| Summary: | vlc new security issue CVE-2020-13428 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Marc Krämer <mageia> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, mageia, mageia, rolfpedersen, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | vlc-3.0.10-1.mga7.src.rpm | CVE: | CVE-2020-13428 |
| Status comment: | |||
|
Description
Marc Krämer
2020-06-17 23:57:58 CEST
version 3.0.11 released.
Marc Krämer
2020-06-17 23:59:12 CEST
CVE:
(none) =>
CVE-2020-13428
David Walser
2020-06-18 02:17:46 CEST
Assignee:
bugsquad =>
shlomif NEWS file: https://git.videolan.org/?p=vlc/vlc-3.0.git;a=blob;f=NEWS;h=5a61ba26cec611bbc045fb235d40eba9e0a88ccf;hb=dc0c5ced7230e5660142302c7c1aef6cc14f3564 https://www.videolan.org/developers/vlc-branch/NEWS Debian has issued an advisory for this on June 16: https://www.debian.org/security/2020/dsa-4704 Fixed in mga7 updates_testing vlc-3.0.10-1.1.mga7 Assignee:
shlomif =>
qa-bugs Still needs fixed in Cauldron and really should be updated to 3.0.11. Whiteboard:
(none) =>
MGA7TOO update to 3.0.11 in mga7 ? Yes. new vlc available in mga7 vlc-3.0.11-1.mga7 Currently building in Cauldron, as well as mga7 tainted. If all builds succeed, it can be assigned to QA. Note that there are core and tainted builds. Advisory: ======================== Updated vlc packages fixes security vulnerability: A heap-based buffer overflow in the hxxx_AnnexB_to_xVC function in modules/packetizer/hxxx_nal.c in VideoLAN VLC media player before 3.0.11 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted H.264 Annex-B video (.avi for example) file (CVE-2020-13428). The vlc package has been updated to version 3.0.11, fixing this issue and other bugs. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13428 https://git.videolan.org/?p=vlc/vlc-3.0.git;a=blob;f=NEWS;h=5a61ba26cec611bbc045fb235d40eba9e0a88ccf;hb=dc0c5ced7230e5660142302c7c1aef6cc14f3564 ======================== Updated packages in {core,tainted}/updates_testing: ======================== vlc-3.0.11-1.mga7 libvlc5-3.0.11-1.mga7 libvlccore9-3.0.11-1.mga7 libvlc-devel-3.0.11-1.mga7 vlc-plugin-common-3.0.11-1.mga7 vlc-plugin-zvbi-3.0.11-1.mga7 vlc-plugin-kate-3.0.11-1.mga7 vlc-plugin-libass-3.0.11-1.mga7 vlc-plugin-lua-3.0.11-1.mga7 vlc-plugin-ncurses-3.0.11-1.mga7 vlc-plugin-lirc-3.0.11-1.mga7 svlc-3.0.11-1.mga7 vlc-plugin-aa-3.0.11-1.mga7 vlc-plugin-sdl-3.0.11-1.mga7 vlc-plugin-shout-3.0.11-1.mga7 vlc-plugin-opengl-3.0.11-1.mga7 vlc-plugin-vdpau-3.0.11-1.mga7 vlc-plugin-projectm-3.0.11-1.mga7 vlc-plugin-theora-3.0.11-1.mga7 vlc-plugin-twolame-3.0.11-1.mga7 vlc-plugin-fluidsynth-3.0.11-1.mga7 vlc-plugin-gme-3.0.11-1.mga7 vlc-plugin-schroedinger-3.0.11-1.mga7 vlc-plugin-speex-3.0.11-1.mga7 vlc-plugin-flac-3.0.11-1.mga7 vlc-plugin-dv-3.0.11-1.mga7 vlc-plugin-mod-3.0.11-1.mga7 vlc-plugin-mpc-3.0.11-1.mga7 vlc-plugin-sid-3.0.11-1.mga7 vlc-plugin-sndio-3.0.11-1.mga7 vlc-plugin-pulse-3.0.11-1.mga7 vlc-plugin-jack-3.0.11-1.mga7 vlc-plugin-upnp-3.0.11-1.mga7 vlc-plugin-gnutls-3.0.11-1.mga7 vlc-plugin-libnotify-3.0.11-1.mga7 vlc-plugin-chromaprint-3.0.11-1.mga7 vlc-plugin-samba-3.0.11-1.mga7 from vlc-3.0.11-1.mga7.src.rpm It built. Advisory in Comment 9. Whiteboard:
MGA7TOO =>
