media-video/vlc-3.0.6-r1 is currently the only stable version. It is reported to be affected by heap buffer overflow and double free bugs which can lead in the worst case to arbitrary code execution when playing a specially crafted avi or mkv file. Given the fact that content is often distributed through the web, this creates the potential for a remote vector. According to the SA, vlc-3.0.7 also fixes arbitrary code execution in AAC files (it seems that no CVE was assigned). Reproducible: Always
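An added check for the affected range described in this report (example code written for this thread, not Gentoo's or VLC's own): given installed-package lines in the form `qlist -Iv` prints them, it decides which media-video/vlc versions still predate the 3.0.7 fix, using the Gentoo version syntax that appears here (dotted numeric components plus an optional -rN revision). `FIXED_IN`, `is_affected`, `affected_from_qlist` and the sample qlist output are the example's own names and constructed data; only the version strings 3.0.6-r1, 3.0.7 and 3.0.7.1 come from the thread.

```python
import re

# Versions below this one are the ones this bug covers (3.0.6-r1 is affected,
# 3.0.7 carries the fixes, 3.0.7.1 is the version that was then stabilised).
FIXED_IN = "3.0.7"

# Gentoo version syntax handled here: dotted numeric components plus an
# optional -rN revision.  Suffixes such as _rc1 or a trailing letter are
# deliberately rejected (assumption: none appear in this thread), so the
# caller notices rather than getting a silently wrong comparison.
_VERSION_RE = re.compile(r"^(?P<num>\d+(?:\.\d+)*)(?:-r(?P<rev>\d+))?$")


def parse_version(version):
    """Return a sortable key (numeric components, revision) for a version."""
    m = _VERSION_RE.match(version)
    if m is None:
        raise ValueError("unsupported version syntax: %r" % version)
    parts = tuple(int(p) for p in m.group("num").split("."))
    rev = int(m.group("rev") or 0)
    return parts, rev


def compare(a, b):
    """-1, 0 or 1 like strcmp.  Numeric components compare left to right, a
    longer version wins when the common prefix is equal (3.0.7 < 3.0.7.1),
    and -rN only breaks ties between otherwise equal versions."""
    ka, kb = parse_version(a), parse_version(b)
    return (ka > kb) - (ka < kb)


def is_affected(version, fixed_in=FIXED_IN):
    """True when the given media-video/vlc version predates the fix."""
    return compare(version, fixed_in) < 0


def affected_from_qlist(output, package="media-video/vlc"):
    """Scan 'category/pkg-version' lines (what `qlist -Iv` prints) and return
    the installed versions of `package` that are still affected."""
    prefix = package + "-"
    affected = []
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith(prefix):
            continue
        version = line[len(prefix):]
        if is_affected(version):
            affected.append(version)
    return affected


# Constructed sample output, not captured from a real system.
SAMPLE_QLIST = """\
media-libs/dav1d-0.3.1
media-video/ffmpeg-4.1.4
media-video/vlc-3.0.6-r1
"""

if __name__ == "__main__":
    for v in ("3.0.6-r1", "3.0.7", "3.0.7.1"):
        print(v, "affected" if is_affected(v) else "fixed")
    print("affected installed versions:", affected_from_qlist(SAMPLE_QLIST))
```

On a real Gentoo box the input would come from `qlist -Iv media-video/vlc` (portage-utils); once the GLSA is published, `glsa-check -t all` (gentoolkit) performs the same affected-range test from the advisory itself and is the tool to rely on.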
@maintainer: 3.0.7.1 is already out. We can also go directly to 3.0.7.1 if you think it is fine.
An automated check of this bug failed - repoman reported dependency errors (107 lines truncated):
> dependency.bad media-video/vlc/vlc-3.0.7.1.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=media-libs/x264-0.0.20190214:=']
> dependency.bad media-video/vlc/vlc-3.0.7.1.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['>=media-libs/x264-0.0.20190214:=']
> dependency.bad media-video/vlc/vlc-3.0.7.1.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=media-libs/x264-0.0.20190214:=']
x86 stable
amd64 stable
ppc64 stable
*** Bug 689856 has been marked as a duplicate of this bug. ***
Looking good on ppc.

# cat vlc-688642.report
USE tests started on Wed 17 Jul 01:14:25 CEST 2019
FEATURES=' test' USE='' succeeded for =media-video/vlc-3.0.7.1
USE='X -a52 alsa -altivec aom archive -aribsub bidi -bluray cddb -chromaprint chromecast -dbus dc1394 -dts -dvbpsi dvd encode faad -fdk ffmpeg -flac fluidsynth -fontconfig -gcrypt -gme gnome-keyring gstreamer -ieee1394 jack jpeg -kate -libass -libav -libcaca -libnotify -libsamplerate -libtar -libtiger linsys -live -lua -macosx-notifications -mad -matroska modplug -mp3 mpeg mtp -musepack ncurses -nfs ogg omxil opencv -optimisememory opus png postproc -projectm -pulseaudio -qt5 rdp -run-as-root -samba sdl-image sftp -shout -sid -skins soxr -speex srt -ssl -svg -taglib -theora -tremor -truetype twolame -udev upnp -v4l vnc -vorbis vpx -wayland x264 -xml -zeroconf -zvbi' succeeded for =media-video/vlc-3.0.7.1
USE='X a52 alsa altivec aom -archive aribsub bidi -bluray cddb -chromaprint chromecast -dbus dc1394 dts dvbpsi dvd encode faad -fdk ffmpeg flac -fluidsynth -fontconfig -gcrypt gme gnome-keyring -gstreamer ieee1394 jack -jpeg kate -libass -libav libcaca -libnotify libsamplerate -libtar libtiger linsys -live lua macosx-notifications mad -matroska modplug mp3 -mpeg -mtp musepack -ncurses nfs -ogg -omxil -opencv optimisememory -opus png -postproc projectm pulseaudio qt5 -rdp run-as-root samba sdl-image -sftp shout -sid -skins soxr -speex -srt -ssl svg taglib -theora tremor -truetype -twolame -udev upnp -v4l vnc vorbis -vpx wayland x264 -xml -zeroconf -zvbi' succeeded for =media-video/vlc-3.0.7.1
USE='-X a52 alsa -altivec aom -archive aribsub bidi -bluray -cddb -chromaprint -chromecast -dbus -dc1394 -dts -dvbpsi -dvd encode -faad -fdk -ffmpeg flac -fluidsynth -fontconfig -gcrypt -gme -gnome-keyring -gstreamer -ieee1394 -jack jpeg kate libass -libav -libcaca libnotify libsamplerate -libtar libtiger linsys live lua -macosx-notifications -mad matroska -modplug -mp3 -mpeg -mtp musepack ncurses nfs ogg -omxil opencv -optimisememory -opus -png -postproc projectm pulseaudio qt5 -rdp -run-as-root -samba -sdl-image sftp -shout -sid -skins -soxr -speex srt -ssl -svg -taglib -theora tremor truetype twolame udev -upnp v4l vnc vorbis vpx wayland x264 -xml -zeroconf -zvbi' succeeded for =media-video/vlc-3.0.7.1
USE='X -a52 alsa -altivec aom -archive -aribsub -bidi -bluray -cddb -chromaprint -chromecast -dbus dc1394 dts -dvbpsi -dvd encode -faad fdk ffmpeg -flac -fluidsynth fontconfig -gcrypt -gme gnome-keyring -gstreamer ieee1394 -jack jpeg -kate libass -libav -libcaca libnotify -libsamplerate -libtar -libtiger -linsys -live -lua macosx-notifications mad -matroska modplug mp3 mpeg -mtp -musepack ncurses -nfs -ogg omxil opencv -optimisememory opus png postproc projectm -pulseaudio -qt5 rdp -run-as-root -samba -sdl-image -sftp shout -sid -skins -soxr -speex -srt -ssl svg taglib theora tremor truetype -twolame udev upnp v4l -vnc vorbis vpx wayland -x264 xml -zeroconf -zvbi' succeeded for =media-video/vlc-3.0.7.1
USE='X a52 alsa altivec -aom -archive aribsub -bidi -bluray cddb -chromaprint -chromecast -dbus dc1394 -dts dvbpsi dvd -encode faad -fdk ffmpeg -flac fluidsynth -fontconfig gcrypt gme -gnome-keyring gstreamer ieee1394 jack jpeg kate -libass -libav -libcaca libnotify libsamplerate -libtar libtiger -linsys -live lua -macosx-notifications -mad matroska -modplug mp3 mpeg mtp musepack -ncurses -nfs ogg omxil opencv -optimisememory -opus png postproc -projectm pulseaudio qt5 rdp run-as-root -samba -sdl-image -sftp -shout -sid -skins soxr -speex -srt -ssl svg taglib -theora tremor truetype twolame -udev -upnp v4l -vnc vorbis vpx -wayland -x264 -xml zeroconf -zvbi' succeeded for =media-video/vlc-3.0.7.1
USE='-X -a52 -alsa -altivec aom -archive aribsub bidi bluray cddb -chromaprint -chromecast -dbus -dc1394 dts -dvbpsi -dvd -encode -faad fdk ffmpeg flac -fluidsynth -fontconfig gcrypt -gme -gnome-keyring gstreamer ieee1394 -jack -jpeg kate libass -libav -libcaca libnotify libsamplerate -libtar -libtiger linsys live -lua macosx-notifications -mad matroska -modplug mp3 mpeg mtp -musepack ncurses -nfs ogg omxil opencv optimisememory -opus png -postproc projectm -pulseaudio qt5 -rdp run-as-root -samba -sdl-image sftp -shout sid -skins soxr -speex srt -ssl svg -taglib theora -tremor -truetype twolame udev -upnp v4l vnc vorbis vpx wayland x264 -xml zeroconf -zvbi' succeeded for =media-video/vlc-3.0.7.1
USE='-X -a52 -alsa altivec aom -archive -aribsub -bidi bluray -cddb chromaprint -chromecast dbus -dc1394 -dts -dvbpsi dvd encode -faad -fdk ffmpeg -flac fluidsynth fontconfig gcrypt gme -gnome-keyring gstreamer ieee1394 jack jpeg -kate -libass -libav -libcaca libnotify -libsamplerate -libtar -libtiger -linsys live lua macosx-notifications -mad -matroska -modplug mp3 -mpeg mtp -musepack ncurses -nfs ogg -omxil -opencv optimisememory opus png -postproc -projectm pulseaudio qt5 rdp -run-as-root samba -sdl-image -sftp shout sid -skins -soxr -speex srt ssl -svg -taglib -theora -tremor truetype twolame -udev upnp v4l -vnc vorbis vpx wayland -x264 xml zeroconf -zvbi' succeeded for =media-video/vlc-3.0.7.1
USE='X -a52 alsa -altivec -aom archive -aribsub bidi bluray -cddb chromaprint -chromecast dbus dc1394 -dts -dvbpsi dvd -encode faad fdk ffmpeg -flac -fluidsynth -fontconfig -gcrypt gme gnome-keyring -gstreamer -ieee1394 jack -jpeg kate -libass -libav -libcaca libnotify -libsamplerate -libtar libtiger -linsys live lua macosx-notifications -mad -matroska modplug mp3 -mpeg mtp -musepack ncurses -nfs ogg omxil -opencv optimisememory -opus -png postproc -projectm pulseaudio -qt5 rdp -run-as-root -samba sdl-image -sftp shout sid -skins -soxr speex srt -ssl svg -taglib -theora -tremor -truetype twolame udev upnp v4l vnc -vorbis vpx -wayland x264 -xml -zeroconf zvbi' succeeded for =media-video/vlc-3.0.7.1
USE='X -a52 alsa -altivec aom -archive -aribsub -bidi -bluray -cddb -chromaprint -chromecast dbus -dc1394 -dts -dvbpsi dvd -encode -faad fdk ffmpeg -flac fluidsynth fontconfig gcrypt -gme gnome-keyring gstreamer -ieee1394 jack jpeg kate libass -libav -libcaca -libnotify -libsamplerate -libtar -libtiger -linsys live lua macosx-notifications mad -matroska modplug mp3 mpeg -mtp musepack ncurses nfs ogg omxil opencv -optimisememory -opus png -postproc projectm pulseaudio qt5 rdp run-as-root samba -sdl-image sftp -shout -sid -skins soxr -speex -srt -ssl -svg -taglib -theora -tremor truetype twolame udev -upnp v4l vnc -vorbis -vpx -wayland -x264 xml -zeroconf zvbi' succeeded for =media-video/vlc-3.0.7.1
USE='-X -a52 alsa -altivec -aom -archive aribsub -bidi bluray cddb -chromaprint -chromecast dbus dc1394 -dts dvbpsi -dvd encode faad fdk ffmpeg flac -fluidsynth fontconfig gcrypt -gme -gnome-keyring gstreamer ieee1394 jack jpeg kate -libass -libav -libcaca libnotify libsamplerate -libtar -libtiger -linsys -live -lua macosx-notifications mad matroska modplug -mp3 -mpeg -mtp -musepack ncurses nfs -ogg -omxil opencv -optimisememory opus png -postproc -projectm -pulseaudio qt5 rdp run-as-root samba -sdl-image sftp shout -sid -skins soxr speex srt ssl svg -taglib theora tremor truetype -twolame -udev upnp -v4l -vnc vorbis vpx -wayland -x264 xml zeroconf zvbi' succeeded for =media-video/vlc-3.0.7.1
USE='X -a52 alsa altivec -aom -archive -aribsub -bidi -bluray -cddb -chromaprint -chromecast dbus dc1394 dts -dvbpsi -dvd -encode faad -fdk -ffmpeg flac -fluidsynth -fontconfig gcrypt -gme -gnome-keyring -gstreamer -ieee1394 -jack jpeg -kate libass -libav -libcaca -libnotify -libsamplerate -libtar -libtiger -linsys -live lua macosx-notifications mad -matroska -modplug -mp3 mpeg mtp musepack ncurses nfs ogg omxil -opencv optimisememory -opus png -postproc -projectm pulseaudio -qt5 rdp run-as-root samba -sdl-image sftp shout -sid -skins soxr -speex -srt ssl -svg taglib -theora -tremor truetype -twolame udev upnp -v4l vnc -vorbis -vpx wayland x264 xml zeroconf zvbi' succeeded for =media-video/vlc-3.0.7.1
USE='X -a52 alsa altivec -aom archive aribsub bidi bluray cddb chromaprint -chromecast -dbus dc1394 dts -dvbpsi -dvd encode faad fdk -ffmpeg -flac -fluidsynth -fontconfig gcrypt -gme -gnome-keyring gstreamer -ieee1394 -jack -jpeg -kate -libass libav -libcaca libnotify libsamplerate -libtar -libtiger linsys -live -lua macosx-notifications mad matroska modplug -mp3 -mpeg -mtp musepack -ncurses -nfs ogg omxil opencv -optimisememory -opus png -postproc -projectm pulseaudio -qt5 -rdp -run-as-root samba -sdl-image -sftp shout sid -skins -soxr speex srt ssl svg -taglib theora -tremor truetype -twolame -udev upnp -v4l -vnc vorbis vpx wayland x264 xml zeroconf zvbi' succeeded for =media-video/vlc-3.0.7.1
FEATURES=' test' USE='' succeeded for =media-libs/dav1d-0.3.1
USE='-10bit -8bit -asm' succeeded for =media-libs/dav1d-0.3.1
USE='10bit -8bit -asm' succeeded for =media-libs/dav1d-0.3.1
USE='-10bit 8bit -asm' succeeded for =media-libs/dav1d-0.3.1
USE='10bit 8bit -asm' succeeded for =media-libs/dav1d-0.3.1
USE='-10bit -8bit asm' succeeded for =media-libs/dav1d-0.3.1
USE='10bit -8bit asm' succeeded for =media-libs/dav1d-0.3.1
USE='-10bit 8bit asm' succeeded for =media-libs/dav1d-0.3.1
USE='10bit 8bit asm' succeeded for =media-libs/dav1d-0.3.1
revdep tests started on Mon 22 Jul 00:46:20 CEST 2019
FEATURES=' test' USE='dav1d' succeeded for media-video/ffmpeg
FEATURES=' test' USE='dav1d' succeeded for media-video/vlc
arm64 stable
ppc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=552671e74c9871abb81f1505e8f56b29f769be28

commit 552671e74c9871abb81f1505e8f56b29f769be28
Author: Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-08-01 15:34:07 +0000
Commit: Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-08-01 15:34:37 +0000

    media-video/vlc: Security cleanup

    Bug: https://bugs.gentoo.org/688642
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-video/vlc/Manifest                           |   1 -
 media-video/vlc/files/vlc-3.0.6-libav.patch        |  12 -
 media-video/vlc/files/vlc-3.0.6-libvpx-1.8.0.patch |  35 --
 media-video/vlc/files/vlc-3.0.6-sftp.patch         |  24 -
 media-video/vlc/metadata.xml                       |   2 -
 media-video/vlc/vlc-3.0.6-r1.ebuild                | 502 --------------------
 6 files changed, 576 deletions(-)
This issue was resolved and addressed in GLSA 201908-23 at https://security.gentoo.org/glsa/201908-23 by GLSA coordinator Aaron Bauman (b-man).