A CVE has been assigned for a security issue fixed in VLC 2.2.4:
http://www.openwall.com/lists/oss-security/2016/05/27/7

It was fixed in this commit:
http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=c2d2c3698e47402ec36ecc6c8a85781dbd88b6a9

Looking at the git log, it looks like 2.2.4 will be tagged soon if it hasn't been already.

They also applied a memory safety patch to their bundled libmad, which we should apply to our mad package, if applicable:
http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=9ec17d122ab12f3b66a81877805f38f9fd295003
Whiteboard: (none) => MGA5TOO
VLC 2.2.4 is now out, so you can update this. I have added the patch to the mad package in Cauldron and pushed it. I have also added it in Mageia 5 SVN, so make sure you push that when you push the Mageia 5 build for VLC.
Updated packages pushed in SVN for Mageia 5.

Advisory:
========================

Updated vlc package fixes security vulnerability:

A vulnerability was found in processing QuickTime IMA files. VLC does not check that the number of channels in the input stream is less than or equal to the size of the buffer, resulting in an out-of-bounds write potential for remote code execution via a malicious media file. This vulnerability has been fixed in version 2.2.4.

References:
http://www.openwall.com/lists/oss-security/2016/05/27/7
https://bugs.mageia.org/show_bug.cgi?id=18567
http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=c2d2c3698e47402ec36ecc6c8a85781dbd88b6a9
========================

Updated packages in core/updates_testing:
========================
(Shlomi Fish will submit package in the near future).

from vlc-2.2.4-1.mga5.src.rpm
CC: (none) => ymyasoedov
Also to be included with this update is the libmad (since that was patched by the VLC developers):

libmad0-0.15.1b-16.1.mga5
libmad-devel-0.15.1b-16.1.mga5

from mad-0.15.1b-16.1.mga5.src.rpm

Also, don't forget to include the (CVE-2016-5108) at the end of the blurb about the issue in the advisory. Thanks.
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
Everything is now built and uploaded. Note that there are core and tainted builds for vlc.

Advisory:
========================

Updated vlc package fixes security vulnerability:

A vulnerability was found in processing QuickTime IMA files. VLC does not check that the number of channels in the input stream is less than or equal to the size of the buffer, resulting in an out-of-bounds write potential for remote code execution via a malicious media file (CVE-2016-5108).

The vlc package has been updated to version 2.2.4, which fixes this issue and other bugs. Also, the mad package has been patched to fix an out-of-bounds write which could cause VLC or other applications linked to that library to crash on an invalid mp3 file.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5108
http://www.openwall.com/lists/oss-security/2016/05/27/7
http://git.videolan.org/?p=vlc/vlc-2.2.git;a=blob;f=NEWS;h=1af86bef0317c8882acc363a7c8fc5e83097c7bd;hb=888b7e89d78e7073075fc0a007d47b93f4570fab
========================

Updated packages in core/updates_testing:
========================
libmad0-0.15.1b-16.1.mga5
libmad-devel-0.15.1b-16.1.mga5

from mad-0.15.1b-16.1.mga5.src.rpm

========================
Updated packages in {core,tainted}/updates_testing:
========================
vlc-2.2.4-1.mga5
libvlc5-2.2.4-1.mga5
libvlccore8-2.2.4-1.mga5
libvlc-devel-2.2.4-1.mga5
vlc-plugin-common-2.2.4-1.mga5
vlc-plugin-zvbi-2.2.4-1.mga5
vlc-plugin-kate-2.2.4-1.mga5
vlc-plugin-libass-2.2.4-1.mga5
vlc-plugin-lua-2.2.4-1.mga5
vlc-plugin-ncurses-2.2.4-1.mga5
vlc-plugin-lirc-2.2.4-1.mga5
svlc-2.2.4-1.mga5
vlc-plugin-aa-2.2.4-1.mga5
vlc-plugin-sdl-2.2.4-1.mga5
vlc-plugin-shout-2.2.4-1.mga5
vlc-plugin-opengl-2.2.4-1.mga5
vlc-plugin-vdpau-2.2.4-1.mga5
vlc-plugin-projectm-2.2.4-1.mga5
vlc-plugin-theora-2.2.4-1.mga5
vlc-plugin-twolame-2.2.4-1.mga5
vlc-plugin-fluidsynth-2.2.4-1.mga5
vlc-plugin-gme-2.2.4-1.mga5
vlc-plugin-schroedinger-2.2.4-1.mga5
vlc-plugin-speex-2.2.4-1.mga5
vlc-plugin-flac-2.2.4-1.mga5
vlc-plugin-dv-2.2.4-1.mga5
vlc-plugin-mod-2.2.4-1.mga5
vlc-plugin-mpc-2.2.4-1.mga5
vlc-plugin-sid-2.2.4-1.mga5
vlc-plugin-pulse-2.2.4-1.mga5
vlc-plugin-jack-2.2.4-1.mga5
vlc-plugin-bonjour-2.2.4-1.mga5
vlc-plugin-upnp-2.2.4-1.mga5
vlc-plugin-gnutls-2.2.4-1.mga5
vlc-plugin-libnotify-2.2.4-1.mga5
vlc-plugin-chromaprint-2.2.4-1.mga5

from vlc-2.2.4-1.mga5.src.rpm
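A constructed illustration of the check the advisory describes, added here and not taken from VLC's own adpcm.c: per-channel IMA decoder state lives in a fixed-size array, so the channel count read from the file has to be bounded before any per-channel write. The struct and function names, the two-channel limit and the 34-byte-per-channel block layout are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the bug class in the advisory, not VLC's adpcm.c:
 * per-channel IMA state sits in a fixed array while the channel count comes
 * from the untrusted media file. The 34-byte-per-channel block layout with a
 * 2-byte preamble is an assumption made for this example. */
#define MAX_CHANNELS   2
#define QT_BLOCK_BYTES 34
typedef struct {
    int predictor;   /* last decoded sample for this channel */
    int step_index;  /* index into the 89-entry IMA step table */
} ima_channel_t;

typedef struct {
    unsigned      channels;
    ima_channel_t chan[MAX_CHANNELS];
} ima_decoder_t;

/* Hardened open: bound the channel count before any per-channel write.
 * Without this check ima_qt_block_init() would write past chan[]. */
bool ima_qt_open(ima_decoder_t *dec, unsigned channels_from_header)
{
    memset(dec, 0, sizeof *dec);
    if (channels_from_header == 0 || channels_from_header > MAX_CHANNELS)
        return false;
    dec->channels = channels_from_header;
    return true;
}

/* Preamble: 9-bit predictor in the high bits, 7-bit step index, big-endian. */
static void read_preamble(ima_channel_t *c, const uint8_t *p)
{
    uint16_t v = (uint16_t)((p[0] << 8) | p[1]);
    c->predictor  = (int16_t)(v & 0xFF80);
    c->step_index = v & 0x7F;
    if (c->step_index > 88)          /* keep the table index in range too */
        c->step_index = 88;
}
/* Per-block init; safe only because ima_qt_open() bounded dec->channels. */
bool ima_qt_block_init(ima_decoder_t *dec, const uint8_t *blk, size_t len)
{
    if (len < (size_t)QT_BLOCK_BYTES * dec->channels)
        return false;                /* truncated block: never read past it */
    for (unsigned i = 0; i < dec->channels; i++)
        read_preamble(&dec->chan[i], blk + (size_t)QT_BLOCK_BYTES * i);
    return true;
}
```

The unpatched pattern is the same code with the channel test in ima_qt_open() missing: a file declaring more channels than MAX_CHANNELS then drives the loop in ima_qt_block_init() past the end of chan[].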
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
Updated 64-bit tainted version: Still plays .mp4 files, the only video I have readily available.
CC: (none) => andrewsfarm
(In reply to Thomas Andrews from comment #5)
> Updated 64-bit tainted version: Still plays .mp4 files, the only video I
> have readily available.

Hi Thomas!

You can find more kinds of videos and other media here:

* http://www.shlomifish.org/Files/files/video/
* http://www.shlomifish.org/Files/files/music/
* http://modarchive.org/
* http://www.shlomifish.org/Iglu/shlomif/mods/

And you can also use youtube-dl to download stuff from YouTube.

Regards,

-- Shlomi Fish
Debian has issued an advisory for this on June 7: https://www.debian.org/security/2016/dsa-3598
URL: (none) => http://lwn.net/Vulnerabilities/690409/
In VirtualBox, M5, KDE, 32-bit

Package(s) under test: vlc svlc libvlc5 libvlccore8 vlc-plugin-common vlc-plugin-pulse vlc-plugin-theora

default install of vlc svlc libvlc5 libvlccore8 vlc-plugin-common vlc-plugin-pulse & vlc-plugin-theora

[root@localhost wilcal]# urpmi vlc
Package vlc-2.2.3-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi svlc
Package svlc-2.2.3-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libvlc5
Package libvlc5-2.2.3-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libvlccore8
Package libvlccore8-2.2.3-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-common
Package vlc-plugin-common-2.2.3-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-pulse
Package vlc-plugin-pulse-2.2.3-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-theora
Package vlc-plugin-theora-2.2.3-1.mga5.tainted.i586 is already installed

VLC plays files: mov mp4 avi flv wmv wav mp3 webm ogg ogv

install vlc svlc libvlc5 libvlccore8 vlc-plugin-common vlc-plugin-pulse vlc-plugin-theora from updates_testing

[root@localhost wilcal]# urpmi vlc
Package vlc-2.2.4-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi svlc
Package svlc-2.2.4-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libvlc5
Package libvlc5-2.2.4-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libvlccore8
Package libvlccore8-2.2.4-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-common
Package vlc-plugin-common-2.2.4-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-pulse
Package vlc-plugin-pulse-2.2.4-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-theora
Package vlc-plugin-theora-2.2.4-1.mga5.tainted.i586 is already installed

VLC plays files: mov mp4 avi flv wmv wav mp3 webm ogg ogv
CC: (none) => wilcal.int
Whiteboard: (none) => MGA5-32-OK
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
In VirtualBox, M5, KDE, 64-bit

Package(s) under test: vlc svlc lib64vlc5 lib64vlccore8 vlc-plugin-common vlc-plugin-pulse vlc-plugin-theora

default install of vlc svlc lib64vlc5 lib64vlccore8 vlc-plugin-common vlc-plugin-pulse & vlc-plugin-theora

[root@localhost wilcal]# urpmi vlc
Package vlc-2.2.3-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi svlc
Package svlc-2.2.3-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64vlc5
Package lib64vlc5-2.2.3-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64vlccore8
Package lib64vlccore8-2.2.3-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-common
Package vlc-plugin-common-2.2.3-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-pulse
Package vlc-plugin-pulse-2.2.3-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-theora
Package vlc-plugin-theora-2.2.3-1.mga5.tainted.x86_64 is already installed

VLC plays files: mov mp4 avi flv wmv wav mp3 webm ogg ogv

install vlc svlc lib64vlc5 lib64vlccore8 vlc-plugin-common vlc-plugin-pulse vlc-plugin-theora from updates_testing

[root@localhost wilcal]# urpmi vlc
Package vlc-2.2.4-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi svlc
Package svlc-2.2.4-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64vlc5
Package lib64vlc5-2.2.4-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64vlccore8
Package lib64vlccore8-2.2.4-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-common
Package vlc-plugin-common-2.2.4-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-pulse
Package vlc-plugin-pulse-2.2.4-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-theora
Package vlc-plugin-theora-2.2.4-1.mga5.tainted.x86_64 is already installed

VLC plays files: mov mp4 avi flv wmv wav mp3 webm ogg ogv
This update works fine. Testing complete for MGA5, 32-bit & 64-bit.

Validating the update. Could someone from the sysadmin team push to updates. Thanks.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0221.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
This mad update has caused a clementine regression: crash playing MP3 on i586. You can go back till this gets fixed with:

urpmi --downgrade libmad0-0.15.1b-16.mga5
CC: (none) => lists.jjorge
Ouch. If you could report it upstream to the VLC developers with a stack trace, that would hopefully help.
(In reply to David Walser from comment #13)
> Ouch. If you could report it upstream to the VLC developers with a stack
> trace, that would hopefully help.

VLC? It is gstreamer 0.10 that crashes; I wonder if it just needs a rebuild:

18:54:01.085 ERROR GstEnginePipeline:562 1 "gstmad.c(1523): gst_mad_chain (): /GstPipeline:pipeline/GstURIDecodeBin:uridecodebin-0/GstDecodeBin2:decodebin20/GstMad:mad0"
18:54:01.086 ERROR GstEnginePipeline:562 1 "gstbaseparse.c(2890): gst_base_parse_loop (): /GstPipeline:pipeline/GstURIDecodeBin:uridecodebin-0/GstDecodeBin2:decodebin20/GstMpegAudioParse:mpegaudioparse0: streaming stopped, reason error"
Yes, VLC. The change to libmad came from them. It wasn't an ABI change, so it's not a matter of rebuilding anything.
(In reply to David Walser from comment #15)
> Yes, VLC. The change to libmad came from them. It wasn't an ABI change, so
> it's not a matter of rebuilding anything.

Done: https://trac.videolan.org/vlc/ticket/17065#ticket
I wonder if this is really not an ABI change; there are functions that change:

-void mad_bit_init(struct mad_bitptr *bitptr, unsigned char const *byte)
+void mad_bit_init(struct mad_bitptr *bitptr, unsigned char const *byte, unsigned int length)
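Review bot: the `+` line gives the exported function `mad_bit_init` a third parameter, `unsigned int length`, and that is an API and ABI change for every existing consumer, not only a source-level one. A binary built against the old two-argument prototype keeps passing two arguments, so the patched library reads `length` from whatever happens to sit in the third argument register or stack slot, and any bounds check that relies on it is checking a garbage value. That is consistent with the gstreamer 0.10 `gstmad.c` and radiotray crashes reported in this thread, and with the fix being a rebuild of gstreamer0.10-plugins-ugly against the new header. Either every package linked against libmad0 is rebuilt alongside this update, or the library's soname is bumped so that old consumers fail to load instead of misbehaving.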
Also a French user reported the same regression for radiotray!
CC: (none) => geiger.david68210
(In reply to David GEIGER from comment #18)
> Also a french user reported the same regression for radiotray!

I fixed the bug on an i586 system by rebuilding gstreamer0.10-plugins-ugly. Let's follow this on a new bug #18709.