RETIRED) gentoo-dev 2008-11-06 14:49:12 UTC
Sparc stable, works for me, but of course an exhaustive test of this package is almost impossible.  Note, for sparc, this carries along a requirement to mark stable several other packages:
===============
media-video/dirac-1.0.0
media-libs/libkate-0.2.5
media-libs/zvbi-0.2.33
media-libs/schroedinger-1.0.5
media-libs/libass-0.9.5
===========================
Of these, libkate, zvbi, and libass need to be marked stable on everything.
Comment 5 Santiago M. Mola (RETIRED) gentoo-dev 2008-11-07 15:32:30 UTC
There's a regression. Video is detached from the interface, which was fixed in media-video/vlc-0.9.4-r1 with the patch 'embeddedvideo.patch', but it was removed later.

The patch can be applied cleanly to 0.9.6 and works.
Comment 6 Alexis Ballier gentoo-dev 2008-11-07 15:44:49 UTC
(In reply to comment #5)
> There's a regression. Video is detached from the interface, which was fixed in
> media-video/vlc-0.9.4-r1 with the patch 'embeddedvideo.patch', but it was
> removed later.

The regression was to patch it in order to make it available again...
See bug #240714, my last comment there and the link I posted.
Comment 7 Markus Meier gentoo-dev 2008-11-08 13:10:54 UTC
amd64/x86 need the following packages stable, is this ok and which versions should we pick?

Package                       Version             Current Keywords  Masks     
============================= =================== ================= =========
media-libs/zvbi               0.2.31              ~x86              K         
media-libs/zvbi               0.2.32              ~x86              K         
media-libs/zvbi               0.2.33              ~x86              K         
media-libs/libv4l             0.5.1               ~x86              K         
media-libs/libv4l             0.5.3               ~x86              K         
media-libs/libass             0.9.5               ~x86              K         
media-libs/libkate            0.2.5               ~x86              K         
media-video/vlc               0.9.6               ~x86              K
Comment 8 Alexis Ballier gentoo-dev 2008-11-09 02:21:33 UTC
(In reply to comment #7)
> amd64/x86 need the following packages stable, is this ok and which versions
> should we pick?
 
> media-libs/zvbi               0.2.33              ~x86              K         

this one should be ok

> media-libs/libv4l             0.5.3               ~x86              K         

and this one

> media-libs/libass             0.9.5               ~x86              K         

ditto

> media-libs/libkate            0.2.5               ~x86              K         

ditto
Comment 9 Markus Meier gentoo-dev 2008-11-09 13:44:56 UTC
amd64/x86 stable
Comment 10 Tobias Klausmann gentoo-dev 2008-11-09 14:53:33 UTC
Stable on alpha. (also stabled the four deps mentioned by maekke as well as fluidsynth (and two of its deps, lash and ladspa-cmt).
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-11 00:36:16 UTC
======================================================
Name: CVE-2008-5032
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5032
Reference: MLIST:[oss-security] 20081105 CVE id request: vlc
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/05/5
Reference: MLIST:[oss-security] 20081105 VideoLAN security advisory 0810
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/05/4
Reference: MLIST:[oss-security] 20081110 Re: CVE id request: vlc
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/10/13
Reference: MISC:http://www.trapkit.de/advisories/TKADV2008-012.txt
Reference: CONFIRM:http://git.videolan.org/?p=vlc.git;a=commitdiff;h=5f63f1562d43f32331006c2c1a61742de031b84d
Reference: CONFIRM:http://www.videolan.org/security/sa0810.html

Stack-based buffer overflow in VideoLAN VLC media player 0.5.0 through
0.9.5 might allow user-assisted attackers to execute arbitrary code
via the header of an invalid CUE image file, related to
modules/access/vcd/cdrom.c.  NOTE: this identifier originally included
an issue related to RealText, but that issue has been assigned a
separate identifier, CVE-2008-5036.


======================================================
Name: CVE-2008-5036
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5036
Reference: MLIST:[oss-security] 20081105 CVE id request: vlc
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/05/5
Reference: MLIST:[oss-security] 20081105 VideoLAN security advisory 0810
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/05/4
Reference: MLIST:[oss-security] 20081110 Re: CVE id request: vlc
Reference: URL:http://www.openwall.com/lists/oss-security/2008/11/10/13
Reference: MISC:http://www.trapkit.de/advisories/TKADV2008-011.txt
Reference: CONFIRM:http://git.videolan.org/?p=vlc.git;a=commitdiff;h=e3cef651125701a2e33a8d75b815b3e39681a447
Reference: CONFIRM:http://www.videolan.org/security/sa0810.html

Stack-based buffer overflow in VideoLAN VLC media player 0.9.x before
0.9.6 might allow user-assisted attackers to execute arbitrary code
via an an invalid RealText (rt) subtitle file, related to the
ParseRealText function in modules/demux/subtitle.c.  NOTE: this issue
was SPLIT from CVE-2008-5032 on 20081110.
Comment 12 Markus Rothe (RETIRED) gentoo-dev 2008-11-12 18:30:17 UTC
I'll keep vlc ~ppc64 for now.
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2008-12-13 13:46:37 UTC
0.9.8a is stable for ppc
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-25 01:16:20 UTC
GLSA 200812-24, thanks everyone, sorry about the delay.