Hi!

thanks for the notification.

I submitted vlc-2.0.8 packages to Mageia {2 or 3}/{core or tainted}/updates_testing:

http://pkgsubmit.mageia.org/

I think their release is 1mga for Mageia 3 and 0.1mga for Mageia 2.

Regards,

-- Shlomi Fish

Mageia 2, i586
updated my vlc packages to:
vlc-plugin-common-2.0.8-0.1.mga2
libvlc5-2.0.8-0.1.mga2
vlc-2.0.8-0.1.mga2
vlc-plugin-pulse-2.0.8-0.1.mga2
vlc-plugin-theora-2.0.8-0.1.mga2
libvlccore5-2.0.8-0.1.mga2 

connected to my DVB-S tuner and watched an emission. Works fine, including enabling subtitles

CC: (none) => marja11, qa-bugs

Mga2, i586, with the following tainted packages:
vlc-plugin-common-2.0.8-0.1.mga2.tainted
vlc-2.0.8-0.1.mga2.tainted
libvlccore5-2.0.8-0.1.mga2.tainted
libvlc5-2.0.8-0.1.mga2.tainted
vlc-plugin-pulse-2.0.8-0.1.mga2.tainted
vlc-plugin-theora-2.0.8-0.1.mga2.tainted

works just as well. All kinds of menu items work like expected, too, but I didn't check them all.
Tell me if there is something I should specifically check

Assigning to QA so I will be able to get the list of packages and write an advisory. The advisory will come later.

Assignee: shlomif => qa-bugs

Hi Marja,

(In reply to Marja van Waes from comment #3)
> Mga2, i586, with the following tainted packages:
> vlc-plugin-common-2.0.8-0.1.mga2.tainted
> vlc-2.0.8-0.1.mga2.tainted
> libvlccore5-2.0.8-0.1.mga2.tainted
> libvlc5-2.0.8-0.1.mga2.tainted
> vlc-plugin-pulse-2.0.8-0.1.mga2.tainted
> vlc-plugin-theora-2.0.8-0.1.mga2.tainted
> 
> works just as well. All kinds of menu items work like expected, too, but I
> didn't check them all.
> Tell me if there is something I should specifically check

Well, perhaps we should verify that we can no longer reproduce the crashes, but I think VLC is a pretty solid problem and should only be lightly tested.

Regards,

-- Shlomi Fish

CC: (none) => shlomif

Shlomi, just FYI the other reason madb doesn't show all of the packages yet is that it looks for the SRPM names being listed somewhere in the bug.  Just pasting those right from pkgsubmit itself onto here should make the other packages show up.

Mageia 3, i586, the same packages from /core/updates_testing/ as mentioned above: everything works as expected.

@ Shlomi

I don't have the slightest idea how to reproduce one of those crashes that are fixed now, not even in the old version of vlc. I never had them and I use vlc a lot.

same vlc packages as mentioned above, now from 3/i586/media/tainted/updates_testing/ :
everything works fine

Package list for madb to do its thing:

vlc-2.0.8-0.1.mga2

vlc-2.0.8-1.mga3

(In reply to Shlomi Fish from comment #9)
> Package list for madb to do its thing:

Since it was missing the i586 packages, trying to add .src.rpm to see if it helps.

vlc-2.0.8-0.1.mga2.src.rpm
vlc-2.0.8-1.mga3.src.rpm

now the same packages, s/lib/lib64/ from 3/x86_64/media/core/updates_testing

Again everything works fine for me :)

and the tainted ones from 3/x86_64/media/tainted/updates_testing/ work as expected, too

vlc from 2/x86_64/media/core/updates_testing is OK, too

and vlc from 2/x86_64/media/tainted/updates_testing/ is OK as well (of course only for how I am used to using it and without knowing how the fixed crashes could/can be reproduced)

Thanks for testing Marja!

This can be validated at some point, obviously once we have an advisory.  I don't know if any more details of the issues fixed will come out in the next few days.  The release notes linked in Comment 0 are all we have right now.  As for the package lists, madb mostly has it, just still missing i586/mga2 (and doesn't show tainted at all), so I'm waiting to check with Stormi to see if we can get that sorted out.

Funda has pushed a new build of this for some reason, so it'll need to be tested again.

vlc-2.0.8-0.2.mga2.src.rpm
vlc-2.0.8-2.mga3.src.rpm

Can we please not start doing this. 

A proper package list should be provided on the bug, as required by the updates policy and needed by the QA team. As the madb fuction is now there, assuming srpms are properly listed in the bug, then there is no reason at all not to do this, it actually makes it easier to do once Sophie has caught up.

