Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 688642 (CVE-2019-12874, CVE-2019-5439) - <media-video/vlc-3.0.7: multiple vulnerabilities (CVE-2019-{5439,12874})
Summary: <media-video/vlc-3.0.7: multiple vulnerabilities (CVE-2019-{5439,12874})
Status: RESOLVED FIXED
Alias: CVE-2019-12874, CVE-2019-5439
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.videolan.org/security/sa1...
Whiteboard: A2 [glsa+ cve]
Keywords:
Depends on: 688712
Blocks:
  Show dependency tree
 
Reported: 2019-06-24 19:28 UTC by Alexander Bezrukov
Modified: 2019-08-18 02:27 UTC (History)
2 users (show)

See Also:
Package list:
media-video/vlc-3.0.7.1 media-libs/dav1d-0.3.1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bezrukov 2019-06-24 19:28:44 UTC
media-video/vlc-3.0.6-r1 is currently the only stable version.
It is reported to be affected by heap buffer overflow and double free bugs which can lead in worst case to arbitrary code execution when playing a specially crafted avi or mkv file. Given the fact that content is often distibuted through web, this creates potential for remote vector.

According to the SA, vlc-3.0.7 also fixes arbitrary code execution in AAC files (seems that no CVE assigned).

Reproducible: Always
Comment 1 Agostino Sarubbo gentoo-dev 2019-06-25 08:39:00 UTC
@maintainer:

3.0.7.1 is already out. We can also go directly to 3.0.7.1 if you think is fine
Comment 2 Stabilization helper bot gentoo-dev 2019-06-28 03:02:16 UTC
An automated check of this bug failed - repoman reported dependency errors (107 lines truncated): 

> dependency.bad media-video/vlc/vlc-3.0.7.1.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=media-libs/x264-0.0.20190214:=']
> dependency.bad media-video/vlc/vlc-3.0.7.1.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['>=media-libs/x264-0.0.20190214:=']
> dependency.bad media-video/vlc/vlc-3.0.7.1.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=media-libs/x264-0.0.20190214:=']
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2019-07-01 19:24:19 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-07-02 11:19:22 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2019-07-02 14:22:27 UTC
ppc64 stable
Comment 6 Andreas Sturmlechner gentoo-dev 2019-07-14 22:19:55 UTC
*** Bug 689856 has been marked as a duplicate of this bug. ***
Comment 7 ernsteiswuerfel archtester 2019-07-21 22:55:56 UTC
Looking good on ppc.