(none) Installed and tested without issues. Tested on a bunch of images, musics and videos. Tested local, upnp, http(s) podcasts, icecast, IP camera, rtps stream, audio capture, video capture, application capture. Tested software and vdpau playback. All worked correctly. No issues. System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver. $ uname -a Linux marte 5.6.14-desktop-2.mga7 #1 SMP Wed May 20 23:14:20 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux $ rpm -qa | grep vlc.*3.0 | sort lib64vlc5-3.0.11-1.mga7.tainted lib64vlccore9-3.0.11-1.mga7.tainted vlc-3.0.11-1.mga7.tainted vlc-plugin-common-3.0.11-1.mga7.tainted vlc-plugin-flac-3.0.11-1.mga7.tainted vlc-plugin-gnutls-3.0.11-1.mga7.tainted vlc-plugin-libass-3.0.11-1.mga7.tainted vlc-plugin-lua-3.0.11-1.mga7.tainted vlc-plugin-projectm-3.0.11-1.mga7.tainted vlc-plugin-pulse-3.0.11-1.mga7.tainted vlc-plugin-samba-3.0.11-1.mga7.tainted vlc-plugin-speex-3.0.11-1.mga7.tainted vlc-plugin-theora-3.0.11-1.mga7.tainted vlc-plugin-upnp-3.0.11-1.mga7.tainted vlc-plugin-vdpau-3.0.11-1.mga7.tainted CC:
(none) =>
mageia Tested the 64-bit non-tainted version on some videos from various digital cameras, some mp4, some avi. The following 9 packages are going to be installed: - lib64vlc5-3.0.11-1.mga7.x86_64 - lib64vlccore9-3.0.11-1.mga7.x86_64 - vlc-3.0.11-1.mga7.x86_64 - vlc-plugin-common-3.0.11-1.mga7.x86_64 - vlc-plugin-flac-3.0.11-1.mga7.x86_64 - vlc-plugin-pulse-3.0.11-1.mga7.x86_64 - vlc-plugin-speex-3.0.11-1.mga7.x86_64 - vlc-plugin-theora-3.0.11-1.mga7.x86_64 - vlc-plugin-vdpau-3.0.11-1.mga7.x86_64 No installation issues, and the videos played just fine. I'm actually surprised. I thought I had upgraded to the tainted version on this install long ago, but I guess not. Since both tainted and non-tainted are working, I'm giving this an OK, and validating. Advisory in Comment 9. Whiteboard:
(none) =>
MGA7-64-OK
Nicolas Lécureuil
2020-07-05 00:01:14 CEST
Keywords:
(none) =>
advisory An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0272.html Resolution:
(none) =>
FIXED Hi, The applet announced vlc updates and I authorized without looking too closely, a testament to a long history of the fine work of Mageia devels! However, my tainted versions were removed, e.g. [rolf@x570i extensions]$ sudo journalctl | grep vlc | grep erase | head -n 3 Jul 04 17:09:05 x570i [RPM][11857]: erase vlc-plugin-speex-3.0.10-1.mga7.tainted.x86_64: success Jul 04 17:09:05 x570i [RPM][11857]: erase vlc-plugin-flac-3.0.10-1.mga7.tainted.x86_64: success Jul 04 17:09:05 x570i [RPM][11857]: erase vlc-plugin-samba-3.0.10-1.mga7.tainted.x86_64: success [rolf@x570i extensions]$ sudo journalctl | grep vlc | tail -n 3 Jul 04 17:09:13 x570i [RPM][11857]: install vlc-plugin-common-3.0.11-1.mga7.x86_64: success Jul 04 17:09:13 x570i [RPM][11857]: install vlc-plugin-flac-3.0.11-1.mga7.x86_64: success Jul 04 17:09:13 x570i [RPM][11857]: install vlc-plugin-speex-3.0.11-1.mga7.x86_64: success [rolf@x570i extensions]$ urpmq --sources vlc http://mirrors.kernel.org/mageia/distrib/7/x86_64/media/core/release/vlc-3.0.7.1-1.mga7.x86_64.rpm http://mirrors.kernel.org/mageia/distrib/7/x86_64/media/core/updates/vlc-3.0.8-1.mga7.x86_64.rpm http://mirrors.kernel.org/mageia/distrib/7/x86_64/media/core/updates/vlc-3.0.10-1.mga7.x86_64.rpm http://mirrors.kernel.org/mageia/distrib/7/x86_64/media/core/updates/vlc-3.0.11-1.mga7.x86_64.rpm http://mirrors.kernel.org/mageia/distrib/7/x86_64/media/tainted/release/vlc-3.0.7.1-1.mga7.tainted.x86_64.rpm http://mirrors.kernel.org/mageia/distrib/7/x86_64/media/tainted/updates/vlc-3.0.8-1.mga7.tainted.x86_64.rpm http://mirrors.kernel.org/mageia/distrib/7/x86_64/media/tainted/updates/vlc-3.0.10-1.mga7.tainted.x86_64.rpm I see the advisory page does not mention tainted, where up-bug it is. Was this pushed too soon? I haven't noticed this sort of thing happening before. Thanks. CC:
(none) =>
rolfpedersen bug 26897 created for getting the tainted versions pushed, that should have been included in this bug as per comment 9 CC:
(none) =>
davidwhodgins it was missing tainted on the src.rpm list. I will move it manually then. done In the future, make sure you add tainted in the SVN advisory. |