(In reply to David Walser from comment #16)
> Funda has pushed a new build of this for some reason, so it'll need to be
> tested again.
> 
> vlc-2.0.8-0.2.mga2.src.rpm
> vlc-2.0.8-2.mga3.src.rpm

It's because upstream did a few fixes and released a quick 2.0.8a...
http://git.videolan.org/?p=vlc/vlc-2.0.git;a=summary


and one of them affects linux, wich is what Funda pulled in:
http://svnweb.mageia.org/packages/updates/3/vlc/current/SOURCES/vlc-2.0.8-to-2.0.8a.patch?view=markup&pathrev=463112

CC: (none) => tmb

(In reply to claire robinson from comment #17)
> Can we please not start doing this. 
> 
> A proper package list should be provided on the bug, as required by the
> updates policy and needed by the QA team. As the madb fuction is now there,
> assuming srpms are properly listed in the bug, then there is no reason at
> all not to do this, it actually makes it easier to do once Sophie has caught
> up.

Please take it easy :D  I've been discussing this with Shlomi on IRC, and the madb function came about because we're trying to make it easier for packagers to do this, but the madb listing wasn't quite working correctly.  I was hoping to see Stormi to ask him about it.  I know we need the lists to make it easier to know what to test, and for the advisory, but Marja didn't have any issues finding what to test for this one specifically.  We haven't written a full advisory yet because this was just released and the information on it is a bit thin at this point (I don't know if more info will come out, but I was hoping maybe there would be a in a few days).  Point is, Shlomi understands the policy and we've discussed it, but it's a work in progress.  It could still be tested in the meantime (at least as long as people don't keep rebuilding it... :o).

It turns out that 2.0.7 also fixed a couple of security issues:
http://www.videolan.org/vlc/releases/2.0.7.html

Not sure why these aren't getting CVEs.  Here's more details on the issues fixed in the last two VLC releases, cobbled together from the git logs (thanks for the link tmb!) and the NEWS files.  I'm not 100% sure if the qtsound crash fix is a security issue, but the other ones are.  Also, note that vlc#7361 linked below has a link to a PoC.

2.0.8
Demux:
* sgimb: use after free (fixes #8724 https://trac.videolan.org/vlc/ticket/8724 )
* Improve resistance and checking against malformed MKV files
  (Check element size before reading it
   This should avoid integer overflows inside the libebml causing heap buffer
   overflow.
   Since new called by the lib is limited to SIZE_MAX bytes.)

Access:
* qtsound: fix crash when freeing memory

2.0.7
Input:
* Fix memory exhaustion vulnerability when playing specifically crafted
  playlist files.
  (stream_ReadLine: correctly return an error on overflow
   fixes #7361 https://trac.videolan.org/vlc/ticket/7361 )

HTTP Interface:
* lua http: Fix two xss vulnerabilities (CVE-2013-3565)

MGA3-32 not ok for me

in VirtualBox

default install vlc-2.0.6-1.mga3.tainted.i586 from core release
[root@localhost wilcal]# urpmi vlc
Package vlc-2.0.6-1.mga3.tainted.i586 is already installed

Opened VLC, played several mpeg2 mpeg4 flv mov video files and mp3 audio files.

install vlc-2.0.8-2.mga3.tainted.i586 from core updates_testing
Rerun testing with the same above files. All successful
[root@localhost wilcal]# urpmi vlc
Package vlc-2.0.8-2.mga3.tainted.i586 is already installed
But VLC -> Help -> About still reflects:
VLC media player 2.0.6 Twoflower, the old version

CC: (none) => wilcal.int

(In reply to William Kenney from comment #21)
> MGA3-32 not ok for me
> 
> in VirtualBox
> 
> default install vlc-2.0.6-1.mga3.tainted.i586 from core release
> [root@localhost wilcal]# urpmi vlc
> Package vlc-2.0.6-1.mga3.tainted.i586 is already installed
> 
> Opened VLC, played several mpeg2 mpeg4 flv mov video files and mp3 audio
> files.
> 
> install vlc-2.0.8-2.mga3.tainted.i586 from core updates_testing
> Rerun testing with the same above files. All successful
> [root@localhost wilcal]# urpmi vlc
> Package vlc-2.0.8-2.mga3.tainted.i586 is already installed
> But VLC -> Help -> About still reflects:
> VLC media player 2.0.6 Twoflower, the old version

That's strange. Are you sure you restarted VLC and all instances of it? Also try "pkill vlc".

Regards,

-- Shlomi Fish

@ William

what is the output of 
rpm -qa | grep vlc

(In reply to Shlomi Fish from comment #22)

> That's strange. Are you sure you restarted VLC and all instances of it? Also
> try "pkill vlc".

