Bug 10902 - vlc new security issues fixed in 2.0.8
: vlc new security issues fixed in 2.0.8
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 3
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
:
: MGA2TOO MGA3-32-OK MGA3-64-OK MGA2-32...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-08-02 16:32 CEST by David Walser
Modified: 2013-08-09 19:34 CEST (History)
10 users (show)

See Also:
Source RPM: vlc-2.0.6-1.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-08-02 16:32:27 CEST
Upstream has released version 2.0.8 on July 29:
http://www.videolan.org/vlc/releases/2.0.8.html

They said it is a security release.

From the fixes listed for 2.0.8, any of these might be security issues, but I don't have any more information on what is or isn't.

    Fix crash in QTsound.
    Fix use-after-free in sgimb module.
    Fix crashes in libavcodec module.
    Fix invalid memcpy in MMS access module.
    Improve resitance against malformed MKV files.

These issues are also fixed in 2.1.0-pre2, which we have in Cauldron.

Reproducible: 

Steps to Reproduce:
Comment 1 Shlomi Fish 2013-08-03 10:35:34 CEST
Hi!

thanks for the notification.

I submitted vlc-2.0.8 packages to Mageia {2 or 3}/{core or tainted}/updates_testing:

http://pkgsubmit.mageia.org/

I think their release is 1mga for Mageia 3 and 0.1mga for Mageia 2.

Regards,

-- Shlomi Fish
Comment 2 Marja van Waes 2013-08-03 14:44:41 CEST
Mageia 2, i586
updated my vlc packages to:
vlc-plugin-common-2.0.8-0.1.mga2
libvlc5-2.0.8-0.1.mga2
vlc-2.0.8-0.1.mga2
vlc-plugin-pulse-2.0.8-0.1.mga2
vlc-plugin-theora-2.0.8-0.1.mga2
libvlccore5-2.0.8-0.1.mga2 

connected to my DVB-S tuner and watched an emission. Works fine, including enabling subtitles
Comment 3 Marja van Waes 2013-08-03 15:10:12 CEST
Mga2, i586, with the following tainted packages:
vlc-plugin-common-2.0.8-0.1.mga2.tainted
vlc-2.0.8-0.1.mga2.tainted
libvlccore5-2.0.8-0.1.mga2.tainted
libvlc5-2.0.8-0.1.mga2.tainted
vlc-plugin-pulse-2.0.8-0.1.mga2.tainted
vlc-plugin-theora-2.0.8-0.1.mga2.tainted

works just as well. All kinds of menu items work like expected, too, but I didn't check them all.
Tell me if there is something I should specifically check
Comment 4 Shlomi Fish 2013-08-03 15:17:44 CEST
Assigning to QA so I will be able to get the list of packages and write an advisory. The advisory will come later.
Comment 5 Shlomi Fish 2013-08-03 15:21:39 CEST
Hi Marja,

(In reply to Marja van Waes from comment #3)
> Mga2, i586, with the following tainted packages:
> vlc-plugin-common-2.0.8-0.1.mga2.tainted
> vlc-2.0.8-0.1.mga2.tainted
> libvlccore5-2.0.8-0.1.mga2.tainted
> libvlc5-2.0.8-0.1.mga2.tainted
> vlc-plugin-pulse-2.0.8-0.1.mga2.tainted
> vlc-plugin-theora-2.0.8-0.1.mga2.tainted
> 
> works just as well. All kinds of menu items work like expected, too, but I
> didn't check them all.
> Tell me if there is something I should specifically check

Well, perhaps we should verify that we can no longer reproduce the crashes, but I think VLC is a pretty solid problem and should only be lightly tested.

Regards,

-- Shlomi Fish
Comment 6 David Walser 2013-08-03 15:35:00 CEST
Shlomi, just FYI the other reason madb doesn't show all of the packages yet is that it looks for the SRPM names being listed somewhere in the bug.  Just pasting those right from pkgsubmit itself onto here should make the other packages show up.
Comment 7 Marja van Waes 2013-08-03 15:53:47 CEST
Mageia 3, i586, the same packages from /core/updates_testing/ as mentioned above: everything works as expected.

