VLC 3.0.7 has been released on June 6: https://www.videolan.org/developers/vlc-branch/NEWS As the NEWS shows, it fixes a ton of security issues, detailed more here: http://www.jbkempf.com/blog/post/2019/VLC-3.0.7-and-security which points out that some of the issues are actually in faad2, a separate library package. Someone on another distro security team highlighted these commits with changes to faad2: https://git.videolan.org/?p=vlc/vlc-3.0.git;a=commitdiff;h=a31ca516a02678579c312897e648c64135725867;hp=fc62b4d2827fdd79a91f008d50cb4d3e70123ca3 https://git.videolan.org/?p=vlc/vlc-3.0.git;a=commitdiff;h=46ba007cac64adc21ec9ab390ccf8c3a14ed6a19;hp=10aa791068a39acc905ce25b3c13aad48d5c465c and a PoC for a faad2 issue (presumably fixed above) given CVE-2019-6956: https://git.videolan.org/?p=vlc/vlc-3.0.git;a=commitdiff;h=46ba007cac64adc21ec9ab390ccf8c3a14ed6a19;hp=10aa791068a39acc905ce25b3c13aad48d5c465c
Whiteboard: (none) => MGA7TOO, MGA6TOO
Assigning to our registered VLC maintainer, CC'ing some submitters.
CC: (none) => geiger.david68210, lists.jjorge, marja11, nicolas.salguero, smelrorAssignee: bugsquad => shlomif
VLC 3.0.7.1 has been released on June 12, fixing a couple of bugs, and updating the bundled (we'll have to update the system one) libbluray to 1.1.2.
There are some updates in updates_testing.
Yes, please update the two packages in Comment 2 and then ask for everything to be moved to release, otherwise we can't do anything with Mageia 6.
Cauldron packages moved
CC: (none) => tmbWhiteboard: MGA7TOO, MGA6TOO => (none)Version: Cauldron => 6
Assigning to qa for testing.
Assignee: shlomif => qa-bugs
Mageia 6, vlc is in madb but we need a package list. As far as I can make out the POC test confirms that the faad2 issue has been fixed already. Have installed all the tainted updates to vlc but now awaiting further information. Shall test free version on another machine.
CC: (none) => tarazed25
This isn't ready for QA. vlc-3.0.7.1-1.mga6.src.rpm has been built, but neither the libbluray or faad2 updates are available.
Assignee: qa-bugs => shlomifCC: (none) => qa-bugs
faad2-2.8.8-1.mga6 libfaad2-2.8.8-1.mga6 libfaad_drm2-2.8.8-1.mga6 libfaad2-devel-2.8.8-1.mga6 libfaad2-static-devel-2.8.8-1.mga6 libbluray2-1.1.2-1.mga6 libbluray-java-1.1.2-1.mga6 libbluray-devel-1.1.2-1.mga6 libvlc-devel-3.0.7.1-1.mga6 libvlc5-3.0.7.1-1.mga6 libvlccore9-3.0.7.1-1.mga6 svlc-3.0.7.1-1.mga6 vlc-3.0.7.1-1.mga6 vlc-plugin-aa-3.0.7.1-1.mga6 vlc-plugin-chromaprint-3.0.7.1-1.mga6 vlc-plugin-common-3.0.7.1-1.mga6 vlc-plugin-dv-3.0.7.1-1.mga6 vlc-plugin-flac-3.0.7.1-1.mga6 vlc-plugin-fluidsynth-3.0.7.1-1.mga6 vlc-plugin-gme-3.0.7.1-1.mga6 vlc-plugin-gnutls-3.0.7.1-1.mga6 vlc-plugin-jack-3.0.7.1-1.mga6 vlc-plugin-kate-3.0.7.1-1.mga6 vlc-plugin-libass-3.0.7.1-1.mga6 vlc-plugin-libnotify-3.0.7.1-1.mga6 vlc-plugin-lirc-3.0.7.1-1.mga6 vlc-plugin-lua-3.0.7.1-1.mga6 vlc-plugin-mod-3.0.7.1-1.mga6 vlc-plugin-mpc-3.0.7.1-1.mga6 vlc-plugin-ncurses-3.0.7.1-1.mga6 vlc-plugin-opengl-3.0.7.1-1.mga6 vlc-plugin-projectm-3.0.7.1-1.mga6 vlc-plugin-pulse-3.0.7.1-1.mga6 