Bug 20850 - VLC 2.2.5.1
Summary: VLC 2.2.5.1
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-32-OK MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-05-13 21:07 CEST by David Walser
Modified: 2017-11-22 17:47 CET

See Also:
Source RPM: vlc-2.2.4-1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2017-05-13 21:07:10 CEST
VLC 2.2.5.1 has been released on May 11:
https://www.videolan.org/vlc/releases/2.2.5.html

Most of the fixes only affect Windows, but it does have "Various security improvements in demuxers and decoders," so we might want to update it for Mageia 5.
Comment 1 Shlomi Fish 2017-05-13 22:07:25 CEST
I have built a package for core 5 / updates_testing but didn't test it locally. Perhaps I should litmus test it on a VM and assign it to QA. We also need a package for tainted.
Comment 2 Shlomi Fish 2017-05-13 22:34:35 CEST
(In reply to Shlomi Fish from comment #1)
> I have built a package for core 5 / updates_testing but didn't test it
> locally. Perhaps I should litmus test it on a VM and assign it to QA. We
> also need a package for tainted.

Tested fine in a VBox VM - assigning to QA.

Assignee: shlomif => qa-bugs

Comment 3 David Walser 2017-05-13 23:55:15 CEST
Thanks Shlomi!

Advisory:
========================

The VLC packages have been updated to version 2.2.5.1, which includes various
security improvements in demuxers and decoders, as well as other bug fixes.

References:
https://www.videolan.org/vlc/releases/2.2.5.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
vlc-2.2.5.1-1.mga5
libvlc5-2.2.5.1-1.mga5
libvlccore8-2.2.5.1-1.mga5
libvlc-devel-2.2.5.1-1.mga5
vlc-plugin-common-2.2.5.1-1.mga5
vlc-plugin-zvbi-2.2.5.1-1.mga5
vlc-plugin-kate-2.2.5.1-1.mga5
vlc-plugin-libass-2.2.5.1-1.mga5
vlc-plugin-lua-2.2.5.1-1.mga5
vlc-plugin-ncurses-2.2.5.1-1.mga5
vlc-plugin-lirc-2.2.5.1-1.mga5
svlc-2.2.5.1-1.mga5
vlc-plugin-aa-2.2.5.1-1.mga5
vlc-plugin-sdl-2.2.5.1-1.mga5
vlc-plugin-shout-2.2.5.1-1.mga5
vlc-plugin-opengl-2.2.5.1-1.mga5
vlc-plugin-vdpau-2.2.5.1-1.mga5
vlc-plugin-projectm-2.2.5.1-1.mga5
vlc-plugin-theora-2.2.5.1-1.mga5
vlc-plugin-twolame-2.2.5.1-1.mga5
vlc-plugin-fluidsynth-2.2.5.1-1.mga5
vlc-plugin-gme-2.2.5.1-1.mga5
vlc-plugin-schroedinger-2.2.5.1-1.mga5
vlc-plugin-speex-2.2.5.1-1.mga5
vlc-plugin-flac-2.2.5.1-1.mga5
vlc-plugin-dv-2.2.5.1-1.mga5
vlc-plugin-mod-2.2.5.1-1.mga5
vlc-plugin-mpc-2.2.5.1-1.mga5
vlc-plugin-sid-2.2.5.1-1.mga5
vlc-plugin-pulse-2.2.5.1-1.mga5
vlc-plugin-jack-2.2.5.1-1.mga5
vlc-plugin-bonjour-2.2.5.1-1.mga5
vlc-plugin-upnp-2.2.5.1-1.mga5
vlc-plugin-gnutls-2.2.5.1-1.mga5
vlc-plugin-libnotify-2.2.5.1-1.mga5
vlc-plugin-chromaprint-2.2.5.1-1.mga5

from vlc-2.2.5.1-1.mga5.src.rpm
Comment 4 Len Lawrence 2017-05-14 14:05:53 CEST
Tested this for x86_64 on real hardware.

Installed any plugins which were missing then updated all the packages on the list from Tainted Updates Testing.

Ran skinned vlc from the commandline to check various sound and video formats and container formats:
mov, mp3, mp4, mkv, m2t, ogg, flac, wav, swf
All played fine, sound and vision.  Subtitles were displayed where specified and NFS shares played across the network.  Played YouTube videos from the commandline and by using the UPnP service via the Open File -> Network menu.  Skins work courtesy of svlc.

DVDs however could not be played (this is the case for all players on this machine so there may be something missing).
These subsidiary libraries were already installed
  lib64dvdcss2-1.3.0-3.mga5.tainted
  lib64dvdread4-5.0.2-1.mga5
  lib64dvdnav4-5.0.3-1.mga5

Tried commandline invocation
$ vlc dvd://1
and using the Disc menu internally; Disc -> DVD, Title = 1

"Your input can't be opened:
VLC is unable to open the MRL 'dvd:///dev/sr0#1:1'. Check the log for details."

Terminal output:
libGL error: No matching fbConfigs or visuals found
libGL error: failed to load driver: swrast
libdvdnav: Using dvdnav version 5.0.3
libdvdread:DVDOpenFileUDF:UDFFindFile /VIDEO_TS/VIDEO_TS.IFO failed
libdvdread:DVDOpenFileUDF:UDFFindFile /VIDEO_TS/VIDEO_TS.BUP failed
libdvdread: Can't open file VIDEO_TS.IFO.
libdvdnav: vm: failed to read VIDEO_TS.IFO
libdvdread:DVDOpenFileUDF:UDFFindFile /VIDEO_TS/VIDEO_TS.IFO failed
libdvdread:DVDOpenFileUDF:UDFFindFile /VIDEO_TS/VIDEO_TS.BUP failed
libdvdread: Can't open file VIDEO_TS.BUP.
[00007f2c8c001238] core input error: open of `dvd:///dev/sr0#1:1' failed

CC: (none) => tarazed25

Comment 5 Len Lawrence 2017-05-14 14:15:51 CEST
$ cvlc dvd://1
VLC media player 2.2.5.1 Umbrella (revision 2.2.5.1-14-g05b653355c)
[0000000001f195f8] upnp services discovery: Initializing libupnp on '(null)' interface
[0000000001f26948] dummy interface: using the dummy interface module...
libdvdnav: Using dvdnav version 5.0.3
libdvdread:DVDOpenFileUDF:UDFFindFile /VIDEO_TS/VIDEO_TS.IFO failed
libdvdread:DVDOpenFileUDF:UDFFindFile /VIDEO_TS/VIDEO_TS.BUP failed
libdvdread: Can't open file VIDEO_TS.IFO.
libdvdnav: vm: failed to read VIDEO_TS.IFO
libdvdread:DVDOpenFileUDF:UDFFindFile /VIDEO_TS/VIDEO_TS.IFO failed
libdvdread:DVDOpenFileUDF:UDFFindFile /VIDEO_TS/VIDEO_TS.BUP failed
libdvdread: Can't open file VIDEO_TS.BUP.
[00007f9d700009b8] core input error: open of `dvd://1' failed
[00007f9d700009b8] core input error: Your input can't be opened
[00007f9d700009b8] core input error: VLC is unable to open the MRL 'dvd://1'. Check the log for details.
Comment 6 Len Lawrence 2017-05-14 18:22:50 CEST
So, it was a bad disk.  Tried a later commercial disk and there were no problems playing, with sound, with subtitles, fullscreen, keyboard zoom function, ...

Passing this for 64-bits.
Comment 7 Len Lawrence 2017-05-14 20:26:05 CEST
Tested for i586 in virtualbox.
Tainted packages installed and then updated.

Ran cvlc and vlc from the command line against various audio format files and videos.  All working OK - sound via host interface.  Launched vlc and added a skin and relaunched it.  Used Open File -> Network to specify a Youtube URL and streamed the video.  Working fine.  Used Machine Settings menu to attach the host DVD/CDROM device to the IDE controller.  Open File -> Disc to select the DVD and played it OK with sound and subtitles.

This looks OK for 32-bits.

The free version needs to be tested on both architectures before this can be validated.  Any volunteers?

If not I shall try this on another system and not enable tainted media sources.
Waiting for a while in case anybody responds.
Comment 8 David Walser 2017-05-15 18:13:10 CEST
More details on the security fixes are in this article:
http://news.softpedia.com/news/vlc-media-player-2-2-5-improves-video-scaling-in-vdpau-mp3-playback-and-more-515657.shtml
Comment 9 William Kenney 2017-05-18 22:28:35 CEST
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
vlc svlc libvlc5 libvlccore8 vlc-plugin-common
vlc-plugin-pulse vlc-plugin-theora

default install of vlc svlc libvlc5 libvlccore8
vlc-plugin-common vlc-plugin-pulse & vlc-plugin-theora

[root@localhost wilcal]# uname -a
Linux localhost.localdomain 4.4.65-desktop586-1.mga5
[root@localhost wilcal]# urpmi vlc
Package vlc-2.2.4-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi svlc
Package svlc-2.2.4-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libvlc5
Package libvlc5-2.2.4-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libvlccore8
Package libvlccore8-2.2.4-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-common
Package vlc-plugin-common-2.2.4-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-pulse
Package vlc-plugin-pulse-2.2.4-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-theora
Package vlc-plugin-theora-2.2.4-1.mga5.tainted.i586 is already installed

VLC plays files: mov mp4 avi flv wmv wav mp3 webm ogg ogv

Install:
vlc svlc libvlc5 libvlccore8 vlc-plugin-common
vlc-plugin-pulse vlc-plugin-theora
from updates-testing

[root@localhost wilcal]# urpmi vlc
Package vlc-2.2.5.1-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi svlc
Package svlc-2.2.5.1-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libvlc5
Package libvlc5-2.2.5.1-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi libvlccore8
Package libvlccore8-2.2.5.1-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-common
Package vlc-plugin-common-2.2.5.1-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-pulse
Package vlc-plugin-pulse-2.2.5.1-1.mga5.tainted.i586 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-theora
Package vlc-plugin-theora-2.2.5.1-1.mga5.tainted.i586 is already installed

VLC plays files: mov mp4 avi flv wmv wav mp3 webm ogg ogv

CC: (none) => wilcal.int

William Kenney 2017-05-18 22:28:54 CEST

Whiteboard: (none) => MGA5-32-OK

Comment 10 William Kenney 2017-05-18 22:43:11 CEST
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
vlc svlc libvlc5 libvlccore8 vlc-plugin-common
vlc-plugin-pulse vlc-plugin-theora

default install of vlc svlc lib64vlc5 lib64vlccore8
vlc-plugin-common vlc-plugin-pulse & vlc-plugin-theora

[root@localhost wilcal]# uname -a
Linux localhost.localdomain 4.4.65-desktop-1.mga5
[root@localhost wilcal]# urpmi vlc
Package vlc-2.2.4-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi svlc
Package svlc-2.2.4-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64vlc5
Package lib64vlc5-2.2.4-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64vlccore8
Package lib64vlccore8-2.2.4-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-common
Package vlc-plugin-common-2.2.4-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-pulse
Package vlc-plugin-pulse-2.2.4-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-theora
Package vlc-plugin-theora-2.2.4-1.mga5.tainted.x86_64 is already installed

VLC plays files: mov mp4 avi flv wmv wav mp3 webm ogg ogv

Install:
vlc svlc lib64vlc5 lib64vlccore8 vlc-plugin-common
vlc-plugin-pulse vlc-plugin-theora
from updates-testing

[root@localhost wilcal]# urpmi vlc
Package vlc-2.2.5.1-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi svlc
Package svlc-2.2.5.1-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64vlc5
Package lib64vlc5-2.2.5.1-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi lib64vlccore8
Package lib64vlccore8-2.2.5.1-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-common
Package vlc-plugin-common-2.2.5.1-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-pulse
Package vlc-plugin-pulse-2.2.5.1-1.mga5.tainted.x86_64 is already installed
[root@localhost wilcal]# urpmi vlc-plugin-theora
Package vlc-plugin-theora-2.2.5.1-1.mga5.tainted.x86_64 is already installed

VLC plays files: mov mp4 avi flv wmv wav mp3 webm ogg ogv
William Kenney 2017-05-18 22:43:27 CEST

Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
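
The before/after `urpmi` transcripts in comments 9 and 10 can be checked mechanically. The script below is an added example, not part of the original thread: it reads "already installed" lines, flags any package older than the advisory's fixed build, and records whether the core or tainted build was the one exercised. The function names and the sample log are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit urpmi "already installed" lines against the fixed build.
FIXED="2.2.5.1-1.mga5"   # version-release from the advisory in comment 3

# True when $1 sorts strictly before $2. GNU `sort -V` is used here as an
# approximation of RPM version ordering, adequate for these simple strings.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Reads urpmi output on stdin and prints one line per package:
#   STALE|OK <name> <version-release> <core|tainted>
# Returns 1 if any package is older than $FIXED, else 0.
audit_urpmi_log() {
    local line nvr name ver rel flavour status rc=0
    while IFS= read -r line; do
        case "$line" in
            "Package "*" is already installed") ;;
            *) continue ;;                      # skip prompts, uname, etc.
        esac
        nvr=${line#Package }
        nvr=${nvr% is already installed}
        nvr=${nvr%.*}                           # drop arch (i586, x86_64)
        rel=${nvr##*-}; nvr=${nvr%-*}           # release, e.g. 1.mga5.tainted
        ver=${nvr##*-}; name=${nvr%-*}          # version and package name
        flavour=core
        case "$rel" in
            *.tainted) flavour=tainted; rel=${rel%.tainted} ;;
        esac
        status=OK
        if version_lt "$ver-$rel" "$FIXED"; then status=STALE; rc=1; fi
        printf '%s %s %s %s\n' "$status" "$name" "$ver-$rel" "$flavour"
    done
    return "$rc"
}

# Constructed sample: a half-applied update in the format shown in comment 10,
# plus one constructed non-tainted (core) line.
SAMPLE_LOG='[root@localhost wilcal]# urpmi vlc
Package vlc-2.2.5.1-1.mga5.tainted.x86_64 is already installed
Package lib64vlccore8-2.2.4-1.mga5.tainted.x86_64 is already installed
Package vlc-plugin-common-2.2.5.1-1.mga5.x86_64 is already installed'

audit_urpmi_log <<EOF || echo "one or more packages predate $FIXED"
$SAMPLE_LOG
EOF
```

The flavour column shows at a glance which build a test run covered, which is the gap raised in comment 7 about the untainted packages.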

Comment 11 William Kenney 2017-05-18 22:45:01 CEST
For me this update works fine.
I will validate this in 24-hours
unless someone finds an issue.
Comment 12 Len Lawrence 2017-05-19 10:06:13 CEST
@wilcal comment 11.  No time to check untainted version so go ahead and validate.
Comment 13 William Kenney 2017-05-19 12:27:09 CEST
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates?
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2017-05-20 22:27:42 CEST

CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory

Comment 14 Mageia Robot 2017-05-21 22:29:40 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0144.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 15 David Walser 2017-05-24 13:51:29 CEST
Apparently some of the issues fixed in 2.2.5.1 specifically are the widely publicized subtitle flaws, which have CVE-2017-8310, CVE-2017-8311, CVE-2017-8312 and CVE-2017-8313 according to this article:
http://www.eweek.com/security/check-point-discovers-media-subtitle-vulnerability-impacting-millions
Comment 16 David Walser 2017-11-22 17:47:03 CET
According to the updated NEWS file, 2.2.5.1 fixed CVE-2017-9300 and CVE-2017-9301:
https://git.videolan.org/?p=vlc/vlc-2.2.git;a=blob;f=NEWS;h=d9b31b4e5362c7d764f3e6b23b78aaeb0b8bf868;hb=3cc1d8cba982fc988c2a421e42408bb05d1ba37f