@ Shlomi

I don't have the slightest idea how to reproduce one of those crashes that are fixed now, not even in the old version of vlc. I never had them and I use vlc a lot.
Comment 8 Marja van Waes 2013-08-03 16:23:03 CEST
same vlc packages as mentioned above, now from 3/i586/media/tainted/updates_testing/ :
everything works fine
Comment 9 Shlomi Fish 2013-08-03 16:33:24 CEST
Package list for madb to do its thing:

vlc-2.0.8-0.1.mga2

vlc-2.0.8-1.mga3
Comment 10 David Walser 2013-08-03 17:01:11 CEST
(In reply to Shlomi Fish from comment #9)
> Package list for madb to do its thing:

Since it was missing the i586 packages, trying to add .src.rpm to see if it helps.

vlc-2.0.8-0.1.mga2.src.rpm
vlc-2.0.8-1.mga3.src.rpm
Comment 11 Marja van Waes 2013-08-03 17:30:41 CEST
now the same packages, s/lib/lib64/ from 3/x86_64/media/core/updates_testing

Again everything works fine for me :)
Comment 12 Marja van Waes 2013-08-03 17:39:17 CEST
and the tainted ones from 3/x86_64/media/tainted/updates_testing/ work as expected, too
Comment 13 Marja van Waes 2013-08-03 20:01:12 CEST
vlc from 2/x86_64/media/core/updates_testing is OK, too
Comment 14 Marja van Waes 2013-08-03 20:24:54 CEST
and vlc from 2/x86_64/media/tainted/updates_testing/ is OK as well (of course only for how I am used to using it and without knowing how the fixed crashes could/can be reproduced)
Comment 15 David Walser 2013-08-03 20:29:48 CEST
Thanks for testing Marja!

This can be validated at some point, obviously once we have an advisory.  I don't know if any more details of the issues fixed will come out in the next few days.  The release notes linked in Comment 0 are all we have right now.  As for the package lists, madb mostly has it, just still missing i586/mga2 (and doesn't show tainted at all), so I'm waiting to check with Stormi to see if we can get that sorted out.
Comment 16 David Walser 2013-08-04 11:52:00 CEST
Funda has pushed a new build of this for some reason, so it'll need to be tested again.

vlc-2.0.8-0.2.mga2.src.rpm
vlc-2.0.8-2.mga3.src.rpm
Comment 17 claire robinson 2013-08-04 12:21:09 CEST
Can we please not start doing this. 

A proper package list should be provided on the bug, as required by the updates policy and needed by the QA team. As the madb fuction is now there, assuming srpms are properly listed in the bug, then there is no reason at all not to do this, it actually makes it easier to do once Sophie has caught up.
Comment 18 Thomas Backlund 2013-08-04 12:47:11 CEST
(In reply to David Walser from comment #16)
> Funda has pushed a new build of this for some reason, so it'll need to be
> tested again.
> 
> vlc-2.0.8-0.2.mga2.src.rpm
> vlc-2.0.8-2.mga3.src.rpm

It's because upstream did a few fixes and released a quick 2.0.8a...
http://git.videolan.org/?p=vlc/vlc-2.0.git;a=summary


and one of them affects linux, wich is what Funda pulled in:
http://svnweb.mageia.org/packages/updates/3/vlc/current/SOURCES/vlc-2.0.8-to-2.0.8a.patch?view=markup&pathrev=463112
Comment 19 David Walser 2013-08-04 16:41:00 CEST
(In reply to claire robinson from comment #17)
> Can we please not start doing this. 
> 
> A proper package list should be provided on the bug, as required by the
> updates policy and needed by the QA team. As the madb fuction is now there,
> assuming srpms are properly listed in the bug, then there is no reason at
> all not to do this, it actually makes it easier to do once Sophie has caught
> up.

Please take it easy :D  I've been discussing this with Shlomi on IRC, and the madb function came about because we're trying to make it easier for packagers to do this, but the madb listing wasn't quite working correctly.  I was hoping to see Stormi to ask him about it.  I know we need the lists to make it easier to know what to test, and for the advisory, but Marja didn't have any issues finding what to test for this one specifically.  We haven't written a full advisory yet because this was just released and the information on it is a bit thin at this point (I don't know if more info will come out, but I was hoping maybe there would be a in a few days).  Point is, Shlomi understands the policy and we've discussed it, but it's a work in progress.  It could still be tested in the meantime (at least as long as people don't keep rebuilding it... :o).
Comment 20 David Walser 2013-08-04 17:33:00 CEST
It turns out that 2.0.7 also fixed a couple of security issues:
http://www.videolan.org/vlc/releases/2.0.7.html

Not sure why these aren't getting CVEs.  Here's more details on the issues fixed in the last two VLC releases, cobbled together from the git logs (thanks for the link tmb!) and the NEWS files.  I'm not 100% sure if the qtsound crash fix is a security issue, but the other ones are.  Also, note that vlc#7361 linked below has a link to a PoC.

