Debian has issued an advisory on July 7:
https://www.debian.org/security/2014/dsa-2973

The first 2 CVEs there are already fixed in both Mageia 3 and Mageia 4.

CVE-2013-4388 is fixed in Mageia 4, but for Mageia 3 it would need to be updated to at least 2.0.9, where that one was fixed upstream. The NEWS file also lists a modplug issue fixed in 2.0.9, but we build against system modplug, so that'd be a non-issue:
http://www.videolan.org/developers/vlc-branch/NEWS

There is a 2.0.10 that we could possibly update to. The only thing the NEWS file lists for that that looks security relevant is:
"Add protection against several potential heap buffer overflow in libebml"

However, the only commit in GIT I can find that seems to refer to that was in the 2.0.8 release (see "Check element size before reading it"):
http://git.videolan.org/?p=vlc/vlc-2.0.git;a=shortlog

That GIT log for the 2.0 branch also mentions that updates the bundled live555 to 2013.11.26 for "security issues" for which it does not give any further information. Our package is built against the system live, which is older than 2013.11.26 in both Mageia 3 and Mageia 4, so perhaps we need to update it.

The GIT log for 2.0 also lists "vlc_readdir: fix integer overflow on error."

For Mageia 4, looking at the NEWS file again, it lists this for 2.1.3:
"Fix integer overflow on error when using vlc_readdir"
"Avoid an infinite recursion in MKV tags parsing"
both of which could indicate security issues.

For 2.1.5 it lists fixes for bundled libpng and gnutls libraries. We do have a BR for gnutls-devel. We don't have one for png-devel, but perhaps it's getting pulled in by another BR, as vlc-plugin-common is linked to the system png library on both Mageia 3 and Mageia 4.

There does not appear to be anything else security relevant in the git logs for the 2.1 branch.

In summary, we should probably update to VLC 2.0.10 on Mageia 3 and VLC 2.1.5 on Mageia 4, as well as updating live555 (live package) to the current version (which I also need to update in Cauldron). FWIW, VLC 2.0.10 bundles 2014.01.21 and VLC 2.1.5 bundles 2014.05.27.
CC: (none) => fundawang
Whiteboard: (none) => MGA3TOO
The upstream changelog for live555 mentions the security issue: http://live555.com/liveMedia/public/changelog.txt See the entries under 2013.11.26 and 2013.11.29. The live555 code is statically compiled into both mplayer and vlc, so after submitting an updated build for the live package (done), I need to submit rebuilds for mplayer and the updates for vlc.
Updated live and vlc packages and rebuilt mplayer packages uploaded for Mageia 3 and Mageia 4.

Please note that there are core and tainted builds for vlc and mplayer.

Advisory:
========================

Updated live, mplayer, and vlc packages fix security vulnerabilities:

The live555 RTSP streaming server and client libraries before 2013.11.29 are vulnerable to buffer overflows in RTSP command parsing that potentially allow for arbitrary code execution when connected to a malicious client or server.

The RTSP client streaming code in the mplayer and vlc packages is built from the live555 code in the live package. They have been rebuilt with the updated live packages.

The vlc packages have also been updated to 2.0.10 for Mageia 3 and 2.1.5 for Mageia 4, fixing several other bugs and potential security issues. The Mageia 3 update fixes a buffer overflow in the mp4a packetizer (CVE-2013-4388) that was fixed upstream in 2.0.9.

Finally, the mplayer update for Mageia 3 includes two upstream patches; one disables playlist parsing for security reasons and the other fixes mp3 decoding cutting out early (mga#10478).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4388
http://live555.com/liveMedia/public/changelog.txt
http://www.videolan.org/developers/vlc-branch/NEWS
http://lists.mplayerhq.hu/pipermail/mplayer-announce/2013-May/000070.html
https://www.debian.org/security/2014/dsa-2973
https://bugs.mageia.org/show_bug.cgi?id=10478
https://bugs.mageia.org/show_bug.cgi?id=13705
========================

Updated packages in core/updates_testing:
========================
live-2014.07.04-1.mga3
live-devel-2014.07.04-1.mga3
live-2014.07.04-1.mga4
live-devel-2014.07.04-1.mga4

Updated packages in {core,tainted}/updates_testing:
========================
vlc-2.0.10-1.mga3
libvlc5-2.0.10-1.mga3
libvlccore5-2.0.10-1.mga3
libvlc-devel-2.0.10-1.mga3
vlc-plugin-common-2.0.10-1.mga3
vlc-plugin-zvbi-2.0.10-1.mga3
vlc-plugin-kate-2.0.10-1.mga3
vlc-plugin-libass-2.0.10-1.mga3
vlc-plugin-lua-2.0.10-1.mga3
vlc-plugin-ncurses-2.0.10-1.mga3
vlc-plugin-lirc-2.0.10-1.mga3
svlc-2.0.10-1.mga3
vlc-plugin-aa-2.0.10-1.mga3
vlc-plugin-sdl-2.0.10-1.mga3
vlc-plugin-shout-2.0.10-1.mga3
vlc-plugin-opengl-2.0.10-1.mga3
vlc-plugin-projectm-2.0.10-1.mga3
vlc-plugin-theora-2.0.10-1.mga3
vlc-plugin-twolame-2.0.10-1.mga3
vlc-plugin-fluidsynth-2.0.10-1.mga3
vlc-plugin-gme-2.0.10-1.mga3
vlc-plugin-schroedinger-2.0.10-1.mga3
vlc-plugin-speex-2.0.10-1.mga3
vlc-plugin-flac-2.0.10-1.mga3
vlc-plugin-dv-2.0.10-1.mga3
vlc-plugin-mod-2.0.10-1.mga3
vlc-plugin-mpc-2.0.10-1.mga3
vlc-plugin-sid-2.0.10-1.mga3
vlc-plugin-pulse-2.0.10-1.mga3
vlc-plugin-jack-2.0.10-1.mga3
vlc-plugin-bonjour-2.0.10-1.mga3
vlc-plugin-upnp-2.0.10-1.mga3
vlc-plugin-gnutls-2.0.10-1.mga3
vlc-plugin-libnotify-2.0.10-1.mga3
mplayer-1.1-13.r35916.3.mga3
mplayer-doc-1.1-13.r35916.3.mga3
mplayer-gui-1.1-13.r35916.3.mga3
mencoder-1.1-13.r35916.3.mga3
vlc-2.1.5-1.mga4
libvlc5-2.1.5-1.mga4
libvlccore7-2.1.5-1.mga4
libvlc-devel-2.1.5-1.mga4
vlc-plugin-common-2.1.5-1.mga4
vlc-plugin-zvbi-2.1.5-1.mga4
vlc-plugin-kate-2.1.5-1.mga4
vlc-plugin-libass-2.1.5-1.mga4
vlc-plugin-lua-2.1.5-1.mga4
vlc-plugin-ncurses-2.1.5-1.mga4
vlc-plugin-lirc-2.1.5-1.mga4
svlc-2.1.5-1.mga4
vlc-plugin-aa-2.1.5-1.mga4
vlc-plugin-sdl-2.1.5-1.mga4
vlc-plugin-shout-2.1.5-1.mga4
vlc-plugin-opengl-2.1.5-1.mga4
vlc-plugin-projectm-2.1.5-1.mga4
vlc-plugin-theora-2.1.5-1.mga4
vlc-plugin-twolame-2.1.5-1.mga4
vlc-plugin-fluidsynth-2.1.5-1.mga4
vlc-plugin-gme-2.1.5-1.mga4
vlc-plugin-schroedinger-2.1.5-1.mga4
vlc-plugin-speex-2.1.5-1.mga4
vlc-plugin-flac-2.1.5-1.mga4
vlc-plugin-dv-2.1.5-1.mga4
vlc-plugin-mod-2.1.5-1.mga4
vlc-plugin-mpc-2.1.5-1.mga4
vlc-plugin-sid-2.1.5-1.mga4
vlc-plugin-pulse-2.1.5-1.mga4
vlc-plugin-jack-2.1.5-1.mga4
vlc-plugin-bonjour-2.1.5-1.mga4
vlc-plugin-upnp-2.1.5-1.mga4
vlc-plugin-gnutls-2.1.5-1.mga4
vlc-plugin-libnotify-2.1.5-1.mga4
mplayer-1.1.1-3.r36361.3.mga4
mplayer-doc-1.1.1-3.r36361.3.mga4
mplayer-gui-1.1.1-3.r36361.3.mga4
mencoder-1.1.1-3.r36361.3.mga4

from SRPMS:
live-2014.07.04-1.mga3.src.rpm
vlc-2.0.10-1.mga3.src.rpm
mplayer-1.1-13.r35916.3.mga3.src.rpm
live-2014.07.04-1.mga4.src.rpm
vlc-2.1.5-1.mga4.src.rpm
mplayer-1.1.1-3.r36361.3.mga4.src.rpm
Source RPM: vlc => live, mplayer, vlc
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
Summary: vlc new security issues CVE-2013-4388 and more => live555 buffer overflow, mplayer playlist issue, vlc buffer overflow (CVE-2013-4388) and more
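Because the live555 code is statically compiled into mplayer and vlc, a host with only the live package updated is still exposed. The following is an added example, not part of the bug report or Mageia's tooling: it flags installed packages older than the fixed builds named in the advisory. The function names, the simplified version comparison (no epoch, tilde or caret handling) and the sample host list are assumptions made for illustration.

```python
import re

# Fixed builds as listed in the advisory above, keyed by (release tag, source package).
FIXED = {
    ("mga3", "live"): "2014.07.04-1.mga3",
    ("mga3", "vlc"): "2.0.10-1.mga3",
    ("mga3", "mplayer"): "1.1-13.r35916.3.mga3",
    ("mga4", "live"): "2014.07.04-1.mga4",
    ("mga4", "vlc"): "2.1.5-1.mga4",
    ("mga4", "mplayer"): "1.1.1-3.r36361.3.mga4",
}

def segments(s):
    # Split into digit runs and letter runs; separators are ignored.
    return re.findall(r"\d+|[A-Za-z]+", s)

def vercmp(a, b):
    """Simplified rpm-style comparison (assumption): returns -1, 0 or 1."""
    sa, sb = segments(a), segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse(pkg):
    """'vlc-2.0.8-2.mga3.tainted.i586' -> ('vlc', '2.0.8', '2.mga3.tainted')."""
    pkg = re.sub(r"\.(i586|x86_64|noarch)$", "", pkg)
    return tuple(pkg.rsplit("-", 2))

def still_vulnerable(installed):
    """Return installed packages older than the fixed build for their release."""
    hits = []
    for pkg in installed:
        name, version, release = parse(pkg)
        tag = re.search(r"mga\d+", release)
        # Sub-packages such as mplayer-gui share the build of their prefix;
        # names without a matching prefix (libvlc5, mencoder) are skipped.
        fixed = FIXED.get((tag.group(0), name.split("-")[0])) if tag else None
        if fixed is None:
            continue
        fver, frel = fixed.split("-")
        if (vercmp(version, fver) or vercmp(release, frel)) < 0:
            hits.append(pkg)
    return hits

# Constructed host state: live already updated, vlc and mplayer-gui not yet.
HOST = ["live-2014.07.04-1.mga3.i586", "vlc-2.0.8-2.mga3.tainted.i586",
        "mplayer-gui-1.1-12.r35916.4.mga3.tainted.i586"]
```

On a real system the input list would come from `rpm -qa`; here `still_vulnerable(HOST)` reports the vlc and mplayer-gui builds even though live itself is current.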
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
live vlc mplayer mplayer-gui

default install of live vlc mplayer mplayer-gui

[root@localhost wilcal]# urpmi live
Package live-2013.01.04-2.mga3.i586 is already installed
[root@localhost wilcal]# urpmi vlc
Package vlc-2.0.8-2.mga3.tainted.i586 is already installed
[root@localhost wilcal]# urpmi mplayer
Package mplayer-1.1-12.r35916.4.mga3.tainted.i586 is already installed
[root@localhost wilcal]# urpmi mplayer-gui
Package mplayer-gui-1.1-12.r35916.4.mga3.tainted.i586 is already installed

mplayer-gui plays an mp4 stream from:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4

Plug the following into vlc -> Media -> Open Network Stream -> Please enter a network URL:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4

mplayer-gui plays mov mp4 dvd flv local files
vlc plays mov mp4 dvd flv local files

install live vlc mplayer mplayer-gui from updates_testing

[root@localhost wilcal]# urpmi live
Package live-2014.07.04-1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi vlc
Package vlc-2.0.10-1.mga3.tainted.i586 is already installed
[root@localhost wilcal]# urpmi mplayer
Package mplayer-1.1-13.r35916.3.mga3.tainted.i586 is already installed
[root@localhost wilcal]# urpmi mplayer-gui
Package mplayer-gui-1.1-13.r35916.3.mga3.tainted.i586 is already installed

mplayer-gui plays an mp4 stream from:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4

Plug the following into vlc -> Media -> Open Network Stream -> Please enter a network URL:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4

mplayer-gui plays mov mp4 dvd flv local files
vlc plays mov mp4 dvd flv local files

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
live vlc mplayer mplayer-gui

default install of live vlc mplayer mplayer-gui

[root@localhost wilcal]# urpmi live
Package live-2013.01.04-2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc
Package vlc-2.0.8-2.mga3.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi mplayer
Package mplayer-1.1-12.r35916.4.mga3.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi mplayer-gui
Package mplayer-gui-1.1-12.r35916.4.mga3.tainted.x86_64 is already installed

mplayer-gui plays an mp4 stream from:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4

Plug the following into vlc -> Media -> Open Network Stream -> Please enter a network URL:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4

mplayer-gui plays mov mp4 dvd flv local files
vlc plays mov mp4 dvd flv local files

install live vlc mplayer mplayer-gui from updates_testing

[root@localhost wilcal]# urpmi live
Package live-2014.07.04-1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc
Package vlc-2.0.10-1.mga3.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi mplayer
Package mplayer-1.1-13.r35916.3.mga3.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi mplayer-gui
Package mplayer-gui-1.1-13.r35916.3.mga3.tainted.x86_64 is already installed

mplayer-gui plays an mp4 stream from:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4

Plug the following into vlc -> Media -> Open Network Stream -> Please enter a network URL:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4

mplayer-gui plays mov mp4 dvd flv local files
vlc plays mov mp4 dvd flv local files

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
M4 later today
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
live vlc mplayer mplayer-gui

default install of live vlc mplayer mplayer-gui

[root@localhost wilcal]# urpmi live
Package live-2013.09.27-2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi vlc
Package vlc-2.1.2-1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi mplayer
Package mplayer-1.1.1-3.r36361.1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi mplayer-gui
Package mplayer-gui-1.1.1-3.r36361.1.mga4.tainted.i586 is already installed

mplayer-gui plays an mp4 stream from:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4

Plug the following into vlc -> Media -> Open Network Stream -> Please enter a network URL:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4

mplayer-gui plays mov mp4 dvd flv local files
vlc plays mov mp4 dvd flv local files

install live vlc mplayer mplayer-gui from updates_testing

[root@localhost wilcal]# urpmi live
Package live-2014.07.04-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi vlc
Package vlc-2.1.5-1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi mplayer
Package mplayer-1.1.1-3.r36361.3.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi mplayer-gui
Package mplayer-gui-1.1.1-3.r36361.3.mga4.tainted.i586 is already installed

mplayer-gui plays an mp4 stream from:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4

Plug the following into vlc -> Media -> Open Network Stream -> Please enter a network URL:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4

mplayer-gui plays mov mp4 dvd flv local files
vlc plays mov mp4 dvd flv local files

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
live vlc mplayer mplayer-gui

default install of live vlc mplayer mplayer-gui

[root@localhost wilcal]# urpmi live
Package live-2013.01.04-2.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc
Package vlc-2.0.8-2.mga3.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi mplayer
Package mplayer-1.1-12.r35916.4.mga3.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi mplayer-gui
Package mplayer-gui-1.1-12.r35916.4.mga3.tainted.x86_64 is already installed

mplayer-gui plays an mp4 stream from:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4

Plug the following into vlc -> Media -> Open Network Stream -> Please enter a network URL:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4

mplayer-gui plays mov mp4 dvd flv local files
vlc plays mov mp4 dvd flv local files

install live vlc mplayer mplayer-gui from updates_testing

[root@localhost wilcal]# urpmi live
Package live-2014.07.04-1.mga4.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc
Package vlc-2.1.5-1.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi mplayer
Package mplayer-1.1.1-3.r36361.3.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi mplayer-gui
Package mplayer-gui-1.1.1-3.r36361.3.mga4.tainted.x86_64 is already installed

mplayer-gui plays an mp4 stream from:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4

Plug the following into vlc -> Media -> Open Network Stream -> Please enter a network URL:
http://www.podtrac.com/pts/redirect.mp4/twit.cachefly.net/video/tnt/tnt1047/tnt1047_h264b_640x368_256.mp4

mplayer-gui plays mov mp4 dvd flv local files
vlc plays mov mp4 dvd flv local files

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Looks good to me David. Anything else otherwise let's push it?
I'm gonna turn this one loose.
Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
For me this update works fine.

Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit

Validating the update.
Could someone from the sysadmin team push this to updates.
Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded with srpms below..

src:
  3:
   core:
     - live-2014.07.04-1.mga3
     - vlc-2.0.10-1.mga3
     - mplayer-1.1-13.r35916.3.mga3
   tainted:
     - vlc-2.0.10-1.mga3.tainted
     - mplayer-1.1-13.r35916.3.mga3.tainted
  4:
   core:
     - live-2014.07.04-1.mga4
     - vlc-2.1.5-1.mga4
     - mplayer-1.1.1-3.r36361.3.mga4
   tainted:
     - vlc-2.1.5-1.mga4.tainted
     - mplayer-1.1.1-3.r36361.3.mga4.tainted
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO advisory MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
Update pushed. http://advisories.mageia.org/MGASA-2014-0296.html
CC: (none) => mageia
Closing
Resolution: (none) => FIXED
Status: NEW => RESOLVED
LWN reference for the live issue: http://lwn.net/Vulnerabilities/607284/
Blocks: (none) => 10478
(In reply to David Walser from comment #14)
> LWN reference for the live issue:
> http://lwn.net/Vulnerabilities/607284/

This is apparently now CVE-2013-6933, currently listed here:
http://lwn.net/Vulnerabilities/632569/