16631 – vlc new security issue CVE-2015-5949

Bug 16631 - vlc new security issue CVE-2015-5949

Summary: vlc new security issue CVE-2015-5949

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	4
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/655117/
Whiteboard:	MGA4-32-OK MGA4-64-OK advisory
Keywords:	validated_update

Depends on:
Blocks:

Reported:	2015-08-21 23:13 CEST by Yann Cantin
Modified:	2015-08-27 22:50 CEST (History)
CC List:	6 users (show)

See Also:
Source RPM:	vlc-2.1.6-1.mga4.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Yann Cantin 2015-08-21 23:13:50 CEST

+++ This bug was initially created as a clone of Bug #16623 +++

An advisory has been issued today (August 20):
http://www.ocert.org/advisories/ocert-2015-009.html

The advisory contains a link to the upstream commit to fix the issue.  The fix will be included in VLC 2.2.2 (I'm not sure of the ETA on that release).

Mageia 4 and Mageia 5 are also affected.

Reproducible: 

Steps to Reproduce:

Yann Cantin 2015-08-21 23:15:26 CEST

Assignee: bugsquad => yann.cantin
Source RPM: vlc-2.2.1-3.mga6.src.rpm => vlc-2.1.6-1.mga4.src.rpm

Comment 1 Yann Cantin 2015-08-22 22:26:31 CEST

Updated packages for mga4.
The PoC (see bug #16623) is irrelevant for version 2.1.6 (doesn't segfault).
Patch applied anyway.

Advisory:
========================

Updated vlc packages fix security vulnerability :

Loren Maggiore of Trail of Bits discovered that the 3GP parser of VLC, a
multimedia player and streamer, could dereference an arbitrary pointer
due to insufficient restrictions on a writable buffer. This could allow
remote attackers to execute arbitrary code via crafted 3GP files (CVE-2015-5949).

References:
http://www.ocert.org/advisories/ocert-2015-009.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5949
https://lists.debian.org/debian-security-announce/2015/msg00241.html

========================

Updated packages in core/updates_testing and tainted/updates_testing
========================
lib64vlc5-2.1.6-1.1.mga4
lib64vlccore7-2.1.6-1.1.mga4
lib64vlc-devel-2.1.6-1.1.mga4
svlc-2.1.6-1.1.mga4
vlc-2.1.6-1.1.mga4
vlc-debuginfo-2.1.6-1.1.mga4
vlc-plugin-aa-2.1.6-1.1.mga4
vlc-plugin-bonjour-2.1.6-1.1.mga4
vlc-plugin-common-2.1.6-1.1.mga4
vlc-plugin-dv-2.1.6-1.1.mga4
vlc-plugin-flac-2.1.6-1.1.mga4
vlc-plugin-fluidsynth-2.1.6-1.1.mga4
vlc-plugin-gme-2.1.6-1.1.mga4
vlc-plugin-gnutls-2.1.6-1.1.mga4
vlc-plugin-jack-2.1.6-1.1.mga4
vlc-plugin-kate-2.1.6-1.1.mga4
vlc-plugin-libass-2.1.6-1.1.mga4
vlc-plugin-libnotify-2.1.6-1.1.mga4
vlc-plugin-lirc-2.1.6-1.1.mga4
vlc-plugin-lua-2.1.6-1.1.mga4
vlc-plugin-mod-2.1.6-1.1.mga4
vlc-plugin-mpc-2.1.6-1.1.mga4
vlc-plugin-ncurses-2.1.6-1.1.mga4
vlc-plugin-opengl-2.1.6-1.1.mga4
vlc-plugin-projectm-2.1.6-1.1.mga4
vlc-plugin-pulse-2.1.6-1.1.mga4
vlc-plugin-schroedinger-2.1.6-1.1.mga4
vlc-plugin-sdl-2.1.6-1.1.mga4
vlc-plugin-shout-2.1.6-1.1.mga4
vlc-plugin-sid-2.1.6-1.1.mga4
vlc-plugin-speex-2.1.6-1.1.mga4
vlc-plugin-theora-2.1.6-1.1.mga4
vlc-plugin-twolame-2.1.6-1.1.mga4
vlc-plugin-upnp-2.1.6-1.1.mga4
vlc-plugin-zvbi-2.1.6-1.1.mga4