2.0.8
Demux:
* sgimb: use after free (fixes #8724 https://trac.videolan.org/vlc/ticket/8724 )
* Improve resistance and checking against malformed MKV files
  (Check element size before reading it
   This should avoid integer overflows inside the libebml causing heap buffer
   overflow.
   Since new called by the lib is limited to SIZE_MAX bytes.)

Access:
* qtsound: fix crash when freeing memory

2.0.7
Input:
* Fix memory exhaustion vulnerability when playing specifically crafted
  playlist files.
  (stream_ReadLine: correctly return an error on overflow
   fixes #7361 https://trac.videolan.org/vlc/ticket/7361 )

HTTP Interface:
* lua http: Fix two xss vulnerabilities (CVE-2013-3565)
Comment 21 William Kenney 2013-08-04 18:32:03 CEST
MGA3-32 not ok for me

in VirtualBox

default install vlc-2.0.6-1.mga3.tainted.i586 from core release
[root@localhost wilcal]# urpmi vlc
Package vlc-2.0.6-1.mga3.tainted.i586 is already installed

Opened VLC, played several mpeg2 mpeg4 flv mov video files and mp3 audio files.

install vlc-2.0.8-2.mga3.tainted.i586 from core updates_testing
Rerun testing with the same above files. All successful
[root@localhost wilcal]# urpmi vlc
Package vlc-2.0.8-2.mga3.tainted.i586 is already installed
But VLC -> Help -> About still reflects:
VLC media player 2.0.6 Twoflower, the old version
Comment 22 Shlomi Fish 2013-08-04 19:11:18 CEST
(In reply to William Kenney from comment #21)
> MGA3-32 not ok for me
> 
> in VirtualBox
> 
> default install vlc-2.0.6-1.mga3.tainted.i586 from core release
> [root@localhost wilcal]# urpmi vlc
> Package vlc-2.0.6-1.mga3.tainted.i586 is already installed
> 
> Opened VLC, played several mpeg2 mpeg4 flv mov video files and mp3 audio
> files.
> 
> install vlc-2.0.8-2.mga3.tainted.i586 from core updates_testing
> Rerun testing with the same above files. All successful
> [root@localhost wilcal]# urpmi vlc
> Package vlc-2.0.8-2.mga3.tainted.i586 is already installed
> But VLC -> Help -> About still reflects:
> VLC media player 2.0.6 Twoflower, the old version

That's strange. Are you sure you restarted VLC and all instances of it? Also try "pkill vlc".

Regards,

-- Shlomi Fish
Comment 23 Marja van Waes 2013-08-04 19:14:12 CEST
@ William

what is the output of 
rpm -qa | grep vlc
Comment 24 William Kenney 2013-08-04 19:26:10 CEST
(In reply to Shlomi Fish from comment #22)

> That's strange. Are you sure you restarted VLC and all instances of it? Also
> try "pkill vlc".

Still same result.
Comment 25 William Kenney 2013-08-04 19:28:28 CEST
(In reply to Marja van Waes from comment #23)

> what is the output of 
> rpm -qa | grep vlc

[root@localhost wilcal]# rpm -qa | grep vlc
vlc-plugin-theora-2.0.8-2.mga3.tainted
libvlccore5-2.0.6-1.mga3.tainted
vlc-2.0.8-2.mga3.tainted
vlc-plugin-common-2.0.6-1.mga3.tainted
libvlc5-2.0.6-1.mga3.tainted
vlc-plugin-pulse-2.0.6-1.mga3.tainted
Comment 26 Marja van Waes 2013-08-04 19:49:46 CEST
(In reply to William Kenney from comment #25)
> (In reply to Marja van Waes from comment #23)
> 
> > what is the output of 
> > rpm -qa | grep vlc
> 
> [root@localhost wilcal]# rpm -qa | grep vlc
> vlc-plugin-theora-2.0.8-2.mga3.tainted
> libvlccore5-2.0.6-1.mga3.tainted
> vlc-2.0.8-2.mga3.tainted
> vlc-plugin-common-2.0.6-1.mga3.tainted
> libvlc5-2.0.6-1.mga3.tainted
> vlc-plugin-pulse-2.0.6-1.mga3.tainted

Please update the five 2.0.6-1 packages you see above to 2.0.8-2 too :-)
Comment 27 William Kenney 2013-08-04 20:13:02 CEST
(In reply to Marja van Waes from comment #26)