Still same result.

(In reply to Marja van Waes from comment #23)

> what is the output of 
> rpm -qa | grep vlc

[root@localhost wilcal]# rpm -qa | grep vlc
vlc-plugin-theora-2.0.8-2.mga3.tainted
libvlccore5-2.0.6-1.mga3.tainted
vlc-2.0.8-2.mga3.tainted
vlc-plugin-common-2.0.6-1.mga3.tainted
libvlc5-2.0.6-1.mga3.tainted
vlc-plugin-pulse-2.0.6-1.mga3.tainted

(In reply to William Kenney from comment #25)
> (In reply to Marja van Waes from comment #23)
> 
> > what is the output of 
> > rpm -qa | grep vlc
> 
> [root@localhost wilcal]# rpm -qa | grep vlc
> vlc-plugin-theora-2.0.8-2.mga3.tainted
> libvlccore5-2.0.6-1.mga3.tainted
> vlc-2.0.8-2.mga3.tainted
> vlc-plugin-common-2.0.6-1.mga3.tainted
> libvlc5-2.0.6-1.mga3.tainted
> vlc-plugin-pulse-2.0.6-1.mga3.tainted

Please update the five 2.0.6-1 packages you see above to 2.0.8-2 too :-)

(In reply to Marja van Waes from comment #26)

> Please update the five 2.0.6-1 packages you see above to 2.0.8-2 too :-)

Now is:

[root@localhost wilcal]# rpm -qa | grep vlc
vlc-plugin-theora-2.0.8-2.mga3.tainted
vlc-plugin-common-2.0.8-2.mga3.tainted
vlc-plugin-pulse-2.0.8-2.mga3.tainted
vlc-2.0.8-2.mga3.tainted
libvlccore5-2.0.8-2.mga3.tainted
libvlc5-2.0.8-2.mga3.tainted

And now VLC -> Help -> About is:
VLC media player 2.0.6 Twoflower

Should not just using the MCC do all those automatically?

Just to make sure, did you also reboot after updating? Maybe some libs are stuck in cache or something :/

CC: (none) => mageia

(In reply to Sander Lepik from comment #28)
> Just to make sure, did you also reboot after updating? Maybe some libs are
> stuck in cache or something :/

I did. I'm out of here for a few hours. When I return
I'll re-run the whole process. Should not just MCC updating
VLC take care of all of these?

(In reply to David Walser from comment #19)
> (In reply to claire robinson from comment #17)
> > Can we please not start doing this. 
> > 
> > A proper package list should be provided on the bug, as required by the
> > updates policy and needed by the QA team. As the madb fuction is now there,
> > assuming srpms are properly listed in the bug, then there is no reason at
> > all not to do this, it actually makes it easier to do once Sophie has caught
> > up.
> 
> Please take it easy :D  I've been discussing this with Shlomi on IRC, and
> the madb function came about because we're trying to make it easier for
> packagers to do this, but the madb listing wasn't quite working correctly. 
> I was hoping to see Stormi to ask him about it.  I know we need the lists to
> make it easier to know what to test, and for the advisory, but Marja didn't
> have any issues finding what to test for this one specifically.  We haven't
> written a full advisory yet because this was just released and the
> information on it is a bit thin at this point (I don't know if more info
> will come out, but I was hoping maybe there would be a in a few days). 
> Point is, Shlomi understands the policy and we've discussed it, but it's a
> work in progress.  It could still be tested in the meantime (at least as
> long as people don't keep rebuilding it... :o).


Marja is an apprentice packager, the advisories here should be appropriate for 'apprentice' QA team, or there is no point. Taking it easy or not..

(In reply to claire robinson from comment #30)
> Marja is an apprentice packager, the advisories here should be appropriate
> for 'apprentice' QA team, or there is no point. Taking it easy or not..

Fair enough, but Shlomi is the packager for this bug, and the advisory isn't ready yet.  That doesn't mean it isn't ready to be tested (it is), it just isn't quite ready to be validated and pushed yet.

I have absolutely no problem with going through this process here.
I use VLC a lot so I'm pretty familiar with it's work'ns.
I'll keep a test'n with what you got.

