| Summary: | VLC 3.0.4, including security issue(s) in MP4 demuxer | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, lists.jjorge, marja11, sysadmin-bugs, tarazed25, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-32-OK MGA6-64-OK | ||
| Source RPM: | vlc-3.0.2-3.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2018-05-28 15:33:01 CEST
David Walser
2018-05-28 15:33:10 CEST
Whiteboard: (none) => MGA6TOO

Assigning to the registered maintainer.
Assignee: bugsquad => shlomif

Already updated in mga7/cauldron.
Version: Cauldron => 6

Update built for mga6 too, but incorrectly built with a subrel (of 0, no less), which makes its release tag higher than in mga7. New versions should always be release tag 1 with no subrel.

(In reply to David Walser from comment #3)
> Update built for mga6 too, but incorrectly built with a subrel (of 0, no
> less), which makes its release tag higher than in mga7. New versions should
> always be release tag 1 with no subrel.

Hi David! This comment of yours brought me into a nervous breakdown. Why can't I get the subrel/rel thing right for once? This is so confuzzling and confusing and error-prone. I hate it!!!

Why isn't this bug reassigned to QA?

Because it needs to be removed from updates_testing and rebuilt without a subrel.

Shlomi, could you please resubmit VLC without the subrel, please?

He can't. The sysadmins need to remove the bad build first. I have asked on their IRC channel for a month and they have ignored me.

Debian has issued an advisory on July 18:
https://www.debian.org/security/2018/dsa-4251

It fixes CVE-2018-11529 in the MP4 demuxer. I wonder if this is one of the many MP4 issues that have been posted about on oss-security lately:
http://openwall.com/lists/oss-security/

Anyway, if we add the patch for this and any other MP4-related needed patches, we can get this update finally unstuck. Just change the subrel to 1 for the update.
Summary: VLC 3.0.3 => VLC 3.0.3, plus security issue(s) in MP4 demuxer

VLC 3.0.4 is now out, so we should update to that (no subrel this time).
Summary: VLC 3.0.3, plus security issue(s) in MP4 demuxer => VLC 3.0.4, including security issue(s) in MP4 demuxer
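The subrel problem argued over in the comments above (a Mageia 6 build whose release tag sorts above the Mageia 7 build of the same version, so a dist-upgrade would not replace it) comes down to how rpm orders release strings. The following is an added illustration, not code from this bug report, from Mageia's build tooling or from rpm itself: a Python port of rpm's rpmvercmp() segment ordering plus an epoch:version-release check. The concrete release strings are assumptions: Mageia's %mkrel with "release 1, subrel 0" is taken to produce 1.0.mga6, and the mga7 tag for the same version is taken to be 1.mga7 (the bug only says a subrel of 0 was used and that the mga6 tag came out higher).

```python
"""Port of rpm's rpmvercmp() ordering, used to show why a stable-branch
build carrying a subrel sorts above the next release's build of the same
version. Added illustration; not code from the bug report, Mageia or rpm."""

from typing import Tuple


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as rpm orders version/release strings a and b.

    Rules (mirroring rpm's rpmvercmp): strings are cut into maximal runs of
    digits or letters, separators are ignored, '~' sorts before everything
    (even end of string), '^' sorts after the bare base string but before any
    other suffix, numeric runs compare as integers (leading zeros stripped),
    and at the same position a numeric run beats an alphabetic one.
    ASCII input is assumed, as in rpm.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators: anything that is not alphanumeric, '~' or '^'.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":          # tilde: pre-release, sorts lowest
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # caret: post-release of the base
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):                 # one side exhausted
            break
        isnum = ca.isdigit()
        kind = str.isdigit if isnum else str.isalpha
        ei, ej = i, j
        while ei < len(a) and kind(a[ei]):
            ei += 1
        while ej < len(b) and kind(b[ej]):
            ej += 1
        seg_a, seg_b = a[i:ei], b[j:ej]
        if not seg_b:                       # digits vs letters: digits win
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):    # longer integer is larger
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = ei, ej
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str) -> Tuple[str, str, str]:
    """Split 'epoch:version-release' (epoch optional, defaults to '0')."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """rpm's EVR ordering: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def upgrade_path_ok(stable_evr: str, next_release_evr: str) -> bool:
    """True if the next distro release's package is strictly newer than the
    stable branch's package, so a dist-upgrade will replace it."""
    return compare_evr(stable_evr, next_release_evr) < 0


if __name__ == "__main__":
    # Assumed strings: %mkrel with subrel 0 taken as 1.0.mga6; mga7 tag taken
    # as 1.mga7. The subrel build wins because "0" (numeric) beats "mga7".
    bad, mga7 = "3.0.3-1.0.mga6", "3.0.3-1.mga7"
    print(bad, "vs", mga7, "->", compare_evr(bad, mga7))     # 1
    print("upgrade path ok:", upgrade_path_ok(bad, mga7))    # False
    print("upgrade path ok:", upgrade_path_ok("3.0.4-1.mga6", "3.0.4-1.mga7"))  # True
```

The check to run before submitting a stable-branch update is upgrade_path_ok(stable, next): it must be True for every version that also exists in the next release, which is exactly what a plain release tag of 1 with no subrel guarantees.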
José Jorge
2018-10-12 22:45:04 CEST
Assignee: shlomif => qa-bugs

RPMS (core and tainted):
vlc-3.0.4-1.mga6.tainted.x86_64.rpm
lib64vlc5-3.0.4-1.mga6.tainted.x86_64.rpm
lib64vlccore9-3.0.4-1.mga6.tainted.x86_64.rpm
lib64vlc-devel-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-common-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-zvbi-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-kate-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-libass-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-lua-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-ncurses-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-lirc-3.0.4-1.mga6.tainted.x86_64.rpm
svlc-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-aa-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-sdl-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-shout-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-opengl-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-vdpau-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-projectm-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-theora-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-twolame-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-fluidsynth-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-gme-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-schroedinger-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-speex-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-flac-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-dv-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-mod-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-mpc-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-sid-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-pulse-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-jack-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-upnp-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-gnutls-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-libnotify-3.0.4-1.mga6.tainted.x86_64.rpm
vlc-plugin-chromaprint-3.0.4-1.mga6.tainted.x86_64.rpm
Status: NEW => ASSIGNED

Core versions of the packages are:
vlc-3.0.4-1.mga6
libvlc5-3.0.4-1.mga6
libvlccore9-3.0.4-1.mga6
libvlc-devel-3.0.4-1.mga6
vlc-plugin-common-3.0.4-1.mga6
vlc-plugin-zvbi-3.0.4-1.mga6
vlc-plugin-kate-3.0.4-1.mga6
vlc-plugin-libass-3.0.4-1.mga6
vlc-plugin-lua-3.0.4-1.mga6
vlc-plugin-ncurses-3.0.4-1.mga6
vlc-plugin-lirc-3.0.4-1.mga6
svlc-3.0.4-1.mga6
vlc-plugin-aa-3.0.4-1.mga6
vlc-plugin-sdl-3.0.4-1.mga6
vlc-plugin-shout-3.0.4-1.mga6
vlc-plugin-opengl-3.0.4-1.mga6
vlc-plugin-vdpau-3.0.4-1.mga6
vlc-plugin-projectm-3.0.4-1.mga6
vlc-plugin-theora-3.0.4-1.mga6
vlc-plugin-twolame-3.0.4-1.mga6
vlc-plugin-fluidsynth-3.0.4-1.mga6
vlc-plugin-gme-3.0.4-1.mga6
vlc-plugin-schroedinger-3.0.4-1.mga6
vlc-plugin-speex-3.0.4-1.mga6
vlc-plugin-flac-3.0.4-1.mga6
vlc-plugin-dv-3.0.4-1.mga6
vlc-plugin-mod-3.0.4-1.mga6
vlc-plugin-mpc-3.0.4-1.mga6
vlc-plugin-sid-3.0.4-1.mga6
vlc-plugin-pulse-3.0.4-1.mga6
vlc-plugin-jack-3.0.4-1.mga6
vlc-plugin-upnp-3.0.4-1.mga6
vlc-plugin-gnutls-3.0.4-1.mga6
vlc-plugin-libnotify-3.0.4-1.mga6
vlc-plugin-chromaprint-3.0.4-1.mga6
from vlc-3.0.4-1.mga6.src.rpm

Mageia 6, x86_64

vlc tainted already installed so went with that and updated 35 packages. Not familiar with the support provided by all of the plugins so testing is a bit random. svlc in use at every launch. DestroyVLC.vlt theme is working fine. Command-line operation mostly. No problems with audio or video. 'vlc file' and 'vlc playlist' work, and all the various controls. Files can also be located via the internal file manager.

File formats tested: mp3, flac, ogg, wav, mp4/m4v/mkv + srt, mpg, m2t, mov, webm/wmv, swf and m3u for playlists. Also tried
$ vlc channels.xspf
to display free-to-air television. The xspf file translates into a playlist. SD and HD channels work very well.

Looking good so far. Trying the core version later.
CC: (none) => tarazed25

On real 32-bit hardware, Dell Inspiron 5100, P4, 2GB RAM, radeon 7500 graphics (running under VESA driver), old Atheros wifi, 32-bit Plasma system. Running the tainted packages. I always update to the tainted packages of vlc when I make a new Mageia install, as in the past I have been unable to play certain videos unless I did.

All packages updated cleanly. I too don't know much about the other functions of vlc, as all I do with it is play videos and/or DVDs. I tried playing four different videos, and all played normally. No regressions noted. I could not test the DVD function on this hardware, as the DVD drive is non-functional.

As far as I can see, it looks good on this hardware.
CC: (none) => andrewsfarm

Created a 64-bit Plasma system in VirtualBox, using the 6.1 LiveDVD iso. This system is to contain no tainted packages, and no packages were installed other than those from the 6.1 iso. After getting updates, played both mp4 and mkv videos from a shared folder using vlc. Each played, though the action was a bit "choppy," consistent with playing videos on virtual machines on this host hardware.

Updated the vlc packages, and all packages installed cleanly. Played the videos again, and there was no change in the way they played. Non-tainted version seems OK in VirtualBox.

Giving it OKs and verifying.
Keywords: (none) => validated_update
Thomas Backlund
2018-10-19 19:27:21 CEST
CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0400.html
Resolution: (none) => FIXED