# cat vlc-688642.report 
USE tests started on Mi 17. Jul 01:14:25 CEST 2019

FEATURES=' test' USE='' succeeded for =media-video/vlc-3.0.7.1
USE='X -a52 alsa -altivec aom archive -aribsub bidi -bluray cddb -chromaprint chromecast -dbus dc1394 -dts -dvbpsi dvd encode faad -fdk ffmpeg -flac fluidsynth -fontconfig -gcrypt -gme gnome-keyring gstreamer -ieee1394 jack jpeg -kate -libass -libav -libcaca -libnotify -libsamplerate -libtar -libtiger linsys -live -lua -macosx-notifications -mad -matroska modplug -mp3 mpeg mtp -musepack ncurses -nfs ogg omxil opencv -optimisememory opus png postproc -projectm -pulseaudio -qt5 rdp -run-as-root -samba sdl-image sftp -shout -sid -skins soxr -speex srt -ssl -svg -taglib -theora -tremor -truetype twolame -udev upnp -v4l vnc -vorbis vpx -wayland x264 -xml -zeroconf -zvbi' succeeded for =media-video/vlc-3.0.7.1
USE='X a52 alsa altivec aom -archive aribsub bidi -bluray cddb -chromaprint chromecast -dbus dc1394 dts dvbpsi dvd encode faad -fdk ffmpeg flac -fluidsynth -fontconfig -gcrypt gme gnome-keyring -gstreamer ieee1394 jack -jpeg kate -libass -libav libcaca -libnotify libsamplerate -libtar libtiger linsys -live lua macosx-notifications mad -matroska modplug mp3 -mpeg -mtp musepack -ncurses nfs -ogg -omxil -opencv optimisememory -opus png -postproc projectm pulseaudio qt5 -rdp run-as-root samba sdl-image -sftp shout -sid -skins soxr -speex -srt -ssl svg taglib -theora tremor -truetype -twolame -udev upnp -v4l vnc vorbis -vpx wayland x264 -xml -zeroconf -zvbi' succeeded for =media-video/vlc-3.0.7.1
USE='-X a52 alsa -altivec aom -archive aribsub bidi -bluray -cddb -chromaprint -chromecast -dbus -dc1394 -dts -dvbpsi -dvd encode -faad -fdk -ffmpeg flac -fluidsynth -fontconfig -gcrypt -gme -gnome-keyring -gstreamer -ieee1394 -jack jpeg kate libass -libav -libcaca libnotify libsamplerate -libtar libtiger linsys live lua -macosx-notifications -mad matroska -modplug -mp3 -mpeg -mtp musepack ncurses nfs ogg -omxil opencv -optimisememory -opus -png -postproc projectm pulseaudio qt5 -rdp -run-as-root -samba -sdl-image sftp -shout -sid -skins -soxr -speex srt -ssl -svg -taglib -theora tremor truetype twolame udev -upnp v4l vnc vorbis vpx wayland x264 -xml -zeroconf -zvbi' succeeded for =media-video/vlc-3.0.7.1
USE='X -a52 alsa -altivec aom -archive -aribsub -bidi -bluray -cddb -chromaprint -chromecast -dbus dc1394 dts -dvbpsi -dvd encode -faad fdk ffmpeg -flac -fluidsynth fontconfig -gcrypt -gme gnome-keyring -gstreamer ieee1394 -jack jpeg -kate libass -libav -libcaca libnotify -libsamplerate -libtar -libtiger -linsys -live -lua macosx-notifications mad -matroska modplug mp3 mpeg -mtp -musepack ncurses -nfs -ogg omxil opencv -optimisememory opus png postproc projectm -pulseaudio -qt5 rdp -run-as-root -samba -sdl-image -sftp shout -sid -skins -soxr -speex -srt -ssl svg taglib theora tremor truetype -twolame udev upnp v4l -vnc vorbis vpx wayland -x264 xml -zeroconf -zvbi' succeeded for =media-video/vlc-3.0.7.1
USE='X a52 alsa altivec -aom -archive aribsub -bidi -bluray cddb -chromaprint -chromecast -dbus dc1394 -dts dvbpsi dvd -encode faad -fdk ffmpeg -flac fluidsynth -fontconfig gcrypt gme -gnome-keyring gstreamer ieee1394 jack jpeg kate -libass -libav -libcaca libnotify libsamplerate -libtar libtiger -linsys -live lua -macosx-notifications -mad matroska -modplug mp3 mpeg mtp musepack -ncurses -nfs ogg omxil opencv -optimisememory -opus png postproc -projectm pulseaudio qt5 rdp run-as-root -samba -sdl-image -sftp -shout -sid -skins soxr -speex -srt -ssl svg taglib -theora tremor truetype twolame -udev -upnp v4l -vnc vorbis vpx -wayland -x264 -xml zeroconf -zvbi' succeeded for =media-video/vlc-3.0.7.1
USE='-X -a52 -alsa -altivec aom -archive aribsub bidi bluray cddb -chromaprint -chromecast -dbus -dc1394 dts -dvbpsi -dvd -encode -faad fdk ffmpeg flac -fluidsynth -fontconfig gcrypt -gme -gnome-keyring gstreamer ieee1394 -jack -jpeg kate libass -libav -libcaca libnotify libsamplerate -libtar -libtiger linsys live -lua macosx-notifications -mad matroska -modplug mp3 mpeg mtp -musepack ncurses -nfs ogg omxil opencv optimisememory -opus png -postproc projectm -pulseaudio qt5 -rdp run-as-root -samba -sdl-image sftp -shout sid -skins soxr -speex srt -ssl svg -taglib theora -tremor -truetype twolame udev -upnp v4l vnc vorbis vpx wayland x264 -xml zeroconf -zvbi' succeeded for =media-video/vlc-3.0.7.1
