| Summary: | vlc new security issue CVE-2015-5949 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | brtians1, sysadmin-bugs, yann.cantin |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/655117/ | | |
| Whiteboard: | MGA5-64-OK MGA5-32-OK advisory | | |
| Source RPM: | vlc-2.2.1-3.mga6.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2015-08-20 20:08:36 CEST
David Walser
2015-08-20 20:08:42 CEST
Whiteboard: (none) => MGA5TOO, MGA4TOO

Debian has issued an advisory for this today:
https://lists.debian.org/debian-security-announce/2015/msg00241.html
https://www.debian.org/security/2015/dsa-3342

URL: (none) => http://lwn.net/Vulnerabilities/655117/

Upstream patch can't be used for vlc-2.1.6 (mga4).

CC: (none) => yann.cantin

Upstream patch fixes the issue, tested with the poc in mga5 x86_64. Update ready in the svn for mga5 and Cauldron.

Updated packages for mga5 and Cauldron. No fix for mga4 yet.

Advisory:
========================

Updated vlc packages fix security vulnerability (CVE-2015-5949):

Loren Maggiore of Trail of Bits discovered that the 3GP parser of VLC, a multimedia player and streamer, could dereference an arbitrary pointer due to insufficient restrictions on a writable buffer. This could allow remote attackers to execute arbitrary code via crafted 3GP files.

References:
http://www.ocert.org/advisories/ocert-2015-009.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5949
https://lists.debian.org/debian-security-announce/2015/msg00241.html

PoC: http://openwall.com/lists/oss-security/2015/08/20/8
========================

Updated packages in core/updates_testing and tainted/updates_testing
========================
vlc-2.2.1-1.1.mga5
lib64vlc5-2.2.1-1.1.mga5
lib64vlccore8-2.2.1-1.1.mga5
lib64vlc-devel-2.2.1-1.1.mga5
vlc-plugin-common-2.2.1-1.1.mga5
vlc-plugin-zvbi-2.2.1-1.1.mga5
vlc-plugin-kate-2.2.1-1.1.mga5
vlc-plugin-libass-2.2.1-1.1.mga5
vlc-plugin-lua-2.2.1-1.1.mga5
vlc-plugin-ncurses-2.2.1-1.1.mga5
vlc-plugin-lirc-2.2.1-1.1.mga5
svlc-2.2.1-1.1.mga5
vlc-plugin-aa-2.2.1-1.1.mga5
vlc-plugin-sdl-2.2.1-1.1.mga5
vlc-plugin-shout-2.2.1-1.1.mga5
vlc-plugin-opengl-2.2.1-1.1.mga5
vlc-plugin-vdpau-2.2.1-1.1.mga5
vlc-plugin-projectm-2.2.1-1.1.mga5
vlc-plugin-theora-2.2.1-1.1.mga5
vlc-plugin-twolame-2.2.1-1.1.mga5
vlc-plugin-fluidsynth-2.2.1-1.1.mga5
vlc-plugin-gme-2.2.1-1.1.mga5
vlc-plugin-schroedinger-2.2.1-1.1.mga5
vlc-plugin-speex-2.2.1-1.1.mga5
vlc-plugin-flac-2.2.1-1.1.mga5
vlc-plugin-dv-2.2.1-1.1.mga5
vlc-plugin-mod-2.2.1-1.1.mga5
vlc-plugin-mpc-2.2.1-1.1.mga5
vlc-plugin-sid-2.2.1-1.1.mga5
vlc-plugin-pulse-2.2.1-1.1.mga5
vlc-plugin-jack-2.2.1-1.1.mga5
vlc-plugin-bonjour-2.2.1-1.1.mga5
vlc-plugin-upnp-2.2.1-1.1.mga5
vlc-plugin-gnutls-2.2.1-1.1.mga5
vlc-plugin-libnotify-2.2.1-1.1.mga5
vlc-plugin-chromaprint-2.2.1-1.1.mga5
vlc-debuginfo-2.2.1-1.1.mga5
vlc-2.2.1-1.1.mga5.tainted
lib64vlc5-2.2.1-1.1.mga5.tainted
lib64vlccore8-2.2.1-1.1.mga5.tainted
lib64vlc-devel-2.2.1-1.1.mga5.tainted
vlc-plugin-common-2.2.1-1.1.mga5.tainted
vlc-plugin-zvbi-2.2.1-1.1.mga5.tainted
vlc-plugin-kate-2.2.1-1.1.mga5.tainted
vlc-plugin-libass-2.2.1-1.1.mga5.tainted
vlc-plugin-lua-2.2.1-1.1.mga5.tainted
vlc-plugin-ncurses-2.2.1-1.1.mga5.tainted
vlc-plugin-lirc-2.2.1-1.1.mga5.tainted
svlc-2.2.1-1.1.mga5.tainted
vlc-plugin-aa-2.2.1-1.1.mga5.tainted
vlc-plugin-sdl-2.2.1-1.1.mga5.tainted
vlc-plugin-shout-2.2.1-1.1.mga5.tainted
vlc-plugin-opengl-2.2.1-1.1.mga5.tainted
vlc-plugin-vdpau-2.2.1-1.1.mga5.tainted
vlc-plugin-projectm-2.2.1-1.1.mga5.tainted
vlc-plugin-theora-2.2.1-1.1.mga5.tainted
vlc-plugin-twolame-2.2.1-1.1.mga5.tainted
vlc-plugin-fluidsynth-2.2.1-1.1.mga5.tainted
vlc-plugin-gme-2.2.1-1.1.mga5.tainted
vlc-plugin-schroedinger-2.2.1-1.1.mga5.tainted
vlc-plugin-speex-2.2.1-1.1.mga5.tainted
vlc-plugin-flac-2.2.1-1.1.mga5.tainted
vlc-plugin-dv-2.2.1-1.1.mga5.tainted
vlc-plugin-mod-2.2.1-1.1.mga5.tainted
vlc-plugin-mpc-2.2.1-1.1.mga5.tainted
vlc-plugin-sid-2.2.1-1.1.mga5.tainted
vlc-plugin-pulse-2.2.1-1.1.mga5.tainted
vlc-plugin-jack-2.2.1-1.1.mga5.tainted
vlc-plugin-bonjour-2.2.1-1.1.mga5.tainted
vlc-plugin-upnp-2.2.1-1.1.mga5.tainted
vlc-plugin-gnutls-2.2.1-1.1.mga5.tainted
vlc-plugin-libnotify-2.2.1-1.1.mga5.tainted
vlc-plugin-chromaprint-2.2.1-1.1.mga5.tainted
vlc-debuginfo-2.2.1-1.1.mga5.tainted

