Debian has issued an advisory on February 2:
https://www.debian.org/security/2015/dsa-3150

They fixed CVE-2014-9626 through CVE-2014-9630.

openSUSE has issued an advisory today (February 3):
http://lists.opensuse.org/opensuse-updates/2015-02/msg00015.html

They fixed CVE-2014-9625.

The issues were first referenced here (reply has CVE assignments):
http://openwall.com/lists/oss-security/2015/01/20/5

Patched packages uploaded for Mageia 4 and Cauldron.

Note that there are core and tainted builds for this package.

Advisory:
========================

Updated vlc packages fix security vulnerabilities:

On 32 bit builds, parsing of update status files with a size of 4294967295 or more led to an integer truncation caused by a cast to size_t in a call to malloc and a subsequent buffer overflow. This happened prior to checking the files' signature (CVE-2014-9625).

The MP4 demuxer, when parsing string boxes, did not properly check the length of the box, leading to a possible integer underflow when using this length value in a call to memcpy(). This could allow remote attackers to cause a denial of service (crash) or arbitrary code execution via crafted MP4 files (CVE-2014-9626).

The MP4 demuxer, when parsing string boxes, did not properly check that the conversion of the box length from 64bit integer to 32bit integer on 32bit platforms did not cause a truncation, leading to a possible buffer overflow. This could allow remote attackers to cause a denial of service (crash) or arbitrary code execution via crafted MP4 files (CVE-2014-9627).

The MP4 demuxer, when parsing string boxes, did not properly check the length of the box, leading to a possible buffer overflow. This could allow remote attackers to cause a denial of service (crash) or arbitrary code execution via crafted MP4 files (CVE-2014-9628).

The Dirac and Schroedinger encoders did not properly check for an integer overflow on 32bit platforms, leading to a possible buffer overflow. This could allow remote attackers to cause a denial of service (crash) or arbitrary code execution (CVE-2014-9629).

When streaming ogg-files via rtp, an ogg-file can trigger an invalid memory write access using an overly long 'configuration' string, which causes an attempted stack allocation with an attacker-controlled size (CVE-2014-9630).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9626
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9627
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9628
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9629
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9630
http://lists.opensuse.org/opensuse-updates/2015-02/msg00015.html
https://www.debian.org/security/2015/dsa-3150
http://openwall.com/lists/oss-security/2015/01/20/11
========================

Updated packages in {core,tainted}/updates_testing:
========================
vlc-2.1.5-1.1.mga4
libvlc5-2.1.5-1.1.mga4
libvlccore7-2.1.5-1.1.mga4
libvlc-devel-2.1.5-1.1.mga4
vlc-plugin-common-2.1.5-1.1.mga4
vlc-plugin-zvbi-2.1.5-1.1.mga4
vlc-plugin-kate-2.1.5-1.1.mga4
vlc-plugin-libass-2.1.5-1.1.mga4
vlc-plugin-lua-2.1.5-1.1.mga4
vlc-plugin-ncurses-2.1.5-1.1.mga4
vlc-plugin-lirc-2.1.5-1.1.mga4
svlc-2.1.5-1.1.mga4
vlc-plugin-aa-2.1.5-1.1.mga4
vlc-plugin-sdl-2.1.5-1.1.mga4
vlc-plugin-shout-2.1.5-1.1.mga4
vlc-plugin-opengl-2.1.5-1.1.mga4
vlc-plugin-projectm-2.1.5-1.1.mga4
vlc-plugin-theora-2.1.5-1.1.mga4
vlc-plugin-twolame-2.1.5-1.1.mga4
vlc-plugin-fluidsynth-2.1.5-1.1.mga4
vlc-plugin-gme-2.1.5-1.1.mga4
vlc-plugin-schroedinger-2.1.5-1.1.mga4
vlc-plugin-speex-2.1.5-1.1.mga4
vlc-plugin-flac-2.1.5-1.1.mga4
vlc-plugin-dv-2.1.5-1.1.mga4
vlc-plugin-mod-2.1.5-1.1.mga4
vlc-plugin-mpc-2.1.5-1.1.mga4
vlc-plugin-sid-2.1.5-1.1.mga4
vlc-plugin-pulse-2.1.5-1.1.mga4
vlc-plugin-jack-2.1.5-1.1.mga4
vlc-plugin-bonjour-2.1.5-1.1.mga4
vlc-plugin-upnp-2.1.5-1.1.mga4
vlc-plugin-gnutls-2.1.5-1.1.mga4
vlc-plugin-libnotify-2.1.5-1.1.mga4

from vlc-2.1.5-1.1.mga4.src.rpm
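Added example, not part of the original report and not VLC's code: the 64-bit to 32-bit length truncation and the length underflow described in the advisory (CVE-2014-9625 to CVE-2014-9627), shown as the unchecked pattern beside a checked one. The type size32_t, the function names and the extra terminator byte are assumptions of this example; uint32_t stands in for size_t on a 32-bit build so the result is the same on any host.

```c
#include <stdint.h>
#include <stdio.h>

/* Models a 32-bit build, where size_t is 32 bits wide (assumption:
 * uint32_t is used so the behaviour is reproducible on a 64-bit host). */
typedef uint32_t size32_t;

/* Unchecked pattern: a 64-bit length, plus an assumed 1-byte terminator,
 * is cast straight to the 32-bit allocation size; high bits are lost. */
static size32_t unchecked_alloc_size(uint64_t file_size)
{
    return (size32_t)(file_size + 1);
}

/* Checked pattern: refuse any length that cannot be represented. */
static int checked_alloc_size(uint64_t file_size, size32_t *out)
{
    if (file_size >= UINT32_MAX)      /* file_size + 1 would not fit */
        return -1;
    *out = (size32_t)(file_size + 1);
    return 0;
}

/* String-box style payload: the declared box size includes its header.
 * Reject sizes smaller than the header (underflow) and payloads that do
 * not fit the 32-bit size type (truncation). */
static int box_payload_len(uint64_t box_size, uint64_t header_len,
                           size32_t *out)
{
    if (box_size < header_len)
        return -1;
    uint64_t payload = box_size - header_len;
    if (payload >= UINT32_MAX)        /* leave room for a terminator */
        return -1;
    *out = (size32_t)payload;
    return 0;
}

int main(void)
{
    size32_t n = 0;
    printf("unchecked(4294967295) -> %u bytes\n",
           (unsigned)unchecked_alloc_size(4294967295ULL));
    printf("checked(4294967295)   -> %d\n",
           checked_alloc_size(4294967295ULL, &n));
    printf("box size 4, header 8  -> %d\n", box_payload_len(4, 8, &n));
    return 0;
}
```
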
LWN reference for CVE-2014-9625: http://lwn.net/Vulnerabilities/631651/
In VirtualBox, M4, KDE, 32-bit

I think this is the most common setup of VLC:

Package(s) under test:
vlc svlc vlc-plugin-common vlc-plugin-pulse vlc-plugin-theora vlc-plugin-upnp libvlc5 libvlccore7

default install of vlc svlc vlc-plugin-common vlc-plugin-pulse vlc-plugin-theora vlc-plugin-upnp libvlc5 libvlccore7

[root@localhost wilcal]# urpmi vlc
Package vlc-2.1.5-1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi svlc
Package svlc-2.1.5-1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-common
Package vlc-plugin-common-2.1.5-1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-pulse
Package vlc-plugin-pulse-2.1.5-1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-theora
Package vlc-plugin-theora-2.1.5-1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-upnp
Package vlc-plugin-upnp-2.1.5-1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libvlc5
Package libvlc5-2.1.5-1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libvlccore7
Package libvlccore7-2.1.5-1.mga4.tainted.i586 is already installed

I can play audio & video files from my local UPnP server.

install vlc svlc vlc-plugin-common vlc-plugin-pulse vlc-plugin-theora vlc-plugin-upnp libvlc5 libvlccore7 from updates_testing

[root@localhost wilcal]# urpmi vlc
Package vlc-2.1.5-1.1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi svlc
Package svlc-2.1.5-1.1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-common
Package vlc-plugin-common-2.1.5-1.1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-pulse
Package vlc-plugin-pulse-2.1.5-1.1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-theora
Package vlc-plugin-theora-2.1.5-1.1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-upnp
Package vlc-plugin-upnp-2.1.5-1.1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libvlc5
Package libvlc5-2.1.5-1.1.mga4.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libvlccore7
Package libvlccore7-2.1.5-1.1.mga4.tainted.i586 is already installed

I can play audio & video files from my local UPnP server.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
In VirtualBox, M4, KDE, 64-bit

I think this is the most common setup of VLC:

Package(s) under test:
vlc svlc vlc-plugin-common vlc-plugin-pulse vlc-plugin-theora vlc-plugin-upnp lib64vlc5 lib64vlccore7

default install of vlc svlc vlc-plugin-common vlc-plugin-pulse vlc-plugin-theora vlc-plugin-upnp lib64vlc5 lib64vlccore7

[root@localhost wilcal]# urpmi vlc
Package vlc-2.1.5-1.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi svlc
Package svlc-2.1.5-1.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-common
Package vlc-plugin-common-2.1.5-1.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-pulse
Package vlc-plugin-pulse-2.1.5-1.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-theora
Package vlc-plugin-theora-2.1.5-1.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-upnp
Package vlc-plugin-upnp-2.1.5-1.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64vlc5
Package lib64vlc5-2.1.5-1.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64vlccore7
Package lib64vlccore7-2.1.5-1.mga4.tainted.x86_64 is already installed

I can play audio & video files from my local UPnP server.

install vlc svlc vlc-plugin-common vlc-plugin-pulse vlc-plugin-theora vlc-plugin-upnp lib64vlc5 lib64vlccore7 from updates_testing

[root@localhost wilcal]# urpmi vlc
Package vlc-2.1.5-1.1.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi svlc
Package svlc-2.1.5-1.1.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-common
Package vlc-plugin-common-2.1.5-1.1.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-pulse
Package vlc-plugin-pulse-2.1.5-1.1.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-theora
Package vlc-plugin-theora-2.1.5-1.1.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-upnp
Package vlc-plugin-upnp-2.1.5-1.1.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64vlc5
Package lib64vlc5-2.1.5-1.1.mga4.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64vlccore7
Package lib64vlccore7-2.1.5-1.1.mga4.tainted.x86_64 is already installed

I can play audio & video files from my local UPnP server.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
I'm going to validate this bug in 24 hours in case someone else wants to do some testing.

This update works fine.
Testing complete for mga4 32-bit & 64-bit.
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks

Keywords: (none) => validated_update
Whiteboard: (none) => MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
Advisory uploaded. Remembered to add the vlc-2.1.5-1.1.mga4.tainted srpm too \o/
Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0053.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED