An advisory has been issued today (August 20): http://www.ocert.org/advisories/ocert-2015-009.html The advisory contains a link to the upstream commit to fix the issue. The fix will be included in VLC 2.2.2 (I'm not sure of the ETA on that release). Mageia 4 and Mageia 5 are also affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
Debian has issued an advisory for this today: https://lists.debian.org/debian-security-announce/2015/msg00241.html https://www.debian.org/security/2015/dsa-3342
URL: (none) => http://lwn.net/Vulnerabilities/655117/
Upstream patch can't be used for vlc-2.1.6 (mga4).
CC: (none) => yann.cantin
PoC: http://openwall.com/lists/oss-security/2015/08/20/8
Upstream patch fixes the issue, tested with the PoC on mga5 x86_64. Update ready in the svn for mga5 and Cauldron.
Updated packages for mga5 and Cauldron. No fix for mga4 yet.

Advisory:
========================

Updated vlc packages fix security vulnerability (CVE-2015-5949):

Loren Maggiore of Trail of Bits discovered that the 3GP parser of VLC, a multimedia player and streamer, could dereference an arbitrary pointer due to insufficient restrictions on a writable buffer. This could allow remote attackers to execute arbitrary code via crafted 3GP files.

References:
http://www.ocert.org/advisories/ocert-2015-009.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5949
https://lists.debian.org/debian-security-announce/2015/msg00241.html

PoC: http://openwall.com/lists/oss-security/2015/08/20/8
========================

Updated packages in core/updates_testing and tainted/updates_testing
========================
vlc-2.2.1-1.1.mga5
lib64vlc5-2.2.1-1.1.mga5
lib64vlccore8-2.2.1-1.1.mga5
lib64vlc-devel-2.2.1-1.1.mga5
vlc-plugin-common-2.2.1-1.1.mga5
vlc-plugin-zvbi-2.2.1-1.1.mga5
vlc-plugin-kate-2.2.1-1.1.mga5
vlc-plugin-libass-2.2.1-1.1.mga5
vlc-plugin-lua-2.2.1-1.1.mga5
vlc-plugin-ncurses-2.2.1-1.1.mga5
vlc-plugin-lirc-2.2.1-1.1.mga5
svlc-2.2.1-1.1.mga5
vlc-plugin-aa-2.2.1-1.1.mga5
vlc-plugin-sdl-2.2.1-1.1.mga5
vlc-plugin-shout-2.2.1-1.1.mga5
vlc-plugin-opengl-2.2.1-1.1.mga5
vlc-plugin-vdpau-2.2.1-1.1.mga5
vlc-plugin-projectm-2.2.1-1.1.mga5
vlc-plugin-theora-2.2.1-1.1.mga5
vlc-plugin-twolame-2.2.1-1.1.mga5
vlc-plugin-fluidsynth-2.2.1-1.1.mga5
vlc-plugin-gme-2.2.1-1.1.mga5
vlc-plugin-schroedinger-2.2.1-1.1.mga5
vlc-plugin-speex-2.2.1-1.1.mga5
vlc-plugin-flac-2.2.1-1.1.mga5
vlc-plugin-dv-2.2.1-1.1.mga5
vlc-plugin-mod-2.2.1-1.1.mga5
vlc-plugin-mpc-2.2.1-1.1.mga5
vlc-plugin-sid-2.2.1-1.1.mga5
vlc-plugin-pulse-2.2.1-1.1.mga5
vlc-plugin-jack-2.2.1-1.1.mga5
vlc-plugin-bonjour-2.2.1-1.1.mga5
vlc-plugin-upnp-2.2.1-1.1.mga5
vlc-plugin-gnutls-2.2.1-1.1.mga5
vlc-plugin-libnotify-2.2.1-1.1.mga5
vlc-plugin-chromaprint-2.2.1-1.1.mga5
vlc-debuginfo-2.2.1-1.1.mga5
vlc-2.2.1-1.1.mga5.tainted
lib64vlc5-2.2.1-1.1.mga5.tainted
lib64vlccore8-2.2.1-1.1.mga5.tainted
lib64vlc-devel-2.2.1-1.1.mga5.tainted
vlc-plugin-common-2.2.1-1.1.mga5.tainted
vlc-plugin-zvbi-2.2.1-1.1.mga5.tainted
vlc-plugin-kate-2.2.1-1.1.mga5.tainted
vlc-plugin-libass-2.2.1-1.1.mga5.tainted
vlc-plugin-lua-2.2.1-1.1.mga5.tainted
vlc-plugin-ncurses-2.2.1-1.1.mga5.tainted
vlc-plugin-lirc-2.2.1-1.1.mga5.tainted
svlc-2.2.1-1.1.mga5.tainted
vlc-plugin-aa-2.2.1-1.1.mga5.tainted
vlc-plugin-sdl-2.2.1-1.1.mga5.tainted
vlc-plugin-shout-2.2.1-1.1.mga5.tainted
vlc-plugin-opengl-2.2.1-1.1.mga5.tainted
vlc-plugin-vdpau-2.2.1-1.1.mga5.tainted
vlc-plugin-projectm-2.2.1-1.1.mga5.tainted
vlc-plugin-theora-2.2.1-1.1.mga5.tainted
vlc-plugin-twolame-2.2.1-1.1.mga5.tainted
vlc-plugin-fluidsynth-2.2.1-1.1.mga5.tainted
vlc-plugin-gme-2.2.1-1.1.mga5.tainted
vlc-plugin-schroedinger-2.2.1-1.1.mga5.tainted
vlc-plugin-speex-2.2.1-1.1.mga5.tainted
vlc-plugin-flac-2.2.1-1.1.mga5.tainted
vlc-plugin-dv-2.2.1-1.1.mga5.tainted
vlc-plugin-mod-2.2.1-1.1.mga5.tainted
vlc-plugin-mpc-2.2.1-1.1.mga5.tainted
vlc-plugin-sid-2.2.1-1.1.mga5.tainted
vlc-plugin-pulse-2.2.1-1.1.mga5.tainted
vlc-plugin-jack-2.2.1-1.1.mga5.tainted
vlc-plugin-bonjour-2.2.1-1.1.mga5.tainted
vlc-plugin-upnp-2.2.1-1.1.mga5.tainted
vlc-plugin-gnutls-2.2.1-1.1.mga5.tainted
vlc-plugin-libnotify-2.2.1-1.1.mga5.tainted
vlc-plugin-chromaprint-2.2.1-1.1.mga5.tainted
vlc-debuginfo-2.2.1-1.1.mga5.tainted

from SRPMS:
vlc-2.2.1-1.1.mga5.src.rpm
vlc-2.2.1-1.1.mga5.tainted.src.rpm
Assignee: shlomif => qa-bugs
Thanks, everything looks pretty good, other than the (CVE) should be at the end of the paragraph rather than the title in the advisory. Thanks for this. Mageia 4 should be fixed as well; the patch applies cleanly there too. Assigning this back to Yann until Mageia 4's update is available.
CC: (none) => qa-bugs
Version: Cauldron => 5
Assignee: qa-bugs => yann.cantin
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
Blocks: (none) => 16631
Assigning this back to QA since the cloned Mageia 4 bug is now filed.
CC: qa-bugs => (none)
Assignee: yann.cantin => qa-bugs
Whiteboard: MGA4TOO => (none)
I've installed. Tested Movie, flac and MP3 player. All seems to be working properly.
CC: (none) => brtians1
Whiteboard: (none) => MGA5-64-OK
Installed on 32-bit VBox VM. Audio seems to be working correctly. All items installed as expected.
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
I think that this bug should depend on bug 16631 (the mga4 bug) which should block this one. Can I just change these? This update could then be validated and the dependency would prevent it from being released until 16631 is validated.
Ignore comment #10 - I got it the wrong way round.
Why should there be a dependency between the two bugs? IMO it's only required if the Mageia 4 updated version is higher than the Mageia 5 release version, but that's not the case as far as I know. There is (a priori) no reason to make sure that both updates are pushed at the same time.
Validated update
The advisory is in comment #5
A QA committer needs to upload the advisory to SVN
The packages can then be pushed to updates.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
(In reply to Rémi Verschelde from comment #12) That's why I got confused. I had trouble identifying the purpose of the block. I've removed the block.
Blocks: 16631 => (none)
Advisory uploaded.
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0324.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED