media-video/vlc-3.0.7.1 may be hit by security integer overflow bug CVE-2019-13602
see cve.mitre.org URL above
> Integer underflow is not integer overflow ... never heard of underflow security issues, though.
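For the question above of why an unsigned underflow is a security issue at all: the classic demuxer pattern is "declared size minus header length", and when the declared size is smaller than the header the subtraction wraps to a huge value that later reads trust. The following is an added, constructed illustration of that bug class in C; it is not VLC's mp4 demuxer code and not the patch attached to this bug. The box layout, the names `payload_len_underflowing` and `payload_len_checked`, and the two sample boxes are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed box layout, modelled loosely on an MP4 box header.
 * Illustrative code written for this thread, not VLC's demuxer:
 *   uint32_t size     big-endian, counts the whole box including this header
 *   char     type[4]
 *   uint8_t  payload[size - 8]
 */
#define BOX_HEADER_LEN 8u

static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Buggy pattern: subtract the header length before checking that the
 * declared size is at least that large. With unsigned arithmetic,
 * size = 4 gives 4 - 8 = 0xFFFFFFFC, a huge payload length that a later
 * read or memcpy would trust and walk far past the real buffer. */
uint32_t payload_len_underflowing(const uint8_t *buf, size_t buflen)
{
    if (buflen < BOX_HEADER_LEN)
        return 0;
    uint32_t size = rd_be32(buf);
    return size - BOX_HEADER_LEN;
}

/* Hardened pattern: reject a declared size smaller than the header (the
 * underflow case) and a payload longer than the bytes actually held. */
bool payload_len_checked(const uint8_t *buf, size_t buflen, uint32_t *out)
{
    if (buflen < BOX_HEADER_LEN)
        return false;
    uint32_t size = rd_be32(buf);
    if (size < BOX_HEADER_LEN)
        return false;                    /* subtraction would underflow */
    uint32_t payload = size - BOX_HEADER_LEN;
    if (payload > buflen - BOX_HEADER_LEN)
        return false;                    /* claims more data than present */
    *out = payload;
    return true;
}

/* Constructed inputs: a 'free' box whose declared size (4) is smaller than
 * its own header, and a well-formed 12-byte box with a 4-byte payload. */
static const uint8_t kShortBox[8]  = { 0, 0, 0, 4,  'f', 'r', 'e', 'e' };
static const uint8_t kGoodBox[12]  = { 0, 0, 0, 12, 'f', 'r', 'e', 'e', 1, 2, 3, 4 };

int main(void)
{
    uint32_t n = 0;
    printf("underflowing length: 0x%08x\n",
           payload_len_underflowing(kShortBox, sizeof kShortBox));
    printf("checked short box: %s\n",
           payload_len_checked(kShortBox, sizeof kShortBox, &n) ? "ok" : "rejected");
    if (payload_len_checked(kGoodBox, sizeof kGoodBox, &n))
        printf("checked good box: payload %u bytes\n", n);
    return 0;
}
```

The point of the checked variant is ordering: the comparison against the header length has to happen before the subtraction, because once the value has wrapped no later "is it too big" test can distinguish a malicious 4-byte box from a legitimate 4 GiB one.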
Created attachment 583168 [details, diff]
mp4underflow.patch

The mp4underflow.patch, made out of the two snippets from the references section, works, meaning it patches the file and builds successfully. I am not 100% sure if both snippets are needed ...
Another alert at https://nvd.nist.gov/vuln/detail/CVE-2019-13615
CVE-2019-13615 is an issue in <dev-libs/libebml-1.3.6 and not media-video/vlc. Please see the following tweet from VideoLAN: https://twitter.com/videolan/status/1153963312981389312 So we do not even ship the vulnerable versions anymore and thus CVE-2019-13615 does not affect us.
Debian has used the same patch to fix CVE-2019-13602 here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932131
@Aaron please give a hint: what makes this bug invalid?
(In reply to Ulenrich from comment #7)
> @Aaron
> please give a hint, what this bug makes invalid?

Please see Lars' comments above as well. The issue was falsely reported against VLC and actually resides in libebml, which was fixed already.
CVE-2019-13615, Lars told me, is invalid, and I rewrote the summary. CVE-2019-13602 was patched by videolan.org and Debian took it.
(In reply to Ulenrich from comment #9)
> CVE-2019-13615 Lars told me is invalid - and I rewrote the summary
> CVE-2019-13602 was patched by videolan.org and Debian took it

You are correct, my apologies for not spotting the CVE difference. CVE-2019-13602 does apply here.
integer underflow
Version 3.0.8 is now available with the fixes for all the security issues mentioned before and a few more:

 * Fix a buffer overflow in the MKV demuxer (CVE-2019-14970)
 * Fix a read buffer overflow in the avcodec decoder (CVE-2019-13962)
 * Fix a read buffer overflow in the FAAD decoder
 * Fix a read buffer overflow in the OGG demuxer (CVE-2019-14437, CVE-2019-14438)
 * Fix a read buffer overflow in the ASF demuxer (CVE-2019-14776)
 * Fix a use after free in the MKV demuxer (CVE-2019-14777, CVE-2019-14778)
 * Fix a use after free in the ASF demuxer (CVE-2019-14533)
 * Fix a couple of integer underflows in the MP4 demuxer (CVE-2019-13602)
 * Fix a null dereference in the dvdnav demuxer
 * Fix a null dereference in the ASF demuxer (CVE-2019-14534)
 * Fix a null dereference in the AVI demuxer
 * Fix a division by zero in the CAF demuxer (CVE-2019-14498)
 * Fix a division by zero in the ASF demuxer (CVE-2019-14535)

http://git.videolan.org/?p=vlc/vlc-3.0.git;a=blob_plain;f=NEWS
Summary does not get updated until a fixed version is in the tree.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=621b74398ee71f0f6528bfdb4f976e66aaa4a967

commit 621b74398ee71f0f6528bfdb4f976e66aaa4a967
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-08-24 21:48:38 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-08-25 08:08:27 +0000

    media-video/vlc: 3.0.8 version bump

    Bug: https://bugs.gentoo.org/689974
    Package-Manager: Portage-2.3.73, Repoman-2.3.17
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-video/vlc/Manifest            |   1 +
 media-video/vlc/vlc-3.0.8.ebuild    | 494 ++++++++++++++++++++++++++++++++++++
 media-video/vlc/vlc-3.0.9999.ebuild |   4 +-
 media-video/vlc/vlc-9999.ebuild     |   4 +-
 4 files changed, 499 insertions(+), 4 deletions(-)
arm64 stable
ppc64 stable
ppc stable
x86 stable
amd64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e0f9b51e48e2b964913db6c062842df4c3bb803

commit 3e0f9b51e48e2b964913db6c062842df4c3bb803
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-09-04 08:46:35 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-09-04 08:46:45 +0000

    media-video/vlc: Security cleanup

    Bug: https://bugs.gentoo.org/689974
    Package-Manager: Portage-2.3.75, Repoman-2.3.17
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 media-video/vlc/Manifest           |   1 -
 media-video/vlc/vlc-3.0.7.1.ebuild | 494 -------------------------------------
 2 files changed, 495 deletions(-)
This issue was resolved and addressed in GLSA 201909-02 at https://security.gentoo.org/glsa/201909-02 by GLSA coordinator Thomas Deutschmann (whissi).