Here is the full list for Mga 3

vlc-2.0.8-2
lib64vlc5-2.0.8-2
lib64vlccore5-2.0.8-2
lib64vlc-devel-2.0.8-2
vlc-plugin-common-2.0.8-2
vlc-plugin-zvbi-2.0.8-2
vlc-plugin-kate-2.0.8-2
vlc-plugin-libass-2.0.8-2
vlc-plugin-lua-2.0.8-2
vlc-plugin-ncurses-2.0.8-2
vlc-plugin-lirc-2.0.8-2
svlc-2.0.8-2
vlc-plugin-aa-2.0.8-2
vlc-plugin-sdl-2.0.8-2
vlc-plugin-shout-2.0.8-2
vlc-plugin-opengl-2.0.8-2
vlc-plugin-projectm-2.0.8-2
vlc-plugin-theora-2.0.8-2
vlc-plugin-twolame-2.0.8-2
vlc-plugin-fluidsynth-2.0.8-2
vlc-plugin-gme-2.0.8-2
vlc-plugin-schroedinger-2.0.8-2
vlc-plugin-speex-2.0.8-2
vlc-plugin-flac-2.0.8-2
vlc-plugin-dv-2.0.8-2
vlc-plugin-mod-2.0.8-2
vlc-plugin-mpc-2.0.8-2
vlc-plugin-sid-2.0.8-2
vlc-plugin-pulse-2.0.8-2
vlc-plugin-jack-2.0.8-2
vlc-plugin-bonjour-2.0.8-2
vlc-plugin-upnp-2.0.8-2
vlc-plugin-gnutls-2.0.8-2
vlc-plugin-libnotify-2.0.8-2
vlc-debuginfo-2.0.8-2

taken from http://pkgsubmit.mageia.org/uploads/done/3/tainted/updates_testing/20130804065556.fwang.valstar.4540/vlc-2.0.8-2.mga3.tainted/build.0.20130804065605.log
Mga 2 doesn't have vlc-plugin-sid

I wouldn't know of a way to test each and everyone of those packages, though. What William did, testing some video and audio files in different formats, seems good enough.

Is it really needed to test that PoC ? I mean, even if the vulnerability is still there, this bug fixes other security issues.
If it is needed, step-by-step instructions on how to do that are welcome. Checking http://www.1337day.com/exploits/19220 and https://trac.videolan.org/vlc/attachment/ticket/7361/vlc.txt do not make me see how to do that.

and, of course, for i586

lib64vlc5-2.0.8-2
lib64vlccore5-2.0.8-2
lib64vlc-devel-2.0.8-2

should be:

libvlc5-2.0.8-2
libvlccore5-2.0.8-2
libvlc-devel-2.0.8-2

and insert a 0 for Mga 2
2.0.8-0.2

Adding Funda to the CC.

CC: (none) => fundawang

OK, let me be straight: the whole procedure here with the bug has made me angry and anxious, and it made me irritated. I was agitated from the fact that Funda uploaded a new package of VLC-2.0.8a without consulting me and once again stepped on my toes. Funda, do you read me - please stop doing that! If I update a package on Mageia 2/Mageia 3, please let me know by E-mail or IRC if there's a problem and not upload a package of your own.

Anyway, we need to test the new VLCs now, and to also generate a list of the affected RPMs in Mga2/Mga3 x86-64/i586 core/tainted updates_testing. How can we do that? When can we reach Stormi for fixing madb.mageia.org?

Regards,

-- Shlomi Fish

madb appears to be listing the packages correctly now:
http://mageia.madb.org/tools/listRpmsForQaBug/bugnum/10902%3F

This has also been made more difficult by the fact that upstream hasn't done a very good job identifying the security issues fixed, requesting CVEs, or generally making much information available.

Anyway, with the list of packages linked above and the info I posted in Comment 20, we should be able to generate an advisory.  I'll keep an eye out to see if any more info comes out today.

Hi David,

(In reply to David Walser from comment #38)
> madb appears to be listing the packages correctly now:
> http://mageia.madb.org/tools/listRpmsForQaBug/bugnum/10902%3F
> 

Thanks! It does indeed.

> This has also been made more difficult by the fact that upstream hasn't done
> a very good job identifying the security issues fixed, requesting CVEs, or
> generally making much information available.

Yes.

> 
> Anyway, with the list of packages linked above and the info I posted in
> Comment 20, we should be able to generate an advisory.  I'll keep an eye out
> to see if any more info comes out today.

Thanks! Were the packages properly tested yet?

Regards,

-- Shlomi Fish

tested with the following packages from 3/i586/media/core/updates_testing/
and after that with the same packages from 3/i586/media/tainted/updates_testing/
vlc-plugin-common-2.0.8-2
libvlc5-2.0.8-2
vlc-2.0.8-2
vlc-plugin-pulse-2.0.8-2
vlc-plugin-theora-2.0.8-2
libvlccore5-2.0.8-2

m3u video stream (als with subtitles), avi video and mp3 sound files all work fine, a link to a podcast.css that points to an mp3 works fine, too.
with tainted, the same files and streams work well, and so does mp4
About shows it is VLC Media Player 2.0.8 Twoflower

I did not try the PoC, because I don't understand how

Advisory 10902.adv uploaded to svn.

