Bug 352206 (CVE-2011-0021) - <media-video/vlc-1.1.6: CDG heap corruption (CVE-2011-0021)
Summary: <media-video/vlc-1.1.6: CDG heap corruption (CVE-2011-0021)
Status: RESOLVED FIXED
Alias: CVE-2011-0021
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://comments.gmane.org/gmane.comp....
Whiteboard: B2 [glsa]
Keywords:
Duplicates: 352634
Depends on: 352621
Blocks: CVE-2010-3907
Reported: 2011-01-20 06:29 UTC by Paweł Hajdan, Jr. (RETIRED)
Modified: 2014-11-05 22:08 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
build.log (build-vlc.log,110.03 KB, text/plain)
2011-01-24 13:43 UTC, Christian Faulhammer (RETIRED)

Description Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-20 06:29:57 UTC
http://git.videolan.org/?p=vlc.git;a=commit;h=f9b664eac0e1a7bceed9d7b5854fd9fc351b4aab

Fix heap overflows in CDG decoder

This patch resolves two heap corruption vulnerabilities in the CDG
decoder for VLC media player.  In both cases, a failure to properly
validate indexes into statically-sized arrays on the heap could allow a
maliciously crafted CDG video to corrupt the heap in a controlled
manner, potentially leading to code execution.

The patch is against v1.1.5 from vlc git, but this decoder hasn't been
touched in a while, so I'd expect it to cleanly apply to older versions.
I've tested it and confirmed it resolves the heap corruption issues and
does not break functionality.
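The defect class the commit message describes, an index read from the media file and used without validation against a fixed-size array on the heap, as an added example in C that is not VLC's cdg.c and not the patch referenced above: the unchecked pattern is shown next to its bounds-checked form, and the decoder struct, the table sizes and the packet layout are constructed assumptions for illustration only.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration, not VLC's cdg.c: a decoder owns two fixed-size
 * arrays on the heap, and each incoming packet carries indexes into them.
 * The entry counts and the packet layout are assumptions for this example. */
#define PALETTE_ENTRIES 16u
#define SCREEN_W 300u
#define SCREEN_H 216u

typedef struct {
    uint16_t *palette;   /* PALETTE_ENTRIES entries, heap allocated */
    uint8_t  *screen;    /* SCREEN_W * SCREEN_H bytes, heap allocated */
} decoder_t;

decoder_t *decoder_new(void)
{
    decoder_t *d = calloc(1, sizeof *d);
    if (d == NULL) return NULL;
    d->palette = calloc(PALETTE_ENTRIES, sizeof *d->palette);
    d->screen  = calloc((size_t)SCREEN_W * SCREEN_H, sizeof *d->screen);
    if (d->palette == NULL || d->screen == NULL) {
        free(d->palette); free(d->screen); free(d);
        return NULL;
    }
    return d;
}

void decoder_free(decoder_t *d)
{
    if (d == NULL) return;
    free(d->palette); free(d->screen); free(d);
}

/* Vulnerable pattern: the index comes straight from the packet. A crafted
 * packet with idx >= PALETTE_ENTRIES makes the store land in whatever heap
 * chunk follows the table, which is the heap corruption the commit message
 * describes. Kept only for contrast; nothing here calls it with bad input. */
void set_palette_unchecked(decoder_t *d, const uint8_t pkt[3])
{
    unsigned idx = pkt[0];
    d->palette[idx] = (uint16_t)(pkt[1] | (pkt[2] << 8));
}

/* Hardened form: reject the packet before any memory access if the index
 * (or the packet length) is outside what the array can hold. */
int set_palette_checked(decoder_t *d, const uint8_t *pkt, size_t len)
{
    if (len < 3) return -1;                 /* truncated packet */
    unsigned idx = pkt[0];
    if (idx >= PALETTE_ENTRIES) return -1;  /* out-of-range index: drop it */
    d->palette[idx] = (uint16_t)(pkt[1] | (pkt[2] << 8));
    return 0;
}

/* The same rule for the pixel array: row, column and colour taken from the
 * file must all be validated against the fixed dimensions before indexing. */
int put_pixel_checked(decoder_t *d, unsigned row, unsigned col, uint8_t color)
{
    if (row >= SCREEN_H || col >= SCREEN_W) return -1;
    if (color >= PALETTE_ENTRIES) return -1;
    d->screen[(size_t)row * SCREEN_W + col] = color;
    return 0;
}

int main(void)
{
    decoder_t *d = decoder_new();
    if (d == NULL) return 1;
    const uint8_t good[3] = { 3, 0x34, 0x12 };   /* constructed packets */
    const uint8_t bad[3]  = { 200, 0xff, 0xff }; /* index 200 into 16 entries */
    printf("good packet: %d\n", set_palette_checked(d, good, 3));
    printf("bad packet:  %d\n", set_palette_checked(d, bad, 3));
    decoder_free(d);
    return 0;
}
```

The check sits before the store rather than after it because the corrupted chunk is not the decoder's own memory; by the time a later sanity check could notice, the damage to the neighbouring allocation is already done. Rejecting the packet (returning an error and leaving the arrays untouched) is the behaviour a fuzzer or ASan build should see for every out-of-range index.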
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-01-23 19:59:41 UTC
Per http://www.openwall.com/lists/oss-security/2011/01/20/3 this has been assigned CVE-2011-0021.
Comment 2 Alexis Ballier gentoo-dev 2011-01-24 11:37:58 UTC
vlc-1.1.6 should fix this
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-24 12:23:36 UTC
Thank you. Arches, please stabilize =media-video/vlc-1.1.6
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2011-01-24 13:43:54 UTC
Created attachment 260588
build.log

Fails with USE=lirc

Portage 2.1.9.25 (default/linux/x86/10.0/desktop, gcc-4.4.4, glibc-2.11.2-r3, 2.6.36-gentoo-r5 i686)
=================================================================
System uname: Linux-2.6.36-gentoo-r5-i686-AMD_Athlon-tm-_X2_Dual_Core_Processor_BE-2400-with-gentoo-1.12.14
Timestamp of tree: Mon, 24 Jan 2011 13:00:22 +0000
distcc 3.1 i686-pc-linux-gnu [disabled]
ccache version 2.4 [enabled]
app-shells/bash:     4.1_p9
dev-java/java-config: 2.1.11-r3
dev-lang/python:     2.6.6-r1, 3.1.2-r4
dev-util/ccache:     2.4-r9
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 1.12.14-r1
sys-apps/sandbox:    2.4
sys-devel/autoconf:  2.13, 2.65-r1
sys-devel/automake:  1.4_p6-r1, 1.5-r1, 1.6.3-r1, 1.7.9-r2, 1.8.5-r4, 1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.3.4, 4.4.4-r2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.81-r2
virtual/os-headers:  2.6.36.1 (sys-kernel/linux-headers)
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="*"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -pipe -msse3"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /opt/openjms/config /usr/lib/fax /usr/share/config /usr/share/openvpn/easy-rsa /var/bind /var/lib/hsqldb /var/spool/fax/etc /var/spool/torque"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/games/angband/edit/ /etc/gconf /etc/php/apache2-php5.2/ext-active/ /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.2/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.2/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -march=athlon-xp -pipe -msse3"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs ccache distlocks fixlafiles fixpackages metadata-transfer news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="de_DE.utf8"
LC_ALL="de_DE.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu"
LINGUAS="de"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X a52 aac aiglx alsa applet artworkextra asf astribank audiofile bash-completion berkdb bidi bluetooth bogofilter bootsplash branding bzip2 cairo ccache cdda cddb cdparanoia cdr cli compat console consolekit cracklib crypt css cups curl custom-cflags cxx dbus deskbar dga directfb divx4linux dri dts dvd dvdr dvdread dvi emacs emboss encode evince exif extensions fam fat fbcon fbcondecor fdftk ffmpeg fontconfig foomaticdb fortran ftp gb gcj gdbm gdu gif glitz gphoto2 gpm gsf gtk gtk2 gtkhtml hal howl iconv icq idn imagemagick imlib ipv6 java javascript jpeg jpeg2k kde kpathsea libnotify libotf lm_sensors mad matroska melt mikmod mime mjpeg mmx mmxext mng modules mp3 mp4 mpeg mpeg2 mudflap mule mysql ncurses networking nforce2 nls noaudio nocardbus novideo nowebdav nptl nptlonly nss objc objc++ objc-gc ocamlopt offensive ogg opengl openmp pam pango passwordsave pcre pdf perl plotutils pmu png policykit ppds pppd prediction preview-latex print publishers python qt-static qt3support qt4 readline reports run-as-root samba sdk sdl secure-delete semantic-desktop session slang smp spell sse ssl startup-notification static-analyzer svg svga sysfs t1lib tcpd theora threads thumbnailing tiff tk toolkit-scroll-bars totem truetype truetype-fonts type1-fonts udev unicode usb userlocales vcd videos vorbis win32codecs wmf wxwindows x264 x86 xcb xface xft xml xorg xosd xpm xulrunner xv xvid zlib" ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite 
setenvif speling status unique_id userdir usertrack vhost_alias" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="mouse keyboard evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="de" LIRC_DEVICES="atiusb" NGINX_MODULES_HTTP="perl" PHP_TARGETS="php5-3 php5-2" RUBY_TARGETS="jruby ruby18 ree18" USERLAND="GNU" VIDEO_CARDS="radeon" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 5 Agostino Sarubbo gentoo-dev 2011-01-24 19:53:06 UTC
amd64 ok

ok also with +lirc
Comment 6 Carsten Lohrke (RETIRED) gentoo-dev 2011-01-24 20:29:09 UTC
Doesn't build against app-misc/lirc-0.8.7  USE="X doc"



make[5]: Entering directory `/var/tmp/portage/media-video/vlc-1.1.6/work/vlc-1.1.6/modules/control'
  CC     libdbus_plugin_la-dbus.lo
  CC     liblirc_plugin_la-lirc.lo
  CC     libgestures_plugin_la-gestures.lo
  CC     libnetsync_plugin_la-netsync.lo
  CC     libhotkeys_plugin_la-hotkeys.lo
  CC     liboldrc_plugin_la-rc.lo
lirc.c: In function 'Open':
lirc.c:102: warning: passing argument 1 of 'lirc_init' discards qualifiers from pointer target type
lirc.c: In function 'Run':
lirc.c:157: error: 'errno' undeclared (first use in this function)
lirc.c:157: error: (Each undeclared identifier is reported only once
lirc.c:157: error: for each function it appears in.)
lirc.c:157: error: 'EINTR' undeclared (first use in this function)
lirc.c:156: warning: suggest explicit braces to avoid ambiguous 'else'
make[5]: *** [liblirc_plugin_la-lirc.lo] Error 1
make[5]: *** Waiting for unfinished jobs....
gestures.c: In function 'RunIntf':
gestures.c:438: warning: call to 'harmful_delay' declared with attribute warning: use proper event handling instead of short delay
rc.c: In function 'Run':
rc.c:527: warning: comparison between signed and unsigned
netsync.c: In function 'Slave':
netsync.c:266: warning: call to 'harmful_delay' declared with attribute warning: use proper event handling instead of short delay
dbus.c: In function 'Run':
dbus.c:813: warning: call to 'harmful_delay' declared with attribute warning: use proper event handling instead of short delay
make[5]: Leaving directory `/var/tmp/portage/media-video/vlc-1.1.6/work/vlc-1.1.6/modules/control'



Portage 2.2.0_alpha4 (default/linux/x86/2008.0/developer, gcc-4.3.5, glibc-2.11.2-r3, 2.6.36.3 i686)
=================================================================
System uname: Linux-2.6.36.3-i686-Intel-R-_Core-TM-_i5_CPU_750_@_2.67GHz-with-gentoo-1.12.14
Timestamp of tree: Mon, 24 Jan 2011 18:15:03 +0000
distcc 3.1 i686-pc-linux-gnu [disabled]
app-shells/bash:     4.1_p9
dev-java/java-config: 2.1.11-r3
dev-lang/python:     2.6.6-r1
dev-util/cmake:      2.8.3-r1
sys-apps/baselayout: 1.12.14-r1
sys-apps/sandbox:    2.4
sys-devel/autoconf:  2.13, 2.65-r1
sys-devel/automake:  1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.3.5, 4.4.4-r2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.81-r2
virtual/os-headers:  2.6.30-r1 (sys-kernel/linux-headers)
Repositories: gentoo local
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="*"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=core2 -pipe -mfpmath=sse -msse4 -mcx16 -msahf -funit-at-a-time -D_FORTIFY_SOURCE=2 -fstack-protector"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /usr/share/openvpn/easy-rsa"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -march=core2 -pipe -mfpmath=sse -msse4 -mcx16 -msahf -funit-at-a-time -D_FORTIFY_SOURCE=2 -fvisibility-inlines-hidden"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--noconfmem --jobs=4 --load-average=8 --oneshot --keep-going"
FEATURES="assume-digests binpkg-logs collision-protect distlocks fixlafiles fixpackages metadata-transfer news noinfo parallel-fetch preserve-libs sandbox sfperms splitdebug strict stricter test test-fail-continue unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
GENTOO_MIRRORS="ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo http://www.ibiblio.org/pub/Linux/distributions/gentoo"
LANG="de_DE.utf8"
LDFLAGS="-Wl,-O1 -Wl,--sort-common -Wl,--as-needed -Wl,--hash-style=both"
LINGUAS="de"
MAKEOPTS="-j 6 -l 10"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times  --compress  --force  --whole-file  --delete               --delete-after --stats --timeout=180 --contimeout=10 --exclude='/distfiles' --exclude='/local' --exclude='/packages'              --exclude-from=/etc/portage/rsync_excludes"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X a52 aac acl acpi alsa apache2 audiofile berkdb boost bzip2 cairo caps cddb cdparanoia cdr chroot cli consolekit cracklib crypt css cups curl cxx dbus device-mapper dga djvu doc dts dvd dvdr emacs encode exif faad fam ffmpeg firefox flac fontconfig fortran gd gdu gif glut gphoto2 gpm graphviz hal hbci iconv idn imagemagick imap ipv6 java5 javascript jpeg jpeg2k kde kdehiddenvisibility kipi ladcca lame lcms ldap libffi lirc lm_sensors lzma lzo mad maildir matroska md5sum mmx mmxext mng modules mp3 mp4 mpeg mudflap musepack ncurses network nfs nls nptl nptlonly ofx ogg openexr opengl openmp openssl pam pango pcap pcre pdf perl png policykit postgres pppd python qt3 qt3support qt4 quicktime readline rtc samba sasl scanner sdl session slp snmp sox spell sse sse2 sse3 sse4 ssl ssse3 startup-notification subversion svg svga sysfs tcpd tetex theora threads tiff transcode truetype udev unicode usb vdpau vorbis vpx wmf x264 x86 xattr xcb xcomposite xerces xine xml xorg xulrunner xv xvid zlib" ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_alias authn_anon authn_dbd authn_dbm      authn_default authn_file authz_dbm authz_default authz_groupfile authz_host     authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir        disk_cache env expires ext_filter file_cache filter headers ident imagemap      include info log_config logio mem_cache mime mime_magic negotiation openssl proxy         proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_http rewrite setenvif so         speling status substitute unique_id userdir usertrack vhost_alias" CAMERAS="canon" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock 
itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="de" NGINX_MODULES_HTTP="access auth_basic autoindex browser cache_purge charset dav fastcgi gzip map limit_req proxy push referer rewrite xslt" NGINX_MODULES_MAIL="imap pop3 smtp" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev nouveau nvidia svga vesa" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 7 Agostino Sarubbo gentoo-dev 2011-01-24 20:42:07 UTC
(In reply to comment #6)
> default/linux/x86/2008.0/developer, gcc-4.3.5,

> CFLAGS="-O2 -march=core2 -pipe -mfpmath=sse -msse4 -mcx16 -msahf
> -funit-at-a-time -D_FORTIFY_SOURCE=2 -fstack-protector"

> LDFLAGS="-Wl,-O1 -Wl,--sort-common -Wl,--as-needed -Wl,--hash-style=both"

With all due respect ... but before testing a package, make sure you have: a stable system _updated_, and with the appropriate flag ;)
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-01-24 20:56:29 UTC
*** Bug 352634 has been marked as a duplicate of this bug. ***
Comment 9 Alexis Ballier gentoo-dev 2011-01-25 16:01:40 UTC
(In reply to comment #4)
> Created an attachment (id=260588)
> build.log
> 
> Fails with USE=lirc

Indeed, it's been fixed upstream right after the release; I backported the fix.
Comment 10 Agostino Sarubbo gentoo-dev 2011-01-25 18:27:45 UTC
(In reply to comment #9)
> Indeed, it's been fixed upstream right after the release; I backported the fix.
> 

Is it a special combination of USE flags?
It compiles correctly here with +lirc.
Comment 11 Markos Chandras (RETIRED) gentoo-dev 2011-01-25 22:02:22 UTC
amd64 done
Comment 12 Andreas Schürch gentoo-dev 2011-01-26 08:20:50 UTC
For USE="pulseaudio", pulseaudio needs to be compiled with USE="X".

Otherwise, the following happens:

checking for PULSE... no
configure: error: Xlib is required for VLC PulseAudio support
            (see http://www.pulseaudio.org/ticket/799 for further reference).

I don't think that this is a new issue, and I haven't seen any other things on x86 that would prevent the stabilization...
Comment 13 Christian Faulhammer (RETIRED) gentoo-dev 2011-01-26 08:48:07 UTC
Thank you, Andreas, for spotting this. Alexis, please fix it; x86 stable nonetheless.
Comment 14 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-01-26 13:14:24 UTC
ppc/ppc64 stable
Comment 15 Tobias Klausmann (RETIRED) gentoo-dev 2011-02-05 23:10:52 UTC
Since we (alpha) have already stabilized 1.1.7, I see no point in 1.1.6.
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2011-02-12 17:56:09 UTC
sparc stable
Comment 17 Tim Sammut (RETIRED) gentoo-dev 2011-02-12 18:12:28 UTC
Thanks everyone. Added to existing GLSA request.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:34:08 UTC
CVE-2011-0021 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0021):
  Multiple heap-based buffer overflows in cdg.c in the CDG decoder in VideoLAN
  VLC Media Player before 1.1.6 allow remote attackers to cause a denial of
  service (application crash) or possibly execute arbitrary code via a crafted
  CDG video.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2014-11-05 22:08:11 UTC
This issue was resolved and addressed in
 GLSA 201411-01 at http://security.gentoo.org/glsa/glsa-201411-01.xml
by GLSA coordinator Sean Amoss (ackle).