lib64vlc5-2.1.6-1.1.mga4.tainted
lib64vlccore7-2.1.6-1.1.mga4.tainted
lib64vlc-devel-2.1.6-1.1.mga4.tainted
svlc-2.1.6-1.1.mga4.tainted
vlc-2.1.6-1.1.mga4.tainted
vlc-debuginfo-2.1.6-1.1.mga4.tainted
vlc-plugin-aa-2.1.6-1.1.mga4.tainted
vlc-plugin-bonjour-2.1.6-1.1.mga4.tainted
vlc-plugin-common-2.1.6-1.1.mga4.tainted
vlc-plugin-dv-2.1.6-1.1.mga4.tainted
vlc-plugin-flac-2.1.6-1.1.mga4.tainted
vlc-plugin-fluidsynth-2.1.6-1.1.mga4.tainted
vlc-plugin-gme-2.1.6-1.1.mga4.tainted
vlc-plugin-gnutls-2.1.6-1.1.mga4.tainted
vlc-plugin-jack-2.1.6-1.1.mga4.tainted
vlc-plugin-kate-2.1.6-1.1.mga4.tainted
vlc-plugin-libass-2.1.6-1.1.mga4.tainted
vlc-plugin-libnotify-2.1.6-1.1.mga4.tainted
vlc-plugin-lirc-2.1.6-1.1.mga4.tainted
vlc-plugin-lua-2.1.6-1.1.mga4.tainted
vlc-plugin-mod-2.1.6-1.1.mga4.tainted
vlc-plugin-mpc-2.1.6-1.1.mga4.tainted
vlc-plugin-ncurses-2.1.6-1.1.mga4.tainted
vlc-plugin-opengl-2.1.6-1.1.mga4.tainted
vlc-plugin-projectm-2.1.6-1.1.mga4.tainted
vlc-plugin-pulse-2.1.6-1.1.mga4.tainted
vlc-plugin-schroedinger-2.1.6-1.1.mga4.tainted
vlc-plugin-sdl-2.1.6-1.1.mga4.tainted
vlc-plugin-shout-2.1.6-1.1.mga4.tainted
vlc-plugin-sid-2.1.6-1.1.mga4.tainted
vlc-plugin-speex-2.1.6-1.1.mga4.tainted
vlc-plugin-theora-2.1.6-1.1.mga4.tainted
vlc-plugin-twolame-2.1.6-1.1.mga4.tainted
vlc-plugin-upnp-2.1.6-1.1.mga4.tainted
vlc-plugin-zvbi-2.1.6-1.1.mga4.tainted

from SRPMS:
vlc-2.1.6-1.1.mga4.src.rpm
vlc-2.1.6-1.1.mga4.tainted.src.rpm

Assignee: yann.cantin => qa-bugs

Comment 2 Herman Viaene 2015-08-24 11:46:03 CEST

MGA4-32 on Acer D620 Xfce
No installation issues.
Plays mpg file (captured from DVB-T device) perfectly.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-32-OK

James Kerr 2015-08-25 11:46:15 CEST

Depends on: 16623 => (none)

Comment 3 Samuel Verschelde 2015-08-27 16:52:37 CEST

Seems to work OK on MGA4 64. Validating. Just needs advisory to be uploaded.

Keywords: (none) => validated_update
Status: NEW => RESOLVED
Resolution: (none) => WONTFIX
Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 4 Thomas Backlund 2015-08-27 17:08:08 CEST

Wontfix is not a good solution for a validation :)

Status: RESOLVED => REOPENED
CC: (none) => tmb
Resolution: WONTFIX => (none)

Comment 5 Samuel Verschelde 2015-08-27 17:14:36 CEST

Oops, I wonder what happened.

Comment 6 Rémi Verschelde 2015-08-27 20:20:48 CEST

Advisory uploaded.

Whiteboard: MGA4-32-OK MGA4-64-OK => MGA4-32-OK MGA4-64-OK advisory

Comment 7 Mageia Robot 2015-08-27 22:50:48 CEST

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0329.html

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.