Bug 537154 (CVE-2014-9625) - <media-video/vlc-2.1.5: Multiple vulnerabilities (CVE-2014-{9597,9598,9625,9626,9627,9628,9629,9630},CVE-2015-{1202,1203})
Summary: <media-video/vlc-2.1.5: Multiple vulnerabilities (CVE-2014-{9597,9598,9625,96...
Alias: CVE-2014-9625
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Depends on:
Reported: 2015-01-20 17:30 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2016-03-12 12:07 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---


Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-01-20 17:30:06 UTC
From ${URL}:

Hi oss-security,

(please note, I'm not on the list.)

I recently discovered a couple of vulnerabilities in the latest stable
version of VLC (2.1.5), reported them to the developers and also
provided patches, most of which were applied. The most critical issues
are a buffer-overflow in the mp4-demuxer and another in the automatic
updater. For the last flaw, I also showed at 31C3 that it can indeed
be leveraged for arbitrary code execution.

Below you find links to the patches. Please note, that patches were
applied for the master-branch, so they may not all be immediately
applicable to 2.1.5. However, the attached original bug reports give
you all the details for 2.1.5.

* Buffer overflow in updater:

* Buffer overflow in mp4 demuxer:

* Potential buffer overflow in Schroedinger Encoder

* Invalid memory access in rtp code:

* Null-pointer dereference in dmo codec:

I was wondering whether anybody could assign CVEs for these vulnerabilities.

Please note that the following problems were not fixed:

* The potential buffer overflow in the Dirac Encoder was not fixed as
  the Dirac encoder no longer exists in the master branch.
* The potential invalid writes in modules/services_discovery/sap.c and
  modules/access/ftp.c were not fixed as I did not provide a
  trigger. Note, that the code looks very similar to the confirmed bug
  in rtp_packetize_xiph_config, and so I leave it to you to decide
  whether you want to patch this.

I have not attached the triggers mentioned in the report. If anybody is
interested in these, please let me know.

Kind Regards,
Fabian Yamaguchi - University of Goettingen
Comment 1 Ben de Groot (RETIRED) gentoo-dev 2015-04-19 04:47:15 UTC
We should mark 2.2.0 stable. Comments?
Comment 2 Ian Delaney (RETIRED) gentoo-dev 2015-04-19 14:24:30 UTC
Too soon. Nick only started on this 3 days ago. vlc was a neglected mess. I still can't get it to build on my system which is why I have had to tread very carefully and bring in extra support for Nick.
Comment 3 jospezial 2015-05-05 00:27:12 UTC
This could help:

Changes between 2.1.5 and 2.1.6:

Audio output:
 * Fix OSS stuttering

 * Fix heap overflow in decomp stream filter
 * Fix buffer overflow in updater
 * Fix potential buffer overflow in schroedinger encoder
 * Fix null-pointer dereference in DMO decoder
 * Fix buffer overflow in parsing of string boxes in mp4 demuxer
 * Fix SRTP integer overflow
 * Fix potential crash in zip access
 * Fix read overflow in Ogg demuxer
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2015-05-06 12:27:15 UTC
This confuses the issue all the more. Here we're talking about making 2.2.1 stable and purging the 2.1.x series and you add in a 2.1.6 to the mix. We need to know why the 2.1.x series should be kept at all.
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-03-12 08:45:09 UTC
2.1.x series has been dropped for some time now.
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-03-12 08:45:25 UTC
Added to existing GLSA.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2016-03-12 12:07:57 UTC
This issue was resolved and addressed in
 GLSA 201603-08 at
by GLSA coordinator Kristian Fiskerstrand (K_F).