> Please update the five 2.0.6-1 packages you see above to 2.0.8-2 too :-)

Now is:

[root@localhost wilcal]# rpm -qa | grep vlc
vlc-plugin-theora-2.0.8-2.mga3.tainted
vlc-plugin-common-2.0.8-2.mga3.tainted
vlc-plugin-pulse-2.0.8-2.mga3.tainted
vlc-2.0.8-2.mga3.tainted
libvlccore5-2.0.8-2.mga3.tainted
libvlc5-2.0.8-2.mga3.tainted

And now VLC -> Help -> About is:
VLC media player 2.0.6 Twoflower

Should not just using the MCC do all those automatically?
Comment 28 Sander Lepik 2013-08-04 20:27:20 CEST
Just to make sure, did you also reboot after updating? Maybe some libs are stuck in cache or something :/
Comment 29 William Kenney 2013-08-04 20:29:56 CEST
(In reply to Sander Lepik from comment #28)
> Just to make sure, did you also reboot after updating? Maybe some libs are
> stuck in cache or something :/

I did. I'm out of here for a few hours. When I return
I'll re-run the whole process. Should not just MCC updating
VLC take care of all of these?
Comment 30 claire robinson 2013-08-04 21:00:17 CEST
(In reply to David Walser from comment #19)
> (In reply to claire robinson from comment #17)
> > Can we please not start doing this. 
> > 
> > A proper package list should be provided on the bug, as required by the
> > updates policy and needed by the QA team. As the madb fuction is now there,
> > assuming srpms are properly listed in the bug, then there is no reason at
> > all not to do this, it actually makes it easier to do once Sophie has caught
> > up.
> 
> Please take it easy :D  I've been discussing this with Shlomi on IRC, and
> the madb function came about because we're trying to make it easier for
> packagers to do this, but the madb listing wasn't quite working correctly. 
> I was hoping to see Stormi to ask him about it.  I know we need the lists to
> make it easier to know what to test, and for the advisory, but Marja didn't
> have any issues finding what to test for this one specifically.  We haven't
> written a full advisory yet because this was just released and the
> information on it is a bit thin at this point (I don't know if more info
> will come out, but I was hoping maybe there would be a in a few days). 
> Point is, Shlomi understands the policy and we've discussed it, but it's a
> work in progress.  It could still be tested in the meantime (at least as
> long as people don't keep rebuilding it... :o).


Marja is an apprentice packager, the advisories here should be appropriate for 'apprentice' QA team, or there is no point. Taking it easy or not..
Comment 31 David Walser 2013-08-04 22:41:31 CEST
(In reply to claire robinson from comment #30)
> Marja is an apprentice packager, the advisories here should be appropriate
> for 'apprentice' QA team, or there is no point. Taking it easy or not..

Fair enough, but Shlomi is the packager for this bug, and the advisory isn't ready yet.  That doesn't mean it isn't ready to be tested (it is), it just isn't quite ready to be validated and pushed yet.
Comment 32 William Kenney 2013-08-05 02:22:41 CEST
I have absolutely no problem with going through this process here.
I use VLC a lot so I'm pretty familiar with it's work'ns.
I'll keep a test'n with what you got.
Comment 33 Marja van Waes 2013-08-05 09:14:41 CEST
Here is the full list for Mga 3

vlc-2.0.8-2
lib64vlc5-2.0.8-2
lib64vlccore5-2.0.8-2
lib64vlc-devel-2.0.8-2
vlc-plugin-common-2.0.8-2
vlc-plugin-zvbi-2.0.8-2
vlc-plugin-kate-2.0.8-2
vlc-plugin-libass-2.0.8-2
vlc-plugin-lua-2.0.8-2
vlc-plugin-ncurses-2.0.8-2
vlc-plugin-lirc-2.0.8-2
svlc-2.0.8-2
vlc-plugin-aa-2.0.8-2
vlc-plugin-sdl-2.0.8-2
vlc-plugin-shout-2.0.8-2
vlc-plugin-opengl-2.0.8-2
vlc-plugin-projectm-2.0.8-2
vlc-plugin-theora-2.0.8-2
vlc-plugin-twolame-2.0.8-2
vlc-plugin-fluidsynth-2.0.8-2
vlc-plugin-gme-2.0.8-2
vlc-plugin-schroedinger-2.0.8-2
vlc-plugin-speex-2.0.8-2
vlc-plugin-flac-2.0.8-2
vlc-plugin-dv-2.0.8-2
vlc-plugin-mod-2.0.8-2
vlc-plugin-mpc-2.0.8-2
vlc-plugin-sid-2.0.8-2
vlc-plugin-pulse-2.0.8-2
vlc-plugin-jack-2.0.8-2
vlc-plugin-bonjour-2.0.8-2
vlc-plugin-upnp-2.0.8-2
vlc-plugin-gnutls-2.0.8-2
vlc-plugin-libnotify-2.0.8-2
vlc-debuginfo-2.0.8-2

taken from http://pkgsubmit.mageia.org/uploads/done/3/tainted/updates_testing/20130804065556.fwang.valstar.4540/vlc-2.0.8-2.mga3.tainted/build.0.20130804065605.log
Mga 2 doesn't have vlc-plugin-sid

I wouldn't know of a way to test each and everyone of those packages, though. What William did, testing some video and audio files in different formats, seems good enough.

Is it really needed to test that PoC ? I mean, even if the vulnerability is still there, this bug fixes other security issues.
If it is needed, step-by-step instructions on how to do that are welcome. Checking http://www.1337day.com/exploits/19220 and https://trac.videolan.org/vlc/attachment/ticket/7361/vlc.txt do not make me see how to do that.
Comment 34 Marja van Waes 2013-08-05 09:21:51 CEST
and, of course, for i586

lib64vlc5-2.0.8-2
lib64vlccore5-2.0.8-2
lib64vlc-devel-2.0.8-2

should be:

libvlc5-2.0.8-2
libvlccore5-2.0.8-2
libvlc-devel-2.0.8-2
Comment 35 Marja van Waes 2013-08-05 09:23:04 CEST
and insert a 0 for Mga 2
2.0.8-0.2
Comment 36 Shlomi Fish 2013-08-05 11:15:06 CEST
Adding Funda to the CC.
Comment 37 Shlomi Fish 2013-08-05 11:20:18 CEST
OK, let me be straight: the whole procedure here with the bug has made me angry and anxious, and it made me irritated. I was agitated from the fact that Funda uploaded a new package of VLC-2.0.8a without consulting me and once again stepped on my toes. Funda, do you read me - please stop doing that! If I update a package on Mageia 2/Mageia 3, please let me know by E-mail or IRC if there's a problem and not upload a package of your own.

Anyway, we need to test the new VLCs now, and to also generate a list of the affected RPMs in Mga2/Mga3 x86-64/i586 core/tainted updates_testing. How can we do that? When can we reach Stormi for fixing madb.mageia.org?

Regards,

-- Shlomi Fish
Comment 38 David Walser 2013-08-05 11:26:13 CEST
madb appears to be listing the packages correctly now:
http://mageia.madb.org/tools/listRpmsForQaBug/bugnum/10902%3F

This has also been made more difficult by the fact that upstream hasn't done a very good job identifying the security issues fixed, requesting CVEs, or generally making much information available.

Anyway, with the list of packages linked above and the info I posted in Comment 20, we should be able to generate an advisory.  I'll keep an eye out to see if any more info comes out today.
Comment 39 Shlomi Fish 2013-08-05 11:35:19 CEST
Hi David,

(In reply to David Walser from comment #38)
> madb appears to be listing the packages correctly now:
> http://mageia.madb.org/tools/listRpmsForQaBug/bugnum/10902%3F
> 

Thanks! It does indeed.

> This has also been made more difficult by the fact that upstream hasn't done
> a very good job identifying the security issues fixed, requesting CVEs, or
> generally making much information available.

Yes.

> 
> Anyway, with the list of packages linked above and the info I posted in
> Comment 20, we should be able to generate an advisory.  I'll keep an eye out
> to see if any more info comes out today.

Thanks! Were the packages properly tested yet?

Regards,

-- Shlomi Fish
Comment 40 Marja van Waes 2013-08-05 18:13:07 CEST
tested with the following packages from 3/i586/media/core/updates_testing/
and after that with the same packages from 3/i586/media/tainted/updates_testing/
vlc-plugin-common-2.0.8-2
libvlc5-2.0.8-2
vlc-2.0.8-2
vlc-plugin-pulse-2.0.8-2
vlc-plugin-theora-2.0.8-2
libvlccore5-2.0.8-2

m3u video stream (als with subtitles), avi video and mp3 sound files all work fine, a link to a podcast.css that points to an mp3 works fine, too.
with tainted, the same files and streams work well, and so does mp4
About shows it is VLC Media Player 2.0.8 Twoflower

I did not try the PoC, because I don't understand how
Comment 41 Dave Hodgins 2013-08-06 03:36:35 CEST
Advisory 10902.adv uploaded to svn.
Comment 42 Rémi Verschelde 2013-08-06 12:10:59 CEST
Additional testing Mageia 3 i586.

