Debian has issued an advisory on March 17:
https://www.debian.org/security/2019/dsa-4408

We fixed the first CVE in their advisory in Bug 24071.

The two new issues are fixed in 2019.02.03 and 2019.02.27, respectively:
http://live555.com/liveMedia/public/changelog.txt

As it is statically compiled into mplayer and vlc, those will need to be rebuilt against the updated live package.
Whiteboard: (none) => MGA6TOO
(In reply to David Walser from comment #0)
> Debian has issued an advisory on March 17:
> https://www.debian.org/security/2019/dsa-4408
>
> We fixed the first CVE in their advisory in Bug 24071.
>
> The two new issues are fixed in 2019.02.03 and 2019.02.27, respectively:
> http://live555.com/liveMedia/public/changelog.txt
>
> As it is statically compiled into mplayer and vlc, those will need to be
> rebuilt against the updated live package.

Assigning to all packagers collectively, since there is no registered maintainer for the live package.

Also CC'ing two committers and Shlomi, who maintains mplayer and vlc.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11, nicolas.salguero, shlomif, smelror
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

liblivemedia in Live555 before 2019.02.03 mishandles the termination of an RTSP stream after RTP/RTCP-over-RTSP has been set up, which could lead to a Use-After-Free error that causes the RTSP server to crash (Segmentation fault) or possibly have unspecified other impact. (CVE-2019-7314)

In Live555 before 2019.02.27, malformed headers lead to invalid memory access in the parseAuthorizationHeader function. (CVE-2019-9215)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7314
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9215
https://www.debian.org/security/2019/dsa-4408
http://live555.com/liveMedia/public/changelog.txt
========================

Updated packages in core/updates_testing:
========================
live-2019.03.06-1.mga6
live-devel-2019.03.06-1.mga6
vlc-3.0.5-3.mga6
lib(64)vlc5-3.0.5-3.mga6
lib(64)vlccore9-3.0.5-3.mga6
lib(64)vlc-devel-3.0.5-3.mga6
vlc-plugin-common-3.0.5-3.mga6
vlc-plugin-zvbi-3.0.5-3.mga6
vlc-plugin-kate-3.0.5-3.mga6
vlc-plugin-libass-3.0.5-3.mga6
vlc-plugin-lua-3.0.5-3.mga6
vlc-plugin-ncurses-3.0.5-3.mga6
vlc-plugin-lirc-3.0.5-3.mga6
svlc-3.0.5-3.mga6
vlc-plugin-aa-3.0.5-3.mga6
vlc-plugin-sdl-3.0.5-3.mga6
vlc-plugin-shout-3.0.5-3.mga6
vlc-plugin-opengl-3.0.5-3.mga6
vlc-plugin-vdpau-3.0.5-3.mga6
vlc-plugin-projectm-3.0.5-3.mga6
vlc-plugin-theora-3.0.5-3.mga6
vlc-plugin-twolame-3.0.5-3.mga6
vlc-plugin-fluidsynth-3.0.5-3.mga6
vlc-plugin-gme-3.0.5-3.mga6
vlc-plugin-schroedinger-3.0.5-3.mga6
vlc-plugin-speex-3.0.5-3.mga6
vlc-plugin-flac-3.0.5-3.mga6
vlc-plugin-dv-3.0.5-3.mga6
vlc-plugin-mod-3.0.5-3.mga6
vlc-plugin-mpc-3.0.5-3.mga6
vlc-plugin-sid-3.0.5-3.mga6
vlc-plugin-pulse-3.0.5-3.mga6
vlc-plugin-jack-3.0.5-3.mga6
vlc-plugin-upnp-3.0.5-3.mga6
vlc-plugin-gnutls-3.0.5-3.mga6
vlc-plugin-libnotify-3.0.5-3.mga6
vlc-plugin-chromaprint-3.0.5-3.mga6
mplayer-1.3.0-14.mga6
mplayer-doc-1.3.0-14.mga6
mplayer-gui-1.3.0-14.mga6
mencoder-1.3.0-14.mga6

from SRPMS:
live-2019.03.06-1.mga6.src.rpm
vlc-3.0.5-3.mga6.src.rpm
mplayer-1.3.0-14.mga6.src.rpm

Updated packages in tainted/updates_testing:
========================
vlc-3.0.5-3.mga6.tainted
lib(64)vlc5-3.0.5-3.mga6.tainted
lib(64)vlccore9-3.0.5-3.mga6.tainted
lib(64)vlc-devel-3.0.5-3.mga6.tainted
vlc-plugin-common-3.0.5-3.mga6.tainted
vlc-plugin-zvbi-3.0.5-3.mga6.tainted
vlc-plugin-kate-3.0.5-3.mga6.tainted
vlc-plugin-libass-3.0.5-3.mga6.tainted
vlc-plugin-lua-3.0.5-3.mga6.tainted
vlc-plugin-ncurses-3.0.5-3.mga6.tainted
vlc-plugin-lirc-3.0.5-3.mga6.tainted
svlc-3.0.5-3.mga6.tainted
vlc-plugin-aa-3.0.5-3.mga6.tainted
vlc-plugin-sdl-3.0.5-3.mga6.tainted
vlc-plugin-shout-3.0.5-3.mga6.tainted
vlc-plugin-opengl-3.0.5-3.mga6.tainted
vlc-plugin-vdpau-3.0.5-3.mga6.tainted
vlc-plugin-projectm-3.0.5-3.mga6.tainted
vlc-plugin-theora-3.0.5-3.mga6.tainted
vlc-plugin-twolame-3.0.5-3.mga6.tainted
vlc-plugin-fluidsynth-3.0.5-3.mga6.tainted
vlc-plugin-gme-3.0.5-3.mga6.tainted
vlc-plugin-schroedinger-3.0.5-3.mga6.tainted
vlc-plugin-speex-3.0.5-3.mga6.tainted
vlc-plugin-flac-3.0.5-3.mga6.tainted
vlc-plugin-dv-3.0.5-3.mga6.tainted
vlc-plugin-mod-3.0.5-3.mga6.tainted
vlc-plugin-mpc-3.0.5-3.mga6.tainted
vlc-plugin-sid-3.0.5-3.mga6.tainted
vlc-plugin-pulse-3.0.5-3.mga6.tainted
vlc-plugin-jack-3.0.5-3.mga6.tainted
vlc-plugin-upnp-3.0.5-3.mga6.tainted
vlc-plugin-gnutls-3.0.5-3.mga6.tainted
vlc-plugin-libnotify-3.0.5-3.mga6.tainted
vlc-plugin-chromaprint-3.0.5-3.mga6.tainted
mplayer-1.3.0-14.mga6.tainted
mplayer-doc-1.3.0-14.mga6.tainted
mplayer-gui-1.3.0-14.mga6.tainted
mencoder-1.3.0-14.mga6.tainted

from SRPMS:
vlc-3.0.5-3.mga6.tainted.src.rpm
mplayer-1.3.0-14.mga6.tainted.src.rpm

Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA6TOO => (none)
CVE: (none) => CVE-2019-7314, CVE-2019-9215
Status: NEW => ASSIGNED
Version: Cauldron => 6
Thanks for working on this Nicolas! Since we have to push VLC anyway, could you update Mageia 6 to 3.0.6?
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

liblivemedia in Live555 before 2019.02.03 mishandles the termination of an RTSP stream after RTP/RTCP-over-RTSP has been set up, which could lead to a Use-After-Free error that causes the RTSP server to crash (Segmentation fault) or possibly have unspecified other impact. (CVE-2019-7314)

In Live555 before 2019.02.27, malformed headers lead to invalid memory access in the parseAuthorizationHeader function. (CVE-2019-9215)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7314
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9215
https://www.debian.org/security/2019/dsa-4408
http://live555.com/liveMedia/public/changelog.txt
========================

Updated packages in core/updates_testing:
========================
live-2019.03.06-1.mga6
live-devel-2019.03.06-1.mga6
vlc-3.0.6-1.mga6
lib(64)vlc5-3.0.6-1.mga6
lib(64)vlccore9-3.0.6-1.mga6
lib(64)vlc-devel-3.0.6-1.mga6
vlc-plugin-common-3.0.6-1.mga6
vlc-plugin-zvbi-3.0.6-1.mga6
vlc-plugin-kate-3.0.6-1.mga6
vlc-plugin-libass-3.0.6-1.mga6
vlc-plugin-lua-3.0.6-1.mga6
vlc-plugin-ncurses-3.0.6-1.mga6
vlc-plugin-lirc-3.0.6-1.mga6
svlc-3.0.6-1.mga6
vlc-plugin-aa-3.0.6-1.mga6
vlc-plugin-sdl-3.0.6-1.mga6
vlc-plugin-shout-3.0.6-1.mga6
vlc-plugin-opengl-3.0.6-1.mga6
vlc-plugin-vdpau-3.0.6-1.mga6
vlc-plugin-projectm-3.0.6-1.mga6
vlc-plugin-theora-3.0.6-1.mga6
vlc-plugin-twolame-3.0.6-1.mga6
vlc-plugin-fluidsynth-3.0.6-1.mga6
vlc-plugin-gme-3.0.6-1.mga6
vlc-plugin-schroedinger-3.0.6-1.mga6
vlc-plugin-speex-3.0.6-1.mga6
vlc-plugin-flac-3.0.6-1.mga6
vlc-plugin-dv-3.0.6-1.mga6
vlc-plugin-mod-3.0.6-1.mga6
vlc-plugin-mpc-3.0.6-1.mga6
vlc-plugin-sid-3.0.6-1.mga6
vlc-plugin-pulse-3.0.6-1.mga6
vlc-plugin-jack-3.0.6-1.mga6
vlc-plugin-upnp-3.0.6-1.mga6
vlc-plugin-gnutls-3.0.6-1.mga6
vlc-plugin-libnotify-3.0.6-1.mga6
vlc-plugin-chromaprint-3.0.6-1.mga6
mplayer-1.3.0-14.mga6
mplayer-doc-1.3.0-14.mga6
mplayer-gui-1.3.0-14.mga6
mencoder-1.3.0-14.mga6

from SRPMS:
live-2019.03.06-1.mga6.src.rpm
vlc-3.0.6-1.mga6.src.rpm
mplayer-1.3.0-14.mga6.src.rpm

Updated packages in tainted/updates_testing:
========================
vlc-3.0.6-1.mga6.tainted
lib(64)vlc5-3.0.6-1.mga6.tainted
lib(64)vlccore9-3.0.6-1.mga6.tainted
lib(64)vlc-devel-3.0.6-1.mga6.tainted
vlc-plugin-common-3.0.6-1.mga6.tainted
vlc-plugin-zvbi-3.0.6-1.mga6.tainted
vlc-plugin-kate-3.0.6-1.mga6.tainted
vlc-plugin-libass-3.0.6-1.mga6.tainted
vlc-plugin-lua-3.0.6-1.mga6.tainted
vlc-plugin-ncurses-3.0.6-1.mga6.tainted
vlc-plugin-lirc-3.0.6-1.mga6.tainted
svlc-3.0.6-1.mga6.tainted
vlc-plugin-aa-3.0.6-1.mga6.tainted
vlc-plugin-sdl-3.0.6-1.mga6.tainted
vlc-plugin-shout-3.0.6-1.mga6.tainted
vlc-plugin-opengl-3.0.6-1.mga6.tainted
vlc-plugin-vdpau-3.0.6-1.mga6.tainted
vlc-plugin-projectm-3.0.6-1.mga6.tainted
vlc-plugin-theora-3.0.6-1.mga6.tainted
vlc-plugin-twolame-3.0.6-1.mga6.tainted
vlc-plugin-fluidsynth-3.0.6-1.mga6.tainted
vlc-plugin-gme-3.0.6-1.mga6.tainted
vlc-plugin-schroedinger-3.0.6-1.mga6.tainted
vlc-plugin-speex-3.0.6-1.mga6.tainted
vlc-plugin-flac-3.0.6-1.mga6.tainted
vlc-plugin-dv-3.0.6-1.mga6.tainted
vlc-plugin-mod-3.0.6-1.mga6.tainted
vlc-plugin-mpc-3.0.6-1.mga6.tainted
vlc-plugin-sid-3.0.6-1.mga6.tainted
vlc-plugin-pulse-3.0.6-1.mga6.tainted
vlc-plugin-jack-3.0.6-1.mga6.tainted
vlc-plugin-upnp-3.0.6-1.mga6.tainted
vlc-plugin-gnutls-3.0.6-1.mga6.tainted
vlc-plugin-libnotify-3.0.6-1.mga6.tainted
vlc-plugin-chromaprint-3.0.6-1.mga6.tainted
mplayer-1.3.0-14.mga6.tainted
mplayer-doc-1.3.0-14.mga6.tainted
mplayer-gui-1.3.0-14.mga6.tainted
mencoder-1.3.0-14.mga6.tainted

from SRPMS:
vlc-3.0.6-1.mga6.tainted.src.rpm
mplayer-1.3.0-14.mga6.tainted.src.rpm
Starting on this for 64-bits having tested it earlier this year. Shall post results for core and tainted separately. This shall likely take about 24 hours, maybe more.
CC: (none) => tarazed25
mga6, x86_64

Pre-update: reverted vlc and mplayer to core versions. live-2018.11.26-1.mga6.x86_64 already installed.

Updated everything listed, from core updates testing.

Moved to another machine on the LAN and installed and updated live555. Started the server on the remote machine, vega.

$ cd /data/TV/movies
$ live555MediaServer
LIVE555 Media Server
version 0.96 (LIVE555 Streaming Media library version 2019.03.06).
Play streams from this server using the URL
rtsp://192.168.1.<...>:8554/<filename>
where <filename> is a file present in the current directory.
Each file's type is inferred from its name suffix:
".264" => a H.264 Video Elementary Stream file
[...]
".webm" => a WebM audio(Vorbis)+video(VP8) file
See http://www.live555.com/mediaServer/ for additional documentation.
(We use port 8000 for optional RTSP-over-HTTP tunneling, or for HTTP live streaming (for indexed Transport Stream files only).)

Back to the test machine.

Started vlc -> Menu -> Open Media -> Open Network Stream
Pasted the name of the remote file into the address box and pressed play; the film started playing - sound working fine - also subtitles.
Used address rtsp://vega:8554/TheGirlWithTheDragonTattoo.ts

Note that I have no idea how to set up RTSP over HTTP or how you would stream it to a player.

Used gmplayer to launch mplayer-gui but could not figure out how to access the network. It works fine with local files.

Checked vlc and live555 with mkv as well.

Note that it is very precise about which formats are supported (as inferred from the file extension); mp4, m2t are not accepted. Nor are subdirectories in names. The server must be running in the directory containing the required files.

Eventually figured out the mplayer procedure: right-clicked on the gui and selected 'Open' then 'URL' from the dropdown list and typed in the remote address just as in vlc. That established a connection with vega and began playing the film but with strange artefacts - horizontal green lines flashing across the screen. Various messages in the log might be relevant - material for a bug report maybe. Anyway, it works.
Continuing from comments 6 and 7.

Updated 39 packages from tainted updates testing. The Live555 server was still running on vega.

Launched vlc and successfully streamed a video over RTSP to the local machine. Subtitles and sound working for .ts format.

Tried mplayer. That worked also; no visual artefacts this time but also still no subtitles although subtitle autoloading was enabled. The menu allows the user to load an external subtitle track but in this case the track is internal and not recognized. mplayer cannot autoload the subtitle track even for a local .ts file although it has had no trouble in the past with external .srt files.

This update looks fine for 64-bits on local hardware and a local network.
Whiteboard: (none) => MGA6-64-OK
Withdrawing the OK for this update to investigate the mplayer option -rtsp-stream-over-http. Found in man pages - LIVE555 only is specified for this option.

It would be good to test this mode because one of the CVEs is concerned with just this. It would not reproduce the issue but would show that the fix has not broken anything.
Whiteboard: MGA6-64-OK => (none)
Re: comment #9.

What I tried was:

$ mplayer -rtsp-stream-over-http -playlist playlist

where playlist contained one line:

rtsp://vega:8554/TheGirlWithTheDragonTattoo.ts

That played but it was not obvious that http was being used. The log contains:

Connecting to server vega[...]: 8554...
librtsp: server responds: 'RTSP/1.0 454 Session Not Found'
rtsp_session: unsupported RTSP server. Server type is 'unknown'.
STREAM_LIVE555, URL: rtsp://vega:8554/TheGirlWithTheDragonTattoo.ts
file format detected.
Created new TCP socket 3 for connection
Initiated "video/MP2T" RTP subsession on port 52182

live555 had noted earlier that 8000 was used for http, so another try with a different address in playlist.

rtsp://vega:8000/TheGirlWithTheDragonTattoo.ts

Log shows:

Connecting to server vega[...]: 8000...
librtsp: server responds: 'RTSP/1.0 454 Session Not Found'
rtsp_session: unsupported RTSP server. Server type is 'unknown'.
STREAM_LIVE555, URL: rtsp://vega:8000/TheGirlWithTheDragonTattoo.ts
file format detected.
Created new TCP socket 3 for connection
Initiated "video/MP2T" RTP subsession on port 47504

The video plays but I cannot be certain that rtsp is piggybacking on http.

As a last resort I tried netstat while the film was playing.

# netstat -p | grep <RTP subsession port number>

which found nothing.
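The tester above could not tell from mplayer's log whether the RTSP session was really tunnelled over HTTP on port 8000. What distinguishes the tunnel on the wire is the two-connection handshake: an HTTP GET and an HTTP POST to the same path carrying the same x-sessioncookie, with RTSP requests base64-encoded in the POST body and RTSP replies returned on the GET connection. The following is an added example, not code from this bug report, from LIVE555 or from mplayer: both sides of that handshake modelled in memory. It follows the QuickTime-style tunnel convention that LIVE555 implements; the header set, the cookie value, the stream path and the toy RTSP layer (which answers OPTIONS only) are assumptions made for the illustration.

```python
"""Added example (not LIVE555's or mplayer's code): the RTSP-over-HTTP tunnel
handshake. Client builds a GET and a POST paired by x-sessioncookie; the
server pairs them and decodes the base64 RTSP request from the POST body."""
import base64

TUNNEL_CT = "application/x-rtsp-tunnelled"  # content type used by the tunnel


def build_tunnel_get(path: str, cookie: str) -> str:
    """Client, connection 1: the GET on which every RTSP reply comes back."""
    return (
        f"GET {path} HTTP/1.0\r\n"
        f"x-sessioncookie: {cookie}\r\n"
        f"Accept: {TUNNEL_CT}\r\n"
        "Pragma: no-cache\r\n"
        "Cache-Control: no-cache\r\n\r\n"
    )


def build_tunnel_post(path: str, cookie: str, rtsp_request: str) -> str:
    """Client, connection 2: the POST that carries base64 RTSP requests.
    The same cookie lets the server pair it with the GET."""
    body = base64.b64encode(rtsp_request.encode()).decode()
    return (
        f"POST {path} HTTP/1.0\r\n"
        f"x-sessioncookie: {cookie}\r\n"
        f"Content-Type: {TUNNEL_CT}\r\n"
        "Content-Length: 32767\r\n\r\n"  # nominal length: the body stays open
        + body
    )


def parse_http(msg: str):
    """Split request line, headers (lower-cased names) and body."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def handle_rtsp(request: str) -> str:
    """Toy RTSP layer (constructed for the example): answers OPTIONS only."""
    lines = request.split("\r\n")
    method = lines[0].split(" ")[0]
    cseq = "0"
    for line in lines[1:]:
        if line.lower().startswith("cseq:"):
            cseq = line.split(":", 1)[1].strip()
    if method == "OPTIONS":
        return (f"RTSP/1.0 200 OK\r\nCSeq: {cseq}\r\n"
                "Public: OPTIONS, DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE\r\n\r\n")
    return f"RTSP/1.0 501 Not Implemented\r\nCSeq: {cseq}\r\n\r\n"


class TunnelServer:
    """Server side: pairs the two HTTP connections by cookie and path."""

    def __init__(self):
        self.pending = {}  # cookie -> path of a GET still waiting for its POST

    def handle_get(self, msg: str) -> str:
        method, path, headers, _ = parse_http(msg)
        cookie = headers.get("x-sessioncookie")
        if method != "GET" or not cookie or headers.get("accept") != TUNNEL_CT:
            return "HTTP/1.0 400 Bad Request\r\n\r\n"
        self.pending[cookie] = path
        return f"HTTP/1.0 200 OK\r\nContent-Type: {TUNNEL_CT}\r\n\r\n"

    def handle_post(self, msg: str):
        """Return the RTSP reply destined for the paired GET connection,
        or None when the POST matches no open GET (nothing reaches RTSP)."""
        method, path, headers, body = parse_http(msg)
        cookie = headers.get("x-sessioncookie")
        if method != "POST" or self.pending.get(cookie) != path:
            return None
        return handle_rtsp(base64.b64decode(body).decode())


def run_exchange(path="/TheGirlWithTheDragonTattoo.ts",
                 cookie="constructed-cookie-1234"):
    """Full handshake followed by one tunnelled OPTIONS request."""
    server = TunnelServer()
    get_reply = server.handle_get(build_tunnel_get(path, cookie))
    options = f"OPTIONS rtsp://vega:8000{path} RTSP/1.0\r\nCSeq: 1\r\n\r\n"
    rtsp_reply = server.handle_post(build_tunnel_post(path, cookie, options))
    return get_reply, rtsp_reply


if __name__ == "__main__":
    for part in run_exchange():
        print(part)
```

The practical point for the test in this thread: a plain RTSP session shows a single TCP connection to 8554 with readable `OPTIONS`/`DESCRIBE` lines, whereas the tunnel shows two HTTP connections to 8000 whose GET and POST share one x-sessioncookie, so a capture on port 8000 (rather than the mplayer log) is what settles whether -rtsp-stream-over-http was in effect.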
Since this has not attracted any comments I am going to pass it as is.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Addendum to the advisory:

Also, VLC has been updated to version 3.0.6.

References:
https://www.videolan.org/developers/vlc-branch/NEWS

Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0121.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED