Bug 24940

Summary: VLC 3.0.7 (and security issues in faad2)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, geiger.david68210, lists.jjorge, marja11, nicolas.salguero, shlomif, smelror, sysadmin-bugs, tarazed25, tmb
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK MGA6-32-OK
Source RPM: vlc-3.0.6-11.mga7.src.rpm, faad2-2.8.8-3.mga7.tainted.src.rpm CVE:
Status comment:

Description David Walser 2019-06-11 04:41:08 CEST 
VLC 3.0.7 has been released on June 6:
https://www.videolan.org/developers/vlc-branch/NEWS

As the NEWS shows, it fixes a ton of security issues, detailed more here:
http://www.jbkempf.com/blog/post/2019/VLC-3.0.7-and-security

which points out that some of the issues are actually in faad2, a separate library package.  Someone on another distro security team highlighted these commits with changes to faad2:
https://git.videolan.org/?p=vlc/vlc-3.0.git;a=commitdiff;h=a31ca516a02678579c312897e648c64135725867;hp=fc62b4d2827fdd79a91f008d50cb4d3e70123ca3
https://git.videolan.org/?p=vlc/vlc-3.0.git;a=commitdiff;h=46ba007cac64adc21ec9ab390ccf8c3a14ed6a19;hp=10aa791068a39acc905ce25b3c13aad48d5c465c

and a PoC for a faad2 issue (presumably fixed above) given CVE-2019-6956:
https://git.videolan.org/?p=vlc/vlc-3.0.git;a=commitdiff;h=46ba007cac64adc21ec9ab390ccf8c3a14ed6a19;hp=10aa791068a39acc905ce25b3c13aad48d5c465c
David Walser 2019-06-11 04:42:10 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 Marja Van Waes 2019-06-11 12:05:26 CEST 
Assigning to our registered VLC maintainer, CC'ing some submitters.

CC: (none) => geiger.david68210, lists.jjorge, marja11, nicolas.salguero, smelror
Assignee: bugsquad => shlomif

Comment 2 David Walser 2019-06-13 13:58:24 CEST 
VLC 3.0.7.1 has been released on June 12, fixing a couple of bugs, and updating the bundled (we'll have to update the system one) libbluray to 1.1.2.
Comment 3 Shlomi Fish 2019-06-13 14:05:52 CEST 
There are some updates in updates_testing.
Comment 4 David Walser 2019-06-13 14:10:52 CEST 
Yes, please update the two packages in Comment 2 and then ask for everything to be moved to release, otherwise we can't do anything with Mageia 6.
Comment 5 Thomas Backlund 2019-06-14 11:11:46 CEST 
Cauldron packages moved

CC: (none) => tmb
Whiteboard: MGA7TOO, MGA6TOO => (none)
Version: Cauldron => 6

Comment 6 Shlomi Fish 2019-07-15 11:47:21 CEST 
Assigning to qa for testing.

Assignee: shlomif => qa-bugs

Comment 7 Len Lawrence 2019-07-16 21:09:54 CEST 
Mageia 6, 
vlc is in madb but we need a package list.
As far as I can make out the POC test confirms that the faad2 issue has been fixed already.

Have installed all the tainted updates to vlc but now awaiting further information.  Shall test free version on another machine.

CC: (none) => tarazed25

Comment 8 David Walser 2019-07-18 22:20:25 CEST 
This isn't ready for QA.  vlc-3.0.7.1-1.mga6.src.rpm has been built, but neither the libbluray or faad2 updates are available.

