From ${URL}:

Hi oss-security, (please note, I'm not on the list.)

I recently discovered a couple of vulnerabilities in the latest stable version of VLC (2.1.5), reported them to the developers and also provided patches, most of which were applied. The most critical issues are a buffer overflow in the mp4 demuxer and another in the automatic updater. For the last flaw, I also showed at 31C3 that it can indeed be leveraged for arbitrary code execution.

Below you find links to the patches. Please note that patches were applied for the master branch, so they may not all be immediately applicable to 2.1.5. However, the attached original bug reports give you all the details for 2.1.5.

* Buffer overflow in updater: https://github.com/videolan/vlc/commit/fbe2837bc80f155c001781041a54c58b5524fc14
* Buffer overflow in mp4 demuxer: https://github.com/videolan/vlc/commit/2e7c7091a61aa5d07e7997b393d821e91f593c39
* Potential buffer overflow in Schroedinger encoder: https://github.com/videolan/vlc/commit/9bb0353a5c63a7f8c6fc853faa3df4b4df1f5eb5
* Invalid memory access in rtp code: https://github.com/videolan/vlc/commit/204291467724867b79735c0ee3aeb0dbc2200f97
* Null-pointer dereference in dmo codec: https://github.com/videolan/vlc/commit/229c385a79d48e41687fae8b4dfeaeef9c8c3eb7

I was wondering whether anybody could assign CVEs for these vulnerabilities.

Please note that the following problems were not fixed:

* The potential buffer overflow in the Dirac encoder was not fixed, as the Dirac encoder no longer exists in the master branch.
* The potential invalid writes in modules/services_discovery/sap.c and modules/access/ftp.c were not fixed, as I did not provide a trigger. Note that the code looks very similar to the confirmed bug in rtp_packetize_xiph_config, and so I leave it to you to decide whether you want to patch this.

I have not attached the triggers mentioned in the report. If anybody is interested in these, please let me know.
Kind Regards, Fabian Yamaguchi - University of Goettingen
We should mark 2.2.0 stable. Comments?
Too soon. Nick only started on this 3 days ago. vlc was a neglected mess. I still can't get it to build on my system, which is why I have had to tread very carefully and bring in extra support for Nick.
This could help: https://bugs.gentoo.org/show_bug.cgi?id=548546

Changes between 2.1.5 and 2.1.6:
--------------------------------

Audio output:
* Fix OSS stuttering

Security:
* Fix heap overflow in decomp stream filter
* Fix buffer overflow in updater
* Fix potential buffer overflow in schroedinger encoder
* Fix null-pointer dereference in DMO decoder
* Fix buffer overflow in parsing of string boxes in mp4 demuxer
* Fix SRTP integer overflow
* Fix potential crash in zip access
* Fix read overflow in Ogg demuxer
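The mp4 demuxer entry above (and the same item in Fabian's report) is a length-field bug class common to box-structured containers: a parser trusts the size declared in the file when copying a string payload into a fixed buffer. The following is an added illustration of that pattern and of the checks that close it; it is not VLC's code and does not reproduce the patched function. The box layout (4-byte big-endian size, 4-byte type, string payload), the 32-byte destination buffer and the sample boxes are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAME_MAX 32   /* fixed destination buffer, constructed for the example */

/* Decode the big-endian 32-bit size field at the start of a box. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * Insecure pattern (shown for contrast, only ever called on well-formed input here):
 * the declared size is used as the copy length with no check against the
 * destination or against the bytes actually available.
 */
int parse_string_box_unsafe(const uint8_t *box, size_t box_len, char *out) {
    (void)box_len;
    uint32_t size = be32(box);
    size_t payload = size - 8;       /* wraps around if size < 8 */
    memcpy(out, box + 8, payload);   /* overruns out if payload > NAME_MAX - 1 */
    out[payload] = '\0';
    return (int)payload;
}

/*
 * Hardened form: the header must be present, the declared size must be
 * covered by the input we actually hold, and the payload must leave room
 * for the terminating NUL in the destination. Returns payload length or -1.
 */
int parse_string_box(const uint8_t *box, size_t box_len, char *out, size_t out_len) {
    if (box_len < 8 || out_len == 0)
        return -1;
    uint32_t size = be32(box);
    if (size < 8 || size > box_len)  /* rejects both the wrap-around and the oversize case */
        return -1;
    size_t payload = size - 8;
    if (payload >= out_len)           /* must fit with the NUL terminator */
        return -1;
    memcpy(out, box + 8, payload);
    out[payload] = '\0';
    return (int)payload;
}

/* Constructed sample boxes: one valid, one with a huge size field, one whose
 * size is smaller than its own header. */
static const uint8_t box_valid[]     = {0,0,0,13, 'n','a','m','e', 'h','e','l','l','o'};
static const uint8_t box_oversized[] = {0xFF,0xFF,0xFF,0xF0, 'n','a','m','e', 'x','x','x','x'};
static const uint8_t box_short[]     = {0,0,0,4, 'n','a','m','e'};

int demo_valid_box(void) {
    char name[NAME_MAX];
    return parse_string_box(box_valid, sizeof box_valid, name, sizeof name);
}

int demo_oversized_box(void) {
    char name[NAME_MAX];
    return parse_string_box(box_oversized, sizeof box_oversized, name, sizeof name);
}

int demo_short_box(void) {
    char name[NAME_MAX];
    return parse_string_box(box_short, sizeof box_short, name, sizeof name);
}

/* Valid box, but a destination too small for the 5-byte payload plus NUL. */
int demo_tiny_destination(void) {
    char name[4];
    return parse_string_box(box_valid, sizeof box_valid, name, sizeof name);
}

int main(void) {
    char name[NAME_MAX];
    parse_string_box_unsafe(box_valid, sizeof box_valid, name);
    printf("unsafe parser on valid box : \"%s\"\n", name);
    printf("hardened, valid box        : %d\n", demo_valid_box());
    printf("hardened, oversized box    : %d\n", demo_oversized_box());
    printf("hardened, short box        : %d\n", demo_short_box());
    printf("hardened, tiny destination : %d\n", demo_tiny_destination());
    return 0;
}
```

The two parsers behave identically on a well-formed box; they diverge only on the hostile inputs, which is why a file-format fuzzer (the class of tool that found the bugs in the report) is the natural regression test for a fix like this.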
This confuses the issue all the more. Here we're talking about making 2.2.1 stable and purging the 2.1.x series and you add in a 2.1.6 to the mix. We need to know why the 2.1.x series should be kept at all.
2.1.x series has been dropped for some time now.
Added to existing GLSA.
This issue was resolved and addressed in GLSA 201603-08 at https://security.gentoo.org/glsa/201603-08 by GLSA coordinator Kristian Fiskerstrand (K_F).