USE='-X -a52 -alsa altivec aom -archive -aribsub -bidi bluray -cddb chromaprint -chromecast dbus -dc1394 -dts -dvbpsi dvd encode -faad -fdk ffmpeg -flac fluidsynth fontconfig gcrypt gme -gnome-keyring gstreamer ieee1394 jack jpeg -kate -libass -libav -libcaca libnotify -libsamplerate -libtar -libtiger -linsys live lua macosx-notifications -mad -matroska -modplug mp3 -mpeg mtp -musepack ncurses -nfs ogg -omxil -opencv optimisememory opus png -postproc -projectm pulseaudio qt5 rdp -run-as-root samba -sdl-image -sftp shout sid -skins -soxr -speex srt ssl -svg -taglib -theora -tremor truetype twolame -udev upnp v4l -vnc vorbis vpx wayland -x264 xml zeroconf -zvbi' succeeded for =media-video/vlc-3.0.7.1
USE='X -a52 alsa -altivec -aom archive -aribsub bidi bluray -cddb chromaprint -chromecast dbus dc1394 -dts -dvbpsi dvd -encode faad fdk ffmpeg -flac -fluidsynth -fontconfig -gcrypt gme gnome-keyring -gstreamer -ieee1394 jack -jpeg kate -libass -libav -libcaca libnotify -libsamplerate -libtar libtiger -linsys live lua macosx-notifications -mad -matroska modplug mp3 -mpeg mtp -musepack ncurses -nfs ogg omxil -opencv optimisememory -opus -png postproc -projectm pulseaudio -qt5 rdp -run-as-root -samba sdl-image -sftp shout sid -skins -soxr speex srt -ssl svg -taglib -theora -tremor -truetype twolame udev upnp v4l vnc -vorbis vpx -wayland x264 -xml -zeroconf zvbi' succeeded for =media-video/vlc-3.0.7.1
USE='X -a52 alsa -altivec aom -archive -aribsub -bidi -bluray -cddb -chromaprint -chromecast dbus -dc1394 -dts -dvbpsi dvd -encode -faad fdk ffmpeg -flac fluidsynth fontconfig gcrypt -gme gnome-keyring gstreamer -ieee1394 jack jpeg kate libass -libav -libcaca -libnotify -libsamplerate -libtar -libtiger -linsys live lua macosx-notifications mad -matroska modplug mp3 mpeg -mtp musepack ncurses nfs ogg omxil opencv -optimisememory -opus png -postproc projectm pulseaudio qt5 rdp run-as-root samba -sdl-image sftp -shout -sid -skins soxr -speex -srt -ssl -svg -taglib -theora -tremor truetype twolame udev -upnp v4l vnc -vorbis -vpx -wayland -x264 xml -zeroconf zvbi' succeeded for =media-video/vlc-3.0.7.1
USE='-X -a52 alsa -altivec -aom -archive aribsub -bidi bluray cddb -chromaprint -chromecast dbus dc1394 -dts dvbpsi -dvd encode faad fdk ffmpeg flac -fluidsynth fontconfig gcrypt -gme -gnome-keyring gstreamer ieee1394 jack jpeg kate -libass -libav -libcaca libnotify libsamplerate -libtar -libtiger -linsys -live -lua macosx-notifications mad matroska modplug -mp3 -mpeg -mtp -musepack ncurses nfs -ogg -omxil opencv -optimisememory opus png -postproc -projectm -pulseaudio qt5 rdp run-as-root samba -sdl-image sftp shout -sid -skins soxr speex srt ssl svg -taglib theora tremor truetype -twolame -udev upnp -v4l -vnc vorbis vpx -wayland -x264 xml zeroconf zvbi' succeeded for =media-video/vlc-3.0.7.1
USE='X -a52 alsa altivec -aom -archive -aribsub -bidi -bluray -cddb -chromaprint -chromecast dbus dc1394 dts -dvbpsi -dvd -encode faad -fdk -ffmpeg flac -fluidsynth -fontconfig gcrypt -gme -gnome-keyring -gstreamer -ieee1394 -jack jpeg -kate libass -libav -libcaca -libnotify -libsamplerate -libtar -libtiger -linsys -live lua macosx-notifications mad -matroska -modplug -mp3 mpeg mtp musepack ncurses nfs ogg omxil -opencv optimisememory -opus png -postproc -projectm pulseaudio -qt5 rdp run-as-root samba -sdl-image sftp shout -sid -skins soxr -speex -srt ssl -svg taglib -theora -tremor truetype -twolame udev upnp -v4l vnc -vorbis -vpx wayland x264 xml zeroconf zvbi' succeeded for =media-video/vlc-3.0.7.1
USE='X -a52 alsa altivec -aom archive aribsub bidi bluray cddb chromaprint -chromecast -dbus dc1394 dts -dvbpsi -dvd encode faad fdk -ffmpeg -flac -fluidsynth -fontconfig gcrypt -gme -gnome-keyring gstreamer -ieee1394 -jack -jpeg -kate -libass libav -libcaca libnotify libsamplerate -libtar -libtiger linsys -live -lua macosx-notifications mad matroska modplug -mp3 -mpeg -mtp musepack -ncurses -nfs ogg omxil opencv -optimisememory -opus png -postproc -projectm pulseaudio -qt5 -rdp -run-as-root samba -sdl-image -sftp shout sid -skins -soxr speex srt ssl svg -taglib theora -tremor truetype -twolame -udev upnp -v4l -vnc vorbis vpx wayland x264 xml zeroconf zvbi' succeeded for =media-video/vlc-3.0.7.1

