(please note, I'm not on the list.)
I recently discovered a couple of vulnerabilities in the latest stable
version of VLC (2.1.5), reported them to the developers and also
provided patches, most of which were applied. The most critical issues
are a buffer-overflow in the mp4-demuxer and another in the automatic
updater. For the last flaw, I also showed at 31C3 that it can indeed
be leveraged for arbitrary code execution.
Below you find links to the patches. Please note that patches were
applied for the master-branch, so they may not all be immediately
applicable to 2.1.5. However, the attached original bug reports give
you all the details for 2.1.5.
* Buffer overflow in updater:
* Buffer overflow in mp4 demuxer:
* Potential buffer overflow in Schroedinger Encoder
* Invalid memory access in rtp code:
* Null-pointer dereference in dmo codec:
I was wondering whether anybody could assign CVEs for these vulnerabilities.
Please note that the following problems were not fixed:
* The potential buffer overflow in the Dirac Encoder was not fixed as
the Dirac encoder no longer exists in the master branch.
* The potential invalid writes in modules/services_discovery/sap.c and
modules/access/ftp.c were not fixed as I did not provide a
trigger. Note that the code looks very similar to the confirmed bug
in rtp_packetize_xiph_config, and so I leave it to you to decide
whether you want to patch this.
I have not attached the triggers mentioned in the report. If anybody is
interested in these, please let me know.
Fabian Yamaguchi - University of Goettingen
We should mark 2.2.0 stable. Comments?
Too soon. Nick only started on this 3 days ago. vlc was a neglected mess. I still can't get it to build on my system, which is why I have had to tread very carefully and bring in extra support for Nick.
This could help:
Changes between 2.1.5 and 2.1.6:
* Fix OSS stuttering
* Fix heap overflow in decomp stream filter
* Fix buffer overflow in updater
* Fix potential buffer overflow in schroedinger encoder
* Fix null-pointer dereference in DMO decoder
* Fix buffer overflow in parsing of string boxes in mp4 demuxer
* Fix SRTP integer overflow
* Fix potential crash in zip access
* Fix read overflow in Ogg demuxer
This confuses the issue all the more. Here we're talking about making 2.2.1 stable and purging the 2.1.x series and you add in a 2.1.6 to the mix. We need to know why the 2.1.x series should be kept at all.
2.1.x series has been dropped for some time now.
Added to existing GLSA.
This issue was resolved and addressed in
GLSA 201603-08 at https://security.gentoo.org/glsa/201603-08
by GLSA coordinator Kristian Fiskerstrand (K_F).