from SRPMS:
vlc-2.2.1-1.1.mga5.src.rpm
vlc-2.2.1-1.1.mga5.tainted.src.rpm

Assignee: shlomif => qa-bugs

Thanks, everything looks pretty good, other than the (CVE) should be at the end of the paragraph rather than the title in the advisory.

Thanks for this. Mageia 4 should be fixed as well; the patch applies cleanly there too. Assigning this back to Yann until Mageia 4's update is available.

CC: (none) => qa-bugs
Yann Cantin
2015-08-21 23:13:50 CEST
Blocks: (none) => 16631

Assigning this back to QA since the cloned Mageia 4 bug is now filed.

CC: qa-bugs => (none)

I've installed. Tested Movie, flac and MP3 player. All seems to be working properly.

CC: (none) => brtians1

Installed on 32-bit VBox VM. Audio seems to be working correctly. All items installed as expected.

Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK

I think that this bug should depend on bug 16631 (the mga4 bug) which should block this one. Can I just change these? This update could then be validated and the dependency would prevent it from being released until 16631 is validated.

Ignore comment #10 - I got it the wrong way round.

Why should there be a dependency between the two bugs? IMO it's only required if the Mageia 4 updated version is higher than the Mageia 5 release version, but that's not the case as far as I know. There is (a priori) no reason to make sure that both updates are pushed at the same time.

Validated update
The advisory is in comment #5
A QA committer needs to upload the advisory to SVN
The packages can then be pushed to updates.

Keywords: (none) => validated_update

(In reply to Rémi Verschelde from comment #12)
That's why I got confused. I had trouble identifying the purpose of the block. I've removed the block.

Blocks: 16631 => (none)

Advisory uploaded.

Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0324.html

Status: NEW => RESOLVED