Bug 15381

Summary: VLC 2.2.0 update for Mageia 5
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: RPM Packages
Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: cjw, shlomif
Version: Cauldron
Target Milestone: ---
Hardware: i586
OS: Linux
Whiteboard:
Source RPM: vlc
CVE:
Status comment:

Description David Walser 2015-02-27 18:12:55 CET
VLC 2.1.6 and 2.2.0 have been released.

The NEWS for 2.1.6 says:
Changes between 2.1.5 and 2.1.6:
--------------------------------

Audio output:
 * Fix OSS stuttering

Security:
 * Fix heap overflow in decomp stream filter
 * Fix buffer overflow in updater
 * Fix potential buffer overflow in schroedinger encoder
 * Fix null-pointer dereference in DMO decoder
 * Fix buffer overflow in parsing of string boxes in mp4 demuxer
 * Fix SRTP integer overflow
 * Fix potential crash in zip access
 * Fix read overflow in Ogg demuxer

Win32 installer:
 * Update translations and greek encoding


I think we fixed most of those security issues in Bug 15195, but it doesn't look like the decomp stream filter, zip access, or Ogg demuxer fixes are there.  The SRTP thing might be different from the rtp streaming invalid memory access too, so we might also be missing that.

We should update Mageia 4 to 2.1.6.

We should update Mageia 5 to 2.2.0 final.  You can see the changes since our February 13th snapshot in git here:
http://git.videolan.org/?p=vlc/vlc-2.2.git;a=summary

Not sure if we'll be able to get that in now or if we'll have to do it post-release.

David Walser 2015-02-27 18:13:47 CET

CC: (none) => cjw, shlomif

David Walser 2015-02-27 18:14:03 CET

Whiteboard: (none) => MGA4TOO

Comment 1 Shlomi Fish 2015-02-27 19:40:43 CET
I'm working on the VLC-2.1.6 upgrade for Mageia 4 now.
Comment 2 Luc Menut 2015-02-27 19:52:46 CET
I think that the packaging of plugins.dat should be fixed for mga4 in the same way that it was fixed in mga5 for bug 15311 (ghost plugins.dat + rpm file trigger to update it at install time).
https://trac.videolan.org/vlc/ticket/9807
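The ghost-file-plus-file-trigger arrangement Luc refers to, sketched as an added spec fragment; this is not the Mageia vlc package's own spec, and it assumes rpm's native file-trigger syntax, the upstream default plugin directory under %{_libdir}/vlc/plugins, and the vlc-cache-gen tool that VLC ships for building plugins.dat.

```spec
# Added illustration, not the Mageia vlc spec. Assumes rpm native file
# triggers (rpm 4.12 syntax); the plugin directory and the vlc-cache-gen
# invocation are upstream defaults, not values taken from the package.

# Regenerate the module cache once per transaction whenever any package
# (vlc itself or a plugin subpackage) installs files into the plugin
# directory, so plugins.dat always matches the modules actually present.
%transfiletriggerin -- %{_libdir}/vlc/plugins
%{_bindir}/vlc-cache-gen %{_libdir}/vlc/plugins >/dev/null 2>&1 || :

# Rebuild after a plugin package is erased so the cache does not reference
# modules that no longer exist; skip if vlc itself has already been removed.
%transfiletriggerpostun -- %{_libdir}/vlc/plugins
if [ -d %{_libdir}/vlc/plugins ] && [ -x %{_bindir}/vlc-cache-gen ]; then
    %{_bindir}/vlc-cache-gen %{_libdir}/vlc/plugins >/dev/null 2>&1 || :
fi

%files
# plugins.dat is generated on the target system: the package owns it (so
# it is tracked and removed on erase) but never ships it inside the rpm,
# which avoids a stale build-time cache being installed over a live one.
%ghost %{_libdir}/vlc/plugins/plugins.dat
```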
Comment 3 David Walser 2015-02-27 20:22:27 CET
(In reply to Luc Menut from comment #2)
> I think that the packaging of plugins.dat should be fixed for mga4 in the
> same way that it was fixed in mga5 for bug 15311 (ghost plugins.dat + rpm
> file trigger to update it at install time).
> https://trac.videolan.org/vlc/ticket/9807

That might be nice.  However, it's not that big of an issue on Mageia 4 since we aren't really using Qt5 things with it.  It became a critical problem on the way to Mageia 5.
Comment 4 Shlomi Fish 2015-02-27 20:48:50 CET
OK, VLC-2.1.6 was successfully submitted to "core/updates_testing" and "tainted/updates_testing" here: http://pkgsubmit.mageia.org/ . Do I need to prepare an advisory?
Comment 5 David Walser 2015-02-27 21:24:21 CET
Just a note for later, if the 2.2.0 update has to go through QA, besides testing VLC itself, they could test phonon-vlc, miam-player, and tano, just to make sure there wasn't any ABI breakage in libvlccore.
Comment 6 David Walser 2015-02-27 21:25:48 CET
(In reply to Shlomi Fish from comment #4)
> OK VLC-2.1.6 was successfully submitted to "core/updates_testing" and
> "tainted/updates_testing" here: http://pkgsubmit.mageia.org/ . Do I need to
> prepare an advisory?

Yes.  Since 2.2.0 and 2.1.6 need to be handled separately, you can clone this bug (see the link at the bottom right), make the new bug just for the 2.1.6 update, post the advisory and package list, and assign to QA.  Thanks.
Shlomi Fish 2015-02-28 10:44:40 CET

Blocks: (none) => 15384

David Walser 2015-02-28 15:05:21 CET

Blocks: 15384 => (none)

David Walser 2015-02-28 15:06:15 CET

Summary: VLC 2.1.6 and 2.2.0 => VLC 2.2.0 update for Mageia 5
Whiteboard: MGA4TOO => MGA5TOO

Comment 7 David Walser 2015-03-02 01:26:13 CET
vlc-2.2.0-1.mga5 uploaded for Cauldron.  Thanks Christiaan!

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Whiteboard: MGA5TOO => (none)