Bug 13705

Summary: live555 buffer overflow, mplayer playlist issue, vlc buffer overflow (CVE-2013-4388) and more
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: fundawang, mageia, shlomif, sysadmin-bugs, wilcal.int
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/604681/
Whiteboard: MGA3TOO advisory MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
Source RPM: live, mplayer, vlc CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 10478    

Description David Walser 2014-07-08 19:20:23 CEST 
Debian has issued an advisory on July 7:
https://www.debian.org/security/2014/dsa-2973

The first 2 CVEs there are already fixed in both Mageia 3 and Mageia 4.

CVE-2013-4388 is fixed in Mageia 4, but for Mageia 3 it would need to be updated to at least 2.0.9, where that one was fixed upstream.

The NEWS file also lists a modplug issue fixed in 2.0.9, but we build against system modplug, so that'd be a non-issue:
http://www.videolan.org/developers/vlc-branch/NEWS

There is a 2.0.10 that we could possibly update to.  The only thing the NEWS file lists for that that looks security relevant is:
"Add protection against several potential heap buffer overflow in libebml"

However, the only commit in GIT I can find that seems to refer to that was in the 2.0.8 release (see "Check element size before reading it"):
http://git.videolan.org/?p=vlc/vlc-2.0.git;a=shortlog

That GIT log for the 2.0 branch also mentions that updates the bundled live555 to 2013.11.26 for "security issues" for which it does not give any further information.  Our package is built against the system live, which is older than 2013.11.26 in both Mageia 3 and Mageia 4, so perhaps we need to update it.

The GIT log for 2.0 also lists "vlc_readdir: fix integer overflow on error."

For Mageia 4, looking at the NEWS file again, it lists this for 2.1.3:
"Fix integer overflow on error when using vlc_readdir"
"Avoid an infinite recursion in MKV tags parsing"

both of which could indicate security issues.

For 2.1.5 it lists fixes for bundled libpng and gnutls libraries.  We do have a BR for gnutls-devel.  We don't have one for png-devel, but perhaps it's getting pulled in by another BR, as vlc-plugin-common is linked to the system png library on both Mageia 3 and Mageia 4.

There does not appear to be anything else security relevant in the git logs for the 2.1 branch.

In summary, we should probably update to VLC 2.0.10 on Mageia 3 and VLC 2.1.5 on Mageia 4, as well as updating live555 (live package) to the current version (which I also need to update in Cauldron).  FWIW, VLC 2.0.10 bundles 2014.01.21 and VLC 2.1.5 bundles 2014.05.27.

Reproducible: 

Steps to Reproduce:
David Walser 2014-07-08 19:20:34 CEST

CC: (none) => fundawang
Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-07-11 21:53:21 CEST 
The upstream changelog for live555 mentions the security issue:
http://live555.com/liveMedia/public/changelog.txt

See the entries under 2013.11.26 and 2013.11.29.

The live555 code is statically compiled into both mplayer and vlc, so after submitting an updated build for the live package (done), I need to submit rebuilds for mplayer and the updates for vlc.
Comment 2 David Walser 2014-07-11 23:24:23 CEST 
Updated live and vlc packages and rebuilt mplayer packages uploaded for Mageia 3 and Mageia 4.

Please note that there are core and tainted builds for vlc and mplayer.

Advisory:
========================

Updated live, mplayer, and vlc packages fix security vulnerabilities:

The live555 RTSP streaming server and client libraries before 2013.11.29 are
vulnerable to buffer overflows in RTSP command parsing that potentially allow
for arbitrary code execution when connected to a malicious client or server.

The RTSP client streaming code in the mplayer and vlc packages is built from
the live555 code in the live package.  They have been rebuilt with the updated
live packages.

The vlc packages have also been updated to 2.0.10 for Mageia 3 and 2.1.5 for
Mageia 4, fixing several other bugs and potential security issues.  The Mageia
3 update fixes a buffer overflow in the mp4a packetizer (CVE-2013-4388) that
was fixed upstream in 2.0.9.