FEATURES=' test' USE='' succeeded for =media-libs/dav1d-0.3.1
USE='-10bit -8bit -asm' succeeded for =media-libs/dav1d-0.3.1
USE='10bit -8bit -asm' succeeded for =media-libs/dav1d-0.3.1
USE='-10bit 8bit -asm' succeeded for =media-libs/dav1d-0.3.1
USE='10bit 8bit -asm' succeeded for =media-libs/dav1d-0.3.1
USE='-10bit -8bit asm' succeeded for =media-libs/dav1d-0.3.1
USE='10bit -8bit asm' succeeded for =media-libs/dav1d-0.3.1
USE='-10bit 8bit asm' succeeded for =media-libs/dav1d-0.3.1
USE='10bit 8bit asm' succeeded for =media-libs/dav1d-0.3.1

revdep tests started on Mo 22. Jul 00:46:20 CEST 2019

FEATURES=' test' USE='dav1d' succeeded for media-video/ffmpeg
FEATURES=' test' USE='dav1d' succeeded for media-video/vlc
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2019-07-22 00:03:00 UTC
arm64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2019-07-26 09:16:20 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 10 Larry the Git Cow gentoo-dev 2019-08-01 15:34:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=552671e74c9871abb81f1505e8f56b29f769be28

commit 552671e74c9871abb81f1505e8f56b29f769be28
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-08-01 15:34:07 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-08-01 15:34:37 +0000

    media-video/vlc: Security cleanup
    
    Bug: https://bugs.gentoo.org/688642
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 media-video/vlc/Manifest                           |   1 -
 media-video/vlc/files/vlc-3.0.6-libav.patch        |  12 -
 media-video/vlc/files/vlc-3.0.6-libvpx-1.8.0.patch |  35 --
 media-video/vlc/files/vlc-3.0.6-sftp.patch         |  24 -
 media-video/vlc/metadata.xml                       |   2 -
 media-video/vlc/vlc-3.0.6-r1.ebuild                | 502 ---------------------
 6 files changed, 576 deletions(-)
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2019-08-18 02:27:22 UTC
This issue was resolved and addressed in
 GLSA 201908-23 at https://security.gentoo.org/glsa/201908-23
by GLSA coordinator Aaron Bauman (b-man).