CC: (none) => davidwhodgins

Additional testing Mageia 3 i586.

I could reproduce the PoC from vlc#7361. A clarification on the procedure:
- Create a script called exploit.pl with the content of this file: https://trac.videolan.org/vlc/attachment/ticket/7361/vlc.txt
- Follow the command given in "usage": perl exploit.pl > file.vlc
(It also works with 'perl exploit.pl > file.m3u'
- Open the created file in VLC, the latter being opened in a terminal to see the error journal. See that your computer burns and you have to kill VLC.

The update candidate does fix vlc#7361 (both core and tainted versions).


I'm adding the MGA3-32-OK tag (since marja tested successfully that VLC works as intended), but I'd like to know about this:

----
# rpm -qa | grep vlc
vlc-plugin-theora-2.0.6-1.mga3.tainted
libvlccore5-2.0.6-1.mga3.tainted
libvlc5-2.0.6-1.mga3.tainted
vlc-2.0.6-1.mga3.tainted
vlc-plugin-pulse-2.0.6-1.mga3.tainted
vlc-plugin-common-2.0.6-1.mga3.tainted

# ecut
Enabling Core Updates Testing

# urpmi vlc
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Updates Testing")
  vlc                            2.0.8        2.mga3        i586    
  vlc-plugin-theora              2.0.8        2.mga3        i586
----

Is it the intended behaviour? I don't know how VLC is packaged, but I would expect "urpmi vlc" to install at least libvlc*, no?

CC: (none) => remi
Whiteboard: MGA2TOO => MGA2TOO MGA3-32-OK

(In reply to Rémi Verschelde from comment #42)
> Is it the intended behaviour? I don't know how VLC is packaged, but I would
> expect "urpmi vlc" to install at least libvlc*, no?

It just means that the main vlc package doesn't have versioned dependencies on its libraries, which is common, and such dependencies aren't strictly necessary.  You'll notice things like that if you try to update it using the method that you did, but regular users won't ever notice that.

(In reply to Rémi Verschelde from comment #42)

> 
> I could reproduce the PoC from vlc#7361. A clarification on the procedure:

Thanks a lot for the clarification, Rémi :)

Now tested the same six vlc packages as mentioned above, first from 
3/x86_64/media/core/updates_testing/
and then from
3/x86_64/media/tainted/updates_testing/
The results are just as good as for Mga3 i586 (see comment 40)
Using the PoC, vlc doesn't go crazy anymore :)

Whiteboard: MGA2TOO MGA3-32-OK => MGA2TOO MGA3-32-OK MGA3-64-OK

MGA2-32 ok for me

in VirtualBox

default install vlc-2.0.6-0.1.mga2.tainted.i586 from core release
[root@localhost wilcal]# urpmi vlc
Package vlc-2.0.6-0.1.mga2.tainted.i586 is already installed

Opened VLC, played several mpeg2 mpeg4 flv mov video files and mp3 audio files.

install vlc-2.0.8-0.2.mga2.tainted.i586 from core updates_testing
Rerun testing with the same above files. All successful
[root@localhost wilcal]# urpmi vlc
Package vlc-2.0.8-0.2.mga2.tainted.i586 is already installed

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm

Whiteboard: MGA2TOO MGA3-32-OK MGA3-64-OK => MGA2TOO MGA3-32-OK MGA3-64-OK MGA2-32-OK

MGA2-64 ok for me

in VirtualBox

default install vlc-2.0.6-0.1.mga2.tainted.x86_64 from core release
[root@localhost wilcal]# urpmi vlc
Package vlc-2.0.6-0.1.mga2.tainted.x86_64 is already installed

Opened VLC, played several mpeg2 mpeg4 flv mov video files and mp3 audio files.

install vlc-2.0.8-0.2.mga2.tainted.x86_64 from core updates_testing
Rerun testing with the same above files. All successful
[root@localhost wilcal]# urpmi vlc
Package vlc-2.0.8-0.2.mga2.tainted.x86_64 is already installed

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm

If it's a go with David it's a go for me.

Whiteboard: MGA2TOO MGA3-32-OK MGA3-64-OK MGA2-32-OK => MGA2TOO MGA3-32-OK MGA3-64-OK MGA2-32-OK MGA2-64-OK

Validating the update.

Could someone from the sysadmin team push 10902.adv to updates.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Update pushed:
http://advisories.mageia.org/MGASA-2013-0241.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED