Bug 21801 - vlc new security issue CVE-2017-10699
Summary: vlc new security issue CVE-2017-10699
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-10-02 23:39 CEST by David Walser
Modified: 2017-11-29 18:02 CET
CC List: 5 users

See Also:
Source RPM: vlc-vlc-2.2.6-1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2017-10-02 23:39:59 CEST
openSUSE has issued an advisory on September 29:
https://lists.opensuse.org/opensuse-updates/2017-09/msg00115.html

The issue was fixed upstream shortly after 2.2.6 in this commit:
https://git.videolan.org/?p=vlc/vlc-2.2.git;a=commit;h=55a82442cfea9dab8b853f3a4610f2880c5fadf3
Comment 1 David Walser 2017-11-22 17:48:31 CET
VLC 2.2.8 is available, which includes multiple security fixes:
https://git.videolan.org/?p=vlc/vlc-2.2.git;a=blob;f=NEWS;h=d9b31b4e5362c7d764f3e6b23b78aaeb0b8bf868;hb=3cc1d8cba982fc988c2a421e42408bb05d1ba37f

The updated NEWS file also references the commit from Comment 0 but without a CVE, and says that CVE-2017-9300 was fixed in an earlier commit before 2.2.5.1.  It does list CVE-2017-10699 as a new security issue fixed by 2.2.8 though.

We should update to it, and include the two commits after 2.2.8 was tagged:
https://git.videolan.org/?p=vlc/vlc-2.2.git;a=shortlog

Summary: vlc new security issue CVE-2017-9300 => vlc new security issue CVE-2017-10699

Comment 2 David Walser 2017-11-22 19:42:21 CET
Debian has issued an advisory for this on November 21:
https://www.debian.org/security/2017/dsa-4045
Comment 3 David Walser 2017-11-22 23:57:17 CET
Updated package uploaded for Mageia 5 by Shlomi.  Thanks Shlomi!

Advisory:
========================

avcodec 2.2.x, as used in VideoLAN VLC media player before 2.2.7, allows
out-of-bounds heap memory write due to calling memcpy() with a wrong size,
leading to a denial of service (application crash) or possibly code execution
(CVE-2017-10699).

The VLC packages have been updated to version 2.2.8, which includes various
security improvements in decoders and demuxers, as well as other bug fixes.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10699
https://git.videolan.org/?p=vlc/vlc-2.2.git;a=blob;f=NEWS;h=d9b31b4e5362c7d764f3e6b23b78aaeb0b8bf868;hb=3cc1d8cba982fc988c2a421e42408bb05d1ba37f
https://www.debian.org/security/2017/dsa-4045
========================

Updated packages in {core,tainted}/updates_testing:
========================
vlc-2.2.8-1.0.mga5
libvlc5-2.2.8-1.0.mga5
libvlccore8-2.2.8-1.0.mga5
libvlc-devel-2.2.8-1.0.mga5
vlc-plugin-common-2.2.8-1.0.mga5
vlc-plugin-zvbi-2.2.8-1.0.mga5
vlc-plugin-kate-2.2.8-1.0.mga5
vlc-plugin-libass-2.2.8-1.0.mga5
vlc-plugin-lua-2.2.8-1.0.mga5
vlc-plugin-ncurses-2.2.8-1.0.mga5
vlc-plugin-lirc-2.2.8-1.0.mga5
svlc-2.2.8-1.0.mga5
vlc-plugin-aa-2.2.8-1.0.mga5
vlc-plugin-sdl-2.2.8-1.0.mga5
vlc-plugin-shout-2.2.8-1.0.mga5
vlc-plugin-opengl-2.2.8-1.0.mga5
vlc-plugin-vdpau-2.2.8-1.0.mga5
vlc-plugin-projectm-2.2.8-1.0.mga5
vlc-plugin-theora-2.2.8-1.0.mga5
vlc-plugin-twolame-2.2.8-1.0.mga5
vlc-plugin-fluidsynth-2.2.8-1.0.mga5
vlc-plugin-gme-2.2.8-1.0.mga5
vlc-plugin-schroedinger-2.2.8-1.0.mga5
vlc-plugin-speex-2.2.8-1.0.mga5
vlc-plugin-flac-2.2.8-1.0.mga5
vlc-plugin-dv-2.2.8-1.0.mga5
vlc-plugin-mod-2.2.8-1.0.mga5
vlc-plugin-mpc-2.2.8-1.0.mga5
vlc-plugin-sid-2.2.8-1.0.mga5
vlc-plugin-pulse-2.2.8-1.0.mga5
vlc-plugin-jack-2.2.8-1.0.mga5
vlc-plugin-bonjour-2.2.8-1.0.mga5
vlc-plugin-upnp-2.2.8-1.0.mga5
vlc-plugin-gnutls-2.2.8-1.0.mga5
vlc-plugin-libnotify-2.2.8-1.0.mga5
vlc-plugin-chromaprint-2.2.8-1.0.mga5

from vlc-2.2.8-1.0.mga5.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs
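
The advisory text above names the bug class (a memcpy() whose size comes from the wrong place, writing past the end of a heap buffer) but not what the fix looks like. The C below is an added illustration of that class, not VLC's avcodec code or the upstream commit: it puts the unchecked copy pattern next to a bounded one and adds a check that reports when the unchecked copy would overrun, without performing the write. The packet layout (2-byte length prefix), the nominal frame size and the sample packets are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed packet layout for this example (not VLC's): a 2-byte big-endian
 * payload length followed by the payload bytes. */
#define FRAME_HDR_LEN 2u

/* The decoder's output buffer is sized from the codec's nominal frame, not from
 * the packet; that mismatch is what a length-field memcpy exploits. */
#define NOMINAL_FRAME_BYTES 16u

static size_t read_len16(const uint8_t *pkt) {
    return ((size_t)pkt[0] << 8) | pkt[1];
}

/* Vulnerable pattern: the memcpy size is taken straight from the packet header,
 * so a header claiming more bytes than `out` holds writes past the buffer.
 * Kept only for contrast; never call it on untrusted input. */
static size_t decode_frame_unchecked(uint8_t *out, const uint8_t *pkt) {
    size_t payload_len = read_len16(pkt);
    memcpy(out, pkt + FRAME_HDR_LEN, payload_len); /* attacker chooses the size */
    return payload_len;
}

/* Hardened form: the copy size is bounded by the bytes the packet really carries
 * and by the destination's capacity. Returns bytes copied, or -1 on a malformed
 * or oversized packet so the caller can drop the frame instead of crashing. */
static long decode_frame_checked(uint8_t *out, size_t out_cap,
                                 const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < FRAME_HDR_LEN)
        return -1;                         /* truncated header */
    size_t payload_len = read_len16(pkt);
    if (payload_len > pkt_len - FRAME_HDR_LEN)
        return -1;                         /* header claims bytes that are not there */
    if (payload_len > out_cap)
        return -1;                         /* would overflow the destination */
    memcpy(out, pkt + FRAME_HDR_LEN, payload_len);
    return (long)payload_len;
}

/* Reports, without performing any write, whether the unchecked decoder would
 * overrun an `out_cap`-byte buffer for this packet. */
static int unchecked_would_overflow(size_t out_cap, const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < FRAME_HDR_LEN)
        return 1;                          /* would read the header out of bounds */
    return read_len16(pkt) > out_cap;
}

/* Decodes into a buffer of the nominal frame size and returns the checked
 * decoder's result; this is the entry point a caller or test would use. */
static long decode_into_nominal(const uint8_t *pkt, size_t pkt_len) {
    uint8_t out[NOMINAL_FRAME_BYTES];
    return decode_frame_checked(out, sizeof out, pkt, pkt_len);
}

/* Constructed sample packets. */
static const uint8_t good_pkt[]  = { 0x00, 0x04, 'a', 'b', 'c', 'd' }; /* claims 4, carries 4 */
static const uint8_t lying_pkt[] = { 0x01, 0x00, 'A', 'A', 'A', 'A' }; /* claims 256, carries 4 */
static const uint8_t big_pkt[]   = { 0x00, 0x14,                        /* claims 20, carries 20 */
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19 };

int main(void) {
    uint8_t out[NOMINAL_FRAME_BYTES];

    printf("good  : checked=%ld overflow=%d\n",
           decode_frame_checked(out, sizeof out, good_pkt, sizeof good_pkt),
           unchecked_would_overflow(sizeof out, good_pkt, sizeof good_pkt));
    printf("lying : checked=%ld overflow=%d\n",
           decode_frame_checked(out, sizeof out, lying_pkt, sizeof lying_pkt),
           unchecked_would_overflow(sizeof out, lying_pkt, sizeof lying_pkt));
    printf("big   : checked=%ld overflow=%d\n",
           decode_frame_checked(out, sizeof out, big_pkt, sizeof big_pkt),
           unchecked_would_overflow(sizeof out, big_pkt, sizeof big_pkt));

    /* The unchecked decoder is only safe on a packet that actually fits. */
    printf("unchecked on good packet copied %zu bytes\n",
           decode_frame_unchecked(out, good_pkt));
    return 0;
}
```

The point of the two separate checks in decode_frame_checked() is that a packet can be internally consistent (big_pkt really does carry the 20 bytes it claims) and still be larger than the buffer the caller allocated; checking only the packet, or only the destination, leaves one of the two paths open. To watch the unchecked path fail, build with -fsanitize=address and call decode_frame_unchecked() on lying_pkt; main() deliberately does not.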

Comment 4 Len Lawrence 2017-11-23 13:48:08 CET
Mageia 5 on x86_64 real hardware.

Installed all the packages before enabling updates testing.
Updated them all and tested vlc with a variety of media with a favourite theme enabled (tests svlc to some extent).  No problems or regressions anywhere.
Watched live HD and SD TV.  Used playlist and next button to hop channels.
Audio and subtitles working fine.
Played pure audio files from disk - mp3, flac, ogg, wav.  Loaded m3u format playlist and selected tracks from that.  info button works, file and device selection, volume adjustment, menu and preferences.
Played video files in formats: mp4, mkv, flv, webm, avi, mov and gif (no soundtracks).
Where they were integrated, subtitles could be invoked from the right-click menu on the title bar.  No srt files lying around just now, so independent audio tracks cannot be tested.  Switching between fullscreen and native size works fine.
ShockwaveFlash did not work with vlc.
Next button can be used to skip to the next selection during play.  The previous button either restarts or goes back depending where you are.
Commercial audio CDs play fine as do commercial DVDs.  There is limited interaction with the on-screen menus.  Subtitles for instance have to be invoked from the vlc menu.  All videos can be paused, speeded up or slowed down.

This is all good so far for 64 bits.

Enabled tainted updates and updated everything and ran all the previous tests again.  Added a network test - viewed a Youtube scifi clip.
Everything worked.

CC: (none) => tarazed25

Len Lawrence 2017-11-23 14:03:42 CET

Whiteboard: (none) => MGA5-64-OK

Comment 5 Lewis Smith 2017-11-24 19:37:28 CET
Thank you Len for your usual exhaustive testing.
Validating, advisory uploaded.

CC: (none) => lewyssmith, sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 6 Mageia Robot 2017-11-26 22:19:20 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0424.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 7 Dave Hodgins 2017-11-29 18:02:04 CET
bug 22095 added to get the tainted srpm pushed too.

CC: (none) => davidwhodgins