I could reproduce the PoC from vlc#7361. A clarification on the procedure:
- Create a script called exploit.pl with the content of this file: https://trac.videolan.org/vlc/attachment/ticket/7361/vlc.txt
- Follow the command given in "usage": perl exploit.pl > file.vlc
(It also works with 'perl exploit.pl > file.m3u'
- Open the created file in VLC, the latter being opened in a terminal to see the error journal. See that your computer burns and you have to kill VLC.

The update candidate does fix vlc#7361 (both core and tainted versions).


I'm adding the MGA3-32-OK tag (since marja tested successfully that VLC works as intended), but I'd like to know about this:

----
# rpm -qa | grep vlc
vlc-plugin-theora-2.0.6-1.mga3.tainted
libvlccore5-2.0.6-1.mga3.tainted
libvlc5-2.0.6-1.mga3.tainted
vlc-2.0.6-1.mga3.tainted
vlc-plugin-pulse-2.0.6-1.mga3.tainted
vlc-plugin-common-2.0.6-1.mga3.tainted

# ecut
Enabling Core Updates Testing

# urpmi vlc
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Updates Testing")
  vlc                            2.0.8        2.mga3        i586    
  vlc-plugin-theora              2.0.8        2.mga3        i586
----

Is it the intended behaviour? I don't know how VLC is packaged, but I would expect "urpmi vlc" to install at least libvlc*, no?
Comment 43 David Walser 2013-08-06 13:02:25 CEST
(In reply to Rémi Verschelde from comment #42)
> Is it the intended behaviour? I don't know how VLC is packaged, but I would
> expect "urpmi vlc" to install at least libvlc*, no?

It just means that the main vlc package doesn't have versioned dependencies on its libraries, which is common, and such dependencies aren't strictly necessary.  You'll notice things like that if you try to update it using the method that you did, but regular users won't ever notice that.
Comment 44 Marja van Waes 2013-08-06 17:35:25 CEST
(In reply to Rémi Verschelde from comment #42)

> 
> I could reproduce the PoC from vlc#7361. A clarification on the procedure:

Thanks a lot for the clarification, Rémi :)

Now tested the same six vlc packages as mentioned above, first from 
3/x86_64/media/core/updates_testing/
and then from
3/x86_64/media/tainted/updates_testing/
The results are just as good as for Mga3 i586 (see comment 40)
Using the PoC, vlc doesn't go crazy anymore :)
Comment 45 William Kenney 2013-08-07 18:58:59 CEST
MGA2-32 ok for me

in VirtualBox

default install vlc-2.0.6-0.1.mga2.tainted.i586 from core release
[root@localhost wilcal]# urpmi vlc
Package vlc-2.0.6-0.1.mga2.tainted.i586 is already installed

Opened VLC, played several mpeg2 mpeg4 flv mov video files and mp3 audio files.

install vlc-2.0.8-0.2.mga2.tainted.i586 from core updates_testing
Rerun testing with the same above files. All successful
[root@localhost wilcal]# urpmi vlc
Package vlc-2.0.8-0.2.mga2.tainted.i586 is already installed

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm
Comment 46 William Kenney 2013-08-07 19:00:02 CEST
MGA2-64 ok for me

in VirtualBox

default install vlc-2.0.6-0.1.mga2.tainted.x86_64 from core release
[root@localhost wilcal]# urpmi vlc
Package vlc-2.0.6-0.1.mga2.tainted.x86_64 is already installed

Opened VLC, played several mpeg2 mpeg4 flv mov video files and mp3 audio files.

install vlc-2.0.8-0.2.mga2.tainted.x86_64 from core updates_testing
Rerun testing with the same above files. All successful
[root@localhost wilcal]# urpmi vlc
Package vlc-2.0.8-0.2.mga2.tainted.x86_64 is already installed

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
VirtualBox 4.2.16-1.mga3.x86_64.rpm

If it's a go with David it's a go for me.
Comment 47 Dave Hodgins 2013-08-08 02:09:18 CEST
Validating the update.

Could someone from the sysadmin team push 10902.adv to updates.
Comment 48 Thomas Backlund 2013-08-09 19:34:55 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0241.html

Note You need to log in before you can comment on or make changes to this bug.