vlc-plugin-schroedinger-3.0.7.1-1.mga6 vlc-plugin-sdl-3.0.7.1-1.mga6 vlc-plugin-shout-3.0.7.1-1.mga6 vlc-plugin-sid-3.0.7.1-1.mga6 vlc-plugin-speex-3.0.7.1-1.mga6 vlc-plugin-theora-3.0.7.1-1.mga6 vlc-plugin-twolame-3.0.7.1-1.mga6 vlc-plugin-upnp-3.0.7.1-1.mga6 vlc-plugin-vdpau-3.0.7.1-1.mga6 vlc-plugin-zvbi-3.0.7.1-1.mga6 from SRPMS: faad2-2.8.8-1.mga6.src.rpm libbluray-1.1.2-1.mga6.src.rpm vlc-3.0.7.1-1.mga6.src.rpm faad2 is only in tainted and vlc is in both core and tainted.
CC: qa-bugs => shlomifAssignee: shlomif => qa-bugs
Testing tainted versions on mga6, x86_64. *Before update* $ rpm -qa | grep faad2 lib64faad2-2.7-10.mga6.tainted faad2-2.7-10.mga6.tainted CVE-2019-6956 https://github.com/TeamSeri0us/pocs/blob/master/faad/global-buffer-overflow%40ps_mix_phase.md $ faad global-buffer-overflow@ps_mix_phase global-buffer-overflow@ps_mix_phase file info: ADTS, 12.416 sec, 37 kbps, 48000 Hz --------------------- | Config: 2 Ch | --------------------- | Ch | Position | --------------------- | 00 | Left front | | 01 | Right front | --------------------- Decoding global-buffer-overflow@ps_mix_phase took: 0.05 sec. 247.35x real-time. The upstream test under the asan framework aborts which probably confirms that faad has already been fixed. *After update* The PoC returned exactly the same result, which seems to confirm the earlier conclusion. vlc worked fine with svlc for MP3, MP4, MOV, and container formats like M4V and MKV, also WMV, AVI, ts and m2t. Tested it with a free-to-air TV feed and video streamed over the network. Subtitles working. No problems with sound or vision. Fullscreen, positioning controls, track skipping, speed control, pause and continue, reversing, snapshots, playlists... everything working as expected. Played audio CD and commercial DVD. No idea how to test the bluray libraries - no free bluray discs if such things exist. There was some such project a while ago. Ubuntu has bluray support for vlc which needs libaacs0 for older blurays, libbluray-bdj and libbluray1 but my drive is DVD only. Tainted updates good for 64-bits.
Mga6, x86_64 Installed the free vlc packages and updated all of them. Played various audio and audio/video files. Checked the functions provided by the interface. TV channels in SD and HD. Audio CDs played fine and non-commercial DVDs (BBC). Good for 64-bits.
Whiteboard: (none) => MGA6-64-OK
Sounds like a thorough test to me, Len. I'm going to give it a 32-bit OK based on a clean install in a vbox guest. Validating. Needs advisory information if that in Comment 0 is insufficient.
CC: (none) => andrewsfarm, sysadmin-bugsWhiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OKKeywords: (none) => validated_update
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0215.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED
This update fixed CVE-2019-5439 in VLC: https://usn.ubuntu.com/4074-1/ https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-5439.html
This update also fixed CVE-2019-12874 in VLC: https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12874.html