Bug 16631

Summary: vlc new security issue CVE-2015-5949
Product: Mageia Reporter: Yann Cantin <yann.cantin>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, luigiwalser, qa-bugs, sysadmin-bugs, tmb, yann.cantin
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/655117/
Whiteboard: MGA4-32-OK MGA4-64-OK advisory
Source RPM: vlc-2.1.6-1.mga4.src.rpm CVE:
Status comment:

Description Yann Cantin 2015-08-21 23:13:50 CEST 
+++ This bug was initially created as a clone of Bug #16623 +++

An advisory has been issued today (August 20):
http://www.ocert.org/advisories/ocert-2015-009.html

The advisory contains a link to the upstream commit to fix the issue.  The fix will be included in VLC 2.2.2 (I'm not sure of the ETA on that release).

Mageia 4 and Mageia 5 are also affected.

Reproducible: 

Steps to Reproduce:
Yann Cantin 2015-08-21 23:15:26 CEST

Assignee: bugsquad => yann.cantin
Source RPM: vlc-2.2.1-3.mga6.src.rpm => vlc-2.1.6-1.mga4.src.rpm

Comment 1 Yann Cantin 2015-08-22 22:26:31 CEST 
Updated packages for mga4.
The PoC (see bug #16623) is irrelevant for version 2.1.6 (doesn't segfault).
Patch applied anyway.

Advisory:
========================

Updated vlc packages fix security vulnerability :

Loren Maggiore of Trail of Bits discovered that the 3GP parser of VLC, a
multimedia player and streamer, could dereference an arbitrary pointer
due to insufficient restrictions on a writable buffer. This could allow
remote attackers to execute arbitrary code via crafted 3GP files (CVE-2015-5949).

References:
http://www.ocert.org/advisories/ocert-2015-009.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5949
https://lists.debian.org/debian-security-announce/2015/msg00241.html

========================

Updated packages in core/updates_testing and tainted/updates_testing
========================
lib64vlc5-2.1.6-1.1.mga4
lib64vlccore7-2.1.6-1.1.mga4
lib64vlc-devel-2.1.6-1.1.mga4
svlc-2.1.6-1.1.mga4
vlc-2.1.6-1.1.mga4
vlc-debuginfo-2.1.6-1.1.mga4
vlc-plugin-aa-2.1.6-1.1.mga4
vlc-plugin-bonjour-2.1.6-1.1.mga4
vlc-plugin-common-2.1.6-1.1.mga4
vlc-plugin-dv-2.1.6-1.1.mga4
vlc-plugin-flac-2.1.6-1.1.mga4
vlc-plugin-fluidsynth-2.1.6-1.1.mga4
vlc-plugin-gme-2.1.6-1.1.mga4
vlc-plugin-gnutls-2.1.6-1.1.mga4
vlc-plugin-jack-2.1.6-1.1.mga4
vlc-plugin-kate-2.1.6-1.1.mga4
vlc-plugin-libass-2.1.6-1.1.mga4
vlc-plugin-libnotify-2.1.6-1.1.mga4
vlc-plugin-lirc-2.1.6-1.1.mga4
vlc-plugin-lua-2.1.6-1.1.mga4
vlc-plugin-mod-2.1.6-1.1.mga4
vlc-plugin-mpc-2.1.6-1.1.mga4
vlc-plugin-ncurses-2.1.6-1.1.mga4
vlc-plugin-opengl-2.1.6-1.1.mga4
vlc-plugin-projectm-2.1.6-1.1.mga4
vlc-plugin-pulse-2.1.6-1.1.mga4
vlc-plugin-schroedinger-2.1.6-1.1.mga4
vlc-plugin-sdl-2.1.6-1.1.mga4
vlc-plugin-shout-2.1.6-1.1.mga4
vlc-plugin-sid-2.1.6-1.1.mga4
vlc-plugin-speex-2.1.6-1.1.mga4
vlc-plugin-theora-2.1.6-1.1.mga4
vlc-plugin-twolame-2.1.6-1.1.mga4
vlc-plugin-upnp-2.1.6-1.1.mga4
vlc-plugin-zvbi-2.1.6-1.1.mga4