Assignee: qa-bugs => shlomif
CC: (none) => qa-bugs

Comment 9 David Walser 2019-07-20 15:51:29 CEST 
faad2-2.8.8-1.mga6
libfaad2-2.8.8-1.mga6
libfaad_drm2-2.8.8-1.mga6
libfaad2-devel-2.8.8-1.mga6
libfaad2-static-devel-2.8.8-1.mga6
libbluray2-1.1.2-1.mga6
libbluray-java-1.1.2-1.mga6
libbluray-devel-1.1.2-1.mga6
libvlc-devel-3.0.7.1-1.mga6
libvlc5-3.0.7.1-1.mga6
libvlccore9-3.0.7.1-1.mga6
svlc-3.0.7.1-1.mga6
vlc-3.0.7.1-1.mga6
vlc-plugin-aa-3.0.7.1-1.mga6
vlc-plugin-chromaprint-3.0.7.1-1.mga6
vlc-plugin-common-3.0.7.1-1.mga6
vlc-plugin-dv-3.0.7.1-1.mga6
vlc-plugin-flac-3.0.7.1-1.mga6
vlc-plugin-fluidsynth-3.0.7.1-1.mga6
vlc-plugin-gme-3.0.7.1-1.mga6
vlc-plugin-gnutls-3.0.7.1-1.mga6
vlc-plugin-jack-3.0.7.1-1.mga6
vlc-plugin-kate-3.0.7.1-1.mga6
vlc-plugin-libass-3.0.7.1-1.mga6
vlc-plugin-libnotify-3.0.7.1-1.mga6
vlc-plugin-lirc-3.0.7.1-1.mga6
vlc-plugin-lua-3.0.7.1-1.mga6
vlc-plugin-mod-3.0.7.1-1.mga6
vlc-plugin-mpc-3.0.7.1-1.mga6
vlc-plugin-ncurses-3.0.7.1-1.mga6
vlc-plugin-opengl-3.0.7.1-1.mga6
vlc-plugin-projectm-3.0.7.1-1.mga6
vlc-plugin-pulse-3.0.7.1-1.mga6
vlc-plugin-schroedinger-3.0.7.1-1.mga6
vlc-plugin-sdl-3.0.7.1-1.mga6
vlc-plugin-shout-3.0.7.1-1.mga6
vlc-plugin-sid-3.0.7.1-1.mga6
vlc-plugin-speex-3.0.7.1-1.mga6
vlc-plugin-theora-3.0.7.1-1.mga6
vlc-plugin-twolame-3.0.7.1-1.mga6
vlc-plugin-upnp-3.0.7.1-1.mga6
vlc-plugin-vdpau-3.0.7.1-1.mga6
vlc-plugin-zvbi-3.0.7.1-1.mga6

from SRPMS:
faad2-2.8.8-1.mga6.src.rpm
libbluray-1.1.2-1.mga6.src.rpm
vlc-3.0.7.1-1.mga6.src.rpm

faad2 is only in tainted and vlc is in both core and tainted.

CC: qa-bugs => shlomif
Assignee: shlomif => qa-bugs

Comment 10 Len Lawrence 2019-07-22 02:02:12 CEST 
Testing tainted versions on mga6, x86_64.

*Before update*
$ rpm -qa | grep faad2
lib64faad2-2.7-10.mga6.tainted
faad2-2.7-10.mga6.tainted

CVE-2019-6956
https://github.com/TeamSeri0us/pocs/blob/master/faad/global-buffer-overflow%40ps_mix_phase.md

$ faad global-buffer-overflow@ps_mix_phase
global-buffer-overflow@ps_mix_phase file info:
ADTS, 12.416 sec, 37 kbps, 48000 Hz

  ---------------------
 | Config:  2 Ch       |
  ---------------------
 | Ch |    Position    |
  ---------------------
 | 00 | Left front     |
 | 01 | Right front    |
  ---------------------

Decoding global-buffer-overflow@ps_mix_phase took:  0.05 sec. 247.35x real-time.

The upstream test under the asan framework aborts which probably confirms that faad has
already been fixed.

*After update*
The PoC returned exactly the same result, which seems to confirm the earlier conclusion.

vlc worked fine with svlc for MP3, MP4, MOV, and container formats like M4V and MKV, also WMV, AVI, ts and m2t.  Tested it with a free-to-air TV feed and video streamed over the network.  Subtitles working.  No problems with sound or vision.  Fullscreen, positioning controls, track skipping, speed control, pause and continue, reversing, snapshots, playlists... everything working as
expected.  Played audio CD and commercial DVD.
No idea how to test the bluray libraries - no free bluray discs if such things exist.  There was some such project a while ago.  Ubuntu has bluray support for vlc which needs libaacs0 for older blurays, libbluray-bdj and libbluray1 but my drive is DVD only.

Tainted updates good for 64-bits.
Comment 11 Len Lawrence 2019-07-24 04:55:41 CEST 
Mga6, x86_64

Installed the free vlc packages and updated all of them.  Played various audio and audio/video files.  Checked the functions provided by the interface.  TV channels in SD and HD.  Audio CDs played fine and non-commercial DVDs (BBC).

Good for 64-bits.
Len Lawrence 2019-07-24 04:56:05 CEST

Whiteboard: (none) => MGA6-64-OK

Comment 12 Thomas Andrews 2019-07-24 16:24:46 CEST 
Sounds like a thorough test to me, Len. I'm going to give it a 32-bit OK based on a clean install in a vbox guest.

Validating. Needs advisory information if that in Comment 0 is insufficient.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK
Keywords: (none) => validated_update

Dave Hodgins 2019-07-25 16:45:34 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 13 Mageia Robot 2019-07-25 21:54:26 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0215.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 14 David Walser 2019-08-12 01:18:00 CEST 
This update fixed CVE-2019-5439 in VLC:
https://usn.ubuntu.com/4074-1/
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-5439.html
Comment 15 David Walser 2019-08-12 01:19:21 CEST 
This update also fixed CVE-2019-12874 in VLC:
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12874.html