Finally, the mplayer update for Mageia 3 includes two upstream patches; one
disables playlist parsing for security reasons and the other fixes mp3
decoding cutting out early (mga#10478).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4388
http://live555.com/liveMedia/public/changelog.txt
http://www.videolan.org/developers/vlc-branch/NEWS
http://lists.mplayerhq.hu/pipermail/mplayer-announce/2013-May/000070.html
https://www.debian.org/security/2014/dsa-2973
https://bugs.mageia.org/show_bug.cgi?id=10478
https://bugs.mageia.org/show_bug.cgi?id=13705
========================

Updated packages in core/updates_testing:
========================
live-2014.07.04-1.mga3
live-devel-2014.07.04-1.mga3
live-2014.07.04-1.mga4
live-devel-2014.07.04-1.mga4

Updated packages in {core,tainted}/updates_testing:
========================
vlc-2.0.10-1.mga3
libvlc5-2.0.10-1.mga3
libvlccore5-2.0.10-1.mga3
libvlc-devel-2.0.10-1.mga3
vlc-plugin-common-2.0.10-1.mga3
vlc-plugin-zvbi-2.0.10-1.mga3
vlc-plugin-kate-2.0.10-1.mga3
vlc-plugin-libass-2.0.10-1.mga3
vlc-plugin-lua-2.0.10-1.mga3
vlc-plugin-ncurses-2.0.10-1.mga3
vlc-plugin-lirc-2.0.10-1.mga3
svlc-2.0.10-1.mga3
vlc-plugin-aa-2.0.10-1.mga3
vlc-plugin-sdl-2.0.10-1.mga3
vlc-plugin-shout-2.0.10-1.mga3
vlc-plugin-opengl-2.0.10-1.mga3
vlc-plugin-projectm-2.0.10-1.mga3
vlc-plugin-theora-2.0.10-1.mga3
vlc-plugin-twolame-2.0.10-1.mga3
vlc-plugin-fluidsynth-2.0.10-1.mga3
vlc-plugin-gme-2.0.10-1.mga3
vlc-plugin-schroedinger-2.0.10-1.mga3
vlc-plugin-speex-2.0.10-1.mga3
vlc-plugin-flac-2.0.10-1.mga3
vlc-plugin-dv-2.0.10-1.mga3
vlc-plugin-mod-2.0.10-1.mga3
vlc-plugin-mpc-2.0.10-1.mga3
vlc-plugin-sid-2.0.10-1.mga3
vlc-plugin-pulse-2.0.10-1.mga3
vlc-plugin-jack-2.0.10-1.mga3
vlc-plugin-bonjour-2.0.10-1.mga3
vlc-plugin-upnp-2.0.10-1.mga3
vlc-plugin-gnutls-2.0.10-1.mga3
vlc-plugin-libnotify-2.0.10-1.mga3
mplayer-1.1-13.r35916.3.mga3
mplayer-doc-1.1-13.r35916.3.mga3
mplayer-gui-1.1-13.r35916.3.mga3
mencoder-1.1-13.r35916.3.mga3
vlc-2.1.5-1.mga4
libvlc5-2.1.5-1.mga4
libvlccore7-2.1.5-1.mga4
libvlc-devel-2.1.5-1.mga4
vlc-plugin-common-2.1.5-1.mga4
vlc-plugin-zvbi-2.1.5-1.mga4
vlc-plugin-kate-2.1.5-1.mga4
vlc-plugin-libass-2.1.5-1.mga4
vlc-plugin-lua-2.1.5-1.mga4
vlc-plugin-ncurses-2.1.5-1.mga4
vlc-plugin-lirc-2.1.5-1.mga4
svlc-2.1.5-1.mga4
vlc-plugin-aa-2.1.5-1.mga4
vlc-plugin-sdl-2.1.5-1.mga4
vlc-plugin-shout-2.1.5-1.mga4
vlc-plugin-opengl-2.1.5-1.mga4
vlc-plugin-projectm-2.1.5-1.mga4
vlc-plugin-theora-2.1.5-1.mga4
vlc-plugin-twolame-2.1.5-1.mga4
vlc-plugin-fluidsynth-2.1.5-1.mga4
vlc-plugin-gme-2.1.5-1.mga4
vlc-plugin-schroedinger-2.1.5-1.mga4
vlc-plugin-speex-2.1.5-1.mga4
vlc-plugin-flac-2.1.5-1.mga4
vlc-plugin-dv-2.1.5-1.mga4
vlc-plugin-mod-2.1.5-1.mga4
vlc-plugin-mpc-2.1.5-1.mga4
vlc-plugin-sid-2.1.5-1.mga4
vlc-plugin-pulse-2.1.5-1.mga4
vlc-plugin-jack-2.1.5-1.mga4
vlc-plugin-bonjour-2.1.5-1.mga4
vlc-plugin-upnp-2.1.5-1.mga4
vlc-plugin-gnutls-2.1.5-1.mga4
vlc-plugin-libnotify-2.1.5-1.mga4
mplayer-1.1.1-3.r36361.3.mga4
mplayer-doc-1.1.1-3.r36361.3.mga4
mplayer-gui-1.1.1-3.r36361.3.mga4
mencoder-1.1.1-3.r36361.3.mga4

from SRPMS:
live-2014.07.04-1.mga3.src.rpm
vlc-2.0.10-1.mga3.src.rpm
mplayer-1.1-13.r35916.3.mga3.src.rpm
live-2014.07.04-1.mga4.src.rpm
vlc-2.1.5-1.mga4.src.rpm
mplayer-1.1.1-3.r36361.3.mga4.src.rpm

Source RPM: vlc => live, mplayer, vlc
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
Summary: vlc new security issues CVE-2013-4388 and more => live555 buffer overflow, mplayer playlist issue, vlc buffer overflow (CVE-2013-4388) and more

Comment 3 William Kenney 2014-07-14 17:36:33 CEST 
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
live vlc mplayer mplayer-gui

default install of live vlc mplayer mplayer-gui

[root@localhost wilcal]# urpmi live
Package live-2013.01.04-2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi vlc
Package vlc-2.0.8-2.mga3.tainted.i586 is already installed
[root@localhost wilcal]# urpmi mplayer
Package mplayer-1.1-12.r35916.4.mga3.tainted.i586 is already installed
[root@localhost wilcal]# urpmi mplayer-gui
Package mplayer-gui-1.1-12.r35916.4.mga3.tainted.i586 is already installed

mplayer-gui plays an mp4 stream from:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4
Plug the following into vlc -> Media -> Open Network Stream -> Please enter a network URL:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4
mplayer-gui plays mov mp4 dvd flv local files
vlc plays mov mp4 dvd flv local files

install live vlc mplayer mplayer-gui from updates_testing

[root@localhost wilcal]# urpmi live
Package live-2014.07.04-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi vlc
Package vlc-2.0.10-1.mga3.tainted.i586 is already installed
[root@localhost wilcal]# urpmi mplayer
Package mplayer-1.1-13.r35916.3.mga3.tainted.i586 is already installed
[root@localhost wilcal]# urpmi mplayer-gui
Package mplayer-gui-1.1-13.r35916.3.mga3.tainted.i586 is already installed

mplayer-gui plays an mp4 stream from:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4
Plug the following into vlc -> Media -> Open Network Stream -> Please enter a network URL:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4
mplayer-gui plays mov mp4 dvd flv local files
vlc plays mov mp4 dvd flv local files

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int

Comment 4 William Kenney 2014-07-14 18:06:44 CEST 
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
live vlc mplayer mplayer-gui

default install of live vlc mplayer mplayer-gui

[root@localhost wilcal]# urpmi live
Package live-2013.01.04-2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc
Package vlc-2.0.8-2.mga3.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi mplayer
Package mplayer-1.1-12.r35916.4.mga3.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi mplayer-gui
Package mplayer-gui-1.1-12.r35916.4.mga3.tainted.x86_64 is already installed

mplayer-gui plays an mp4 stream from:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4
Plug the following into vlc -> Media -> Open Network Stream -> Please enter a network URL:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4
mplayer-gui plays mov mp4 dvd flv local files
vlc plays mov mp4 dvd flv local files

install live vlc mplayer mplayer-gui from updates_testing

[root@localhost wilcal]# urpmi live
Package live-2014.07.04-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc
Package vlc-2.0.10-1.mga3.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi mplayer
Package mplayer-1.1-13.r35916.3.mga3.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi mplayer-gui
Package mplayer-gui-1.1-13.r35916.3.mga3.tainted.x86_64 is already installed

mplayer-gui plays an mp4 stream from:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4
Plug the following into vlc -> Media -> Open Network Stream -> Please enter a network URL:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4
mplayer-gui plays mov mp4 dvd flv local files
vlc plays mov mp4 dvd flv local files

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 5 William Kenney 2014-07-14 18:07:18 CEST 
M4 later today
Comment 6 William Kenney 2014-07-15 04:39:39 CEST 
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
live vlc mplayer mplayer-gui

default install of live vlc mplayer mplayer-gui

[root@localhost wilcal]# urpmi live
Package live-2013.09.27-2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi vlc
Package vlc-2.1.2-1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi mplayer
Package mplayer-1.1.1-3.r36361.1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi mplayer-gui
Package mplayer-gui-1.1.1-3.r36361.1.mga4.tainted.i586 is already installed

mplayer-gui plays an mp4 stream from:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4
Plug the following into vlc -> Media -> Open Network Stream -> Please enter a network URL:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4
mplayer-gui plays mov mp4 dvd flv local files
vlc plays mov mp4 dvd flv local files

install live vlc mplayer mplayer-gui from updates_testing

[root@localhost wilcal]# urpmi live
Package live-2014.07.04-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi vlc
Package vlc-2.1.5-1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi mplayer
Package mplayer-1.1.1-3.r36361.3.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi mplayer-gui
Package mplayer-gui-1.1.1-3.r36361.3.mga4.tainted.i586 is already installed

mplayer-gui plays an mp4 stream from:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4
Plug the following into vlc -> Media -> Open Network Stream -> Please enter a network URL:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4
mplayer-gui plays mov mp4 dvd flv local files
vlc plays mov mp4 dvd flv local files

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 7 William Kenney 2014-07-15 05:09:48 CEST 
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
live vlc mplayer mplayer-gui

default install of live vlc mplayer mplayer-gui

[root@localhost wilcal]# urpmi live
Package live-2013.01.04-2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc
Package vlc-2.0.8-2.mga3.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi mplayer
Package mplayer-1.1-12.r35916.4.mga3.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi mplayer-gui
Package mplayer-gui-1.1-12.r35916.4.mga3.tainted.x86_64 is already installed

mplayer-gui plays an mp4 stream from:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4
Plug the following into vlc -> Media -> Open Network Stream -> Please enter a network URL:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4
mplayer-gui plays mov mp4 dvd flv local files
vlc plays mov mp4 dvd flv local files

install live vlc mplayer mplayer-gui from updates_testing

[root@localhost wilcal]# urpmi live
Package live-2014.07.04-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc
Package vlc-2.1.5-1.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi mplayer
Package mplayer-1.1.1-3.r36361.3.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi mplayer-gui
Package mplayer-gui-1.1.1-3.r36361.3.mga4.tainted.x86_64 is already installed

mplayer-gui plays an mp4 stream from:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4
Plug the following into vlc -> Media -> Open Network Stream -> Please enter a network URL:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4
mplayer-gui plays mov mp4 dvd flv local files
vlc plays mov mp4 dvd flv local files

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Comment 8 William Kenney 2014-07-15 05:10:50 CEST 
Looks good to me David. Anything else otherwise lets push it?
Comment 9 William Kenney 2014-07-15 18:03:26 CEST 
I'm gonna turn this one loose.

Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

Comment 10 William Kenney 2014-07-15 18:04:07 CEST 
For me this update works fine.
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 11 claire robinson 2014-07-15 18:40:52 CEST 
Advisory uploaded with srpms below..

src:
  3:
   core:
     - live-2014.07.04-1.mga3
     - vlc-2.0.10-1.mga3
     - mplayer-1.1-13.r35916.3.mga3
   tainted:
     - vlc-2.0.10-1.mga3.tainted
     - mplayer-1.1-13.r35916.3.mga3.tainted
  4:
   core:
     - live-2014.07.04-1.mga4
     - vlc-2.1.5-1.mga4
     - mplayer-1.1.1-3.r36361.3.mga4
   tainted:
     - vlc-2.1.5-1.mga4.tainted
     - mplayer-1.1.1-3.r36361.3.mga4.tainted

Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO advisory MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

Comment 12 Colin Guthrie 2014-07-26 14:07:20 CEST 
Update pushed.

http://advisories.mageia.org/MGASA-2014-0296.html

CC: (none) => mageia

Comment 13 Colin Guthrie 2014-07-26 14:07:46 CEST 
Closing

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 14 David Walser 2014-07-31 19:58:03 CEST 
LWN reference for the live issue:
http://lwn.net/Vulnerabilities/607284/
David Walser 2014-08-05 12:44:46 CEST

Blocks: (none) => 10478

Comment 15 David Walser 2015-02-09 20:50:21 CET 
(In reply to David Walser from comment #14)
> LWN reference for the live issue:
> http://lwn.net/Vulnerabilities/607284/

This is apparently now CVE-2013-6933, currently listed here:
http://lwn.net/Vulnerabilities/632569/