lib64vlc5-2.1.6-1.1.mga4.tainted
lib64vlccore7-2.1.6-1.1.mga4.tainted
lib64vlc-devel-2.1.6-1.1.mga4.tainted
svlc-2.1.6-1.1.mga4.tainted
vlc-2.1.6-1.1.mga4.tainted
vlc-debuginfo-2.1.6-1.1.mga4.tainted
vlc-plugin-aa-2.1.6-1.1.mga4.tainted
vlc-plugin-bonjour-2.1.6-1.1.mga4.tainted
vlc-plugin-common-2.1.6-1.1.mga4.tainted
vlc-plugin-dv-2.1.6-1.1.mga4.tainted
vlc-plugin-flac-2.1.6-1.1.mga4.tainted
vlc-plugin-fluidsynth-2.1.6-1.1.mga4.tainted
vlc-plugin-gme-2.1.6-1.1.mga4.tainted
vlc-plugin-gnutls-2.1.6-1.1.mga4.tainted
vlc-plugin-jack-2.1.6-1.1.mga4.tainted
vlc-plugin-kate-2.1.6-1.1.mga4.tainted
vlc-plugin-libass-2.1.6-1.1.mga4.tainted
vlc-plugin-libnotify-2.1.6-1.1.mga4.tainted
vlc-plugin-lirc-2.1.6-1.1.mga4.tainted
vlc-plugin-lua-2.1.6-1.1.mga4.tainted
vlc-plugin-mod-2.1.6-1.1.mga4.tainted
vlc-plugin-mpc-2.1.6-1.1.mga4.tainted
vlc-plugin-ncurses-2.1.6-1.1.mga4.tainted
vlc-plugin-opengl-2.1.6-1.1.mga4.tainted
vlc-plugin-projectm-2.1.6-1.1.mga4.tainted
vlc-plugin-pulse-2.1.6-1.1.mga4.tainted
vlc-plugin-schroedinger-2.1.6-1.1.mga4.tainted
vlc-plugin-sdl-2.1.6-1.1.mga4.tainted
vlc-plugin-shout-2.1.6-1.1.mga4.tainted
vlc-plugin-sid-2.1.6-1.1.mga4.tainted
vlc-plugin-speex-2.1.6-1.1.mga4.tainted
vlc-plugin-theora-2.1.6-1.1.mga4.tainted
vlc-plugin-twolame-2.1.6-1.1.mga4.tainted
vlc-plugin-upnp-2.1.6-1.1.mga4.tainted
vlc-plugin-zvbi-2.1.6-1.1.mga4.tainted

from SRPMS:
vlc-2.1.6-1.1.mga4.src.rpm
vlc-2.1.6-1.1.mga4.tainted.src.rpm

Assignee: yann.cantin => qa-bugs

Comment 2 Herman Viaene 2015-08-24 11:46:03 CEST 
MGA4-32 on Acer D620 Xfce
No installation issues.
Plays mpg file (captured from DVB-T device) perfectly.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-32-OK

James Kerr 2015-08-25 11:46:15 CEST

Depends on: 16623 => (none)

Comment 3 Samuel Verschelde 2015-08-27 16:52:37 CEST 
Seems to work OK on MGA4 64. Validating. Just needs advisory to be uploaded.

Keywords: (none) => validated_update
Status: NEW => RESOLVED
Resolution: (none) => WONTFIX
Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 4 Thomas Backlund 2015-08-27 17:08:08 CEST 
Wontfix is not a good solution for a validation :)

Status: RESOLVED => REOPENED
CC: (none) => tmb
Resolution: WONTFIX => (none)

Comment 5 Samuel Verschelde 2015-08-27 17:14:36 CEST 
Oops, I wonder what happened.
Comment 6 RĂ©mi Verschelde 2015-08-27 20:20:48 CEST 
Advisory uploaded.

Whiteboard: MGA4-32-OK MGA4-64-OK => MGA4-32-OK MGA4-64-OK advisory

Comment 7 Mageia Robot 2015-08-27 22:50:48 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0329.html

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED