Bug 24940 - VLC 3.0.7 (and security issues in faad2)
Summary: VLC 3.0.7 (and security issues in faad2)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-06-11 04:41 CEST by David Walser
Modified: 2019-08-12 01:19 CEST

See Also:
Source RPM: vlc-3.0.6-11.mga7.src.rpm, faad2-2.8.8-3.mga7.tainted.src.rpm
CVE:
Status comment:


Description David Walser 2019-06-11 04:41:08 CEST
VLC 3.0.7 has been released on June 6:
https://www.videolan.org/developers/vlc-branch/NEWS

As the NEWS shows, it fixes a ton of security issues, detailed more here:
http://www.jbkempf.com/blog/post/2019/VLC-3.0.7-and-security

which points out that some of the issues are actually in faad2, a separate library package.  Someone on another distro security team highlighted these commits with changes to faad2:
https://git.videolan.org/?p=vlc/vlc-3.0.git;a=commitdiff;h=a31ca516a02678579c312897e648c64135725867;hp=fc62b4d2827fdd79a91f008d50cb4d3e70123ca3
https://git.videolan.org/?p=vlc/vlc-3.0.git;a=commitdiff;h=46ba007cac64adc21ec9ab390ccf8c3a14ed6a19;hp=10aa791068a39acc905ce25b3c13aad48d5c465c

and a PoC for a faad2 issue (presumably fixed above) given CVE-2019-6956:
https://git.videolan.org/?p=vlc/vlc-3.0.git;a=commitdiff;h=46ba007cac64adc21ec9ab390ccf8c3a14ed6a19;hp=10aa791068a39acc905ce25b3c13aad48d5c465c
David Walser 2019-06-11 04:42:10 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 Marja Van Waes 2019-06-11 12:05:26 CEST
Assigning to our registered VLC maintainer, CC'ing some submitters.

CC: (none) => geiger.david68210, lists.jjorge, marja11, nicolas.salguero, smelror
Assignee: bugsquad => shlomif

Comment 2 David Walser 2019-06-13 13:58:24 CEST
VLC 3.0.7.1 has been released on June 12, fixing a couple of bugs, and updating the bundled (we'll have to update the system one) libbluray to 1.1.2.
Comment 3 Shlomi Fish 2019-06-13 14:05:52 CEST
There are some updates in updates_testing.
Comment 4 David Walser 2019-06-13 14:10:52 CEST
Yes, please update the two packages in Comment 2 and then ask for everything to be moved to release, otherwise we can't do anything with Mageia 6.
Comment 5 Thomas Backlund 2019-06-14 11:11:46 CEST
Cauldron packages moved

CC: (none) => tmb
Whiteboard: MGA7TOO, MGA6TOO => (none)
Version: Cauldron => 6

Comment 6 Shlomi Fish 2019-07-15 11:47:21 CEST
Assigning to qa for testing.

Assignee: shlomif => qa-bugs

Comment 7 Len Lawrence 2019-07-16 21:09:54 CEST
Mageia 6, 
vlc is in madb but we need a package list.
As far as I can make out the POC test confirms that the faad2 issue has been fixed already.

Have installed all the tainted updates to vlc but now awaiting further information.  Shall test free version on another machine.

CC: (none) => tarazed25

Comment 8 David Walser 2019-07-18 22:20:25 CEST
This isn't ready for QA.  vlc-3.0.7.1-1.mga6.src.rpm has been built, but neither the libbluray nor faad2 updates are available.

Assignee: qa-bugs => shlomif
CC: (none) => qa-bugs

Comment 9 David Walser 2019-07-20 15:51:29 CEST
faad2-2.8.8-1.mga6
libfaad2-2.8.8-1.mga6
libfaad_drm2-2.8.8-1.mga6
libfaad2-devel-2.8.8-1.mga6
libfaad2-static-devel-2.8.8-1.mga6
libbluray2-1.1.2-1.mga6
libbluray-java-1.1.2-1.mga6
libbluray-devel-1.1.2-1.mga6
libvlc-devel-3.0.7.1-1.mga6
libvlc5-3.0.7.1-1.mga6
libvlccore9-3.0.7.1-1.mga6
svlc-3.0.7.1-1.mga6
vlc-3.0.7.1-1.mga6
vlc-plugin-aa-3.0.7.1-1.mga6
vlc-plugin-chromaprint-3.0.7.1-1.mga6
vlc-plugin-common-3.0.7.1-1.mga6
vlc-plugin-dv-3.0.7.1-1.mga6
vlc-plugin-flac-3.0.7.1-1.mga6
vlc-plugin-fluidsynth-3.0.7.1-1.mga6
vlc-plugin-gme-3.0.7.1-1.mga6
vlc-plugin-gnutls-3.0.7.1-1.mga6
vlc-plugin-jack-3.0.7.1-1.mga6
vlc-plugin-kate-3.0.7.1-1.mga6
vlc-plugin-libass-3.0.7.1-1.mga6
vlc-plugin-libnotify-3.0.7.1-1.mga6
vlc-plugin-lirc-3.0.7.1-1.mga6
vlc-plugin-lua-3.0.7.1-1.mga6
vlc-plugin-mod-3.0.7.1-1.mga6
vlc-plugin-mpc-3.0.7.1-1.mga6
vlc-plugin-ncurses-3.0.7.1-1.mga6
vlc-plugin-opengl-3.0.7.1-1.mga6
vlc-plugin-projectm-3.0.7.1-1.mga6
vlc-plugin-pulse-3.0.7.1-1.mga6
vlc-plugin-schroedinger-3.0.7.1-1.mga6
vlc-plugin-sdl-3.0.7.1-1.mga6
vlc-plugin-shout-3.0.7.1-1.mga6
vlc-plugin-sid-3.0.7.1-1.mga6
vlc-plugin-speex-3.0.7.1-1.mga6
vlc-plugin-theora-3.0.7.1-1.mga6
vlc-plugin-twolame-3.0.7.1-1.mga6
vlc-plugin-upnp-3.0.7.1-1.mga6
vlc-plugin-vdpau-3.0.7.1-1.mga6
vlc-plugin-zvbi-3.0.7.1-1.mga6

from SRPMS:
faad2-2.8.8-1.mga6.src.rpm
libbluray-1.1.2-1.mga6.src.rpm
vlc-3.0.7.1-1.mga6.src.rpm

faad2 is only in tainted and vlc is in both core and tainted.

CC: qa-bugs => shlomif
Assignee: shlomif => qa-bugs

Comment 10 Len Lawrence 2019-07-22 02:02:12 CEST
Testing tainted versions on mga6, x86_64.

*Before update*
$ rpm -qa | grep faad2
lib64faad2-2.7-10.mga6.tainted
faad2-2.7-10.mga6.tainted

CVE-2019-6956
https://github.com/TeamSeri0us/pocs/blob/master/faad/global-buffer-overflow%40ps_mix_phase.md

$ faad global-buffer-overflow@ps_mix_phase
global-buffer-overflow@ps_mix_phase file info:
ADTS, 12.416 sec, 37 kbps, 48000 Hz

  ---------------------
 | Config:  2 Ch       |
  ---------------------
 | Ch |    Position    |
  ---------------------
 | 00 | Left front     |
 | 01 | Right front    |
  ---------------------

Decoding global-buffer-overflow@ps_mix_phase took:  0.05 sec. 247.35x real-time.

The upstream test under the asan framework aborts which probably confirms that faad has already been fixed.

*After update*
The PoC returned exactly the same result, which seems to confirm the earlier conclusion.

vlc worked fine with svlc for MP3, MP4, MOV, and container formats like M4V and MKV, also WMV, AVI, ts and m2t.  Tested it with a free-to-air TV feed and video streamed over the network.  Subtitles working.  No problems with sound or vision.  Fullscreen, positioning controls, track skipping, speed control, pause and continue, reversing, snapshots, playlists... everything working as expected.  Played audio CD and commercial DVD.
No idea how to test the bluray libraries - no free bluray discs if such things exist.  There was some such project a while ago.  Ubuntu has bluray support for vlc which needs libaacs0 for older blurays, libbluray-bdj and libbluray1 but my drive is DVD only.

Tainted updates good for 64-bits.
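
Added example, not part of the bug report or of any Mageia tooling: a way to check an `rpm -qa` listing against the fixed versions given in Comment 9, so that a pre-update state like the faad2 2.7 packages shown above is flagged. The function names are hypothetical; it assumes the `name-version-release` output format shown in this comment (no architecture suffix) and uses GNU `sort -V` as a stand-in for rpm's own version comparison.

```bash
#!/usr/bin/env bash
# Added example, not from the bug report. Function names are hypothetical.

# Fixed version-release for each package family, from the Comment 9 list.
fixed_for() {
    case "$1" in
        faad2|lib*faad2*|lib*faad_drm2)  echo "2.8.8-1.mga6" ;;
        lib*bluray*)                     echo "1.1.2-1.mga6" ;;
        vlc|svlc|vlc-plugin-*|lib*vlc*)  echo "3.0.7.1-1.mga6" ;;
        *) return 1 ;;
    esac
}

# Classify one "name-version-release" string as printed by `rpm -qa` above.
check_pkg() {
    local nvr=$1 name vr fixed lowest
    name=${nvr%-*-*}              # drop "-version-release"
    vr=${nvr#"$name"-}
    vr=${vr%.tainted}             # tainted builds carry an extra suffix
    fixed=$(fixed_for "$name") || { echo "SKIP $name"; return 0; }
    if [ "$vr" = "$fixed" ]; then
        echo "OK $name"
        return 0
    fi
    # Assumption: GNU sort -V ordering approximates rpm's comparison.
    lowest=$(printf '%s\n%s\n' "$vr" "$fixed" | sort -V | head -n 1)
    if [ "$lowest" = "$vr" ]; then
        echo "OUTDATED $name $vr (fixed in $fixed)"
    else
        echo "OK $name"
    fi
}

# Read a package list on stdin; on a real system: rpm -qa | audit
audit() {
    local line
    while IFS= read -r line; do
        [ -n "$line" ] && check_pkg "$line"
    done
    return 0
}

# Constructed sample: the two "before update" lines from this comment plus
# made-up post-update and unrelated entries.
audit <<'EOF'
lib64faad2-2.7-10.mga6.tainted
faad2-2.7-10.mga6.tainted
vlc-3.0.7.1-1.mga6
lib64bluray2-1.1.2-1.mga6
bash-4.3-48.3.mga6
EOF
```
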
Comment 11 Len Lawrence 2019-07-24 04:55:41 CEST
Mga6, x86_64

Installed the free vlc packages and updated all of them.  Played various audio and audio/video files.  Checked the functions provided by the interface.  TV channels in SD and HD.  Audio CDs played fine and non-commercial DVDs (BBC).

Good for 64-bits.
Len Lawrence 2019-07-24 04:56:05 CEST

Whiteboard: (none) => MGA6-64-OK

Comment 12 Thomas Andrews 2019-07-24 16:24:46 CEST
Sounds like a thorough test to me, Len. I'm going to give it a 32-bit OK based on a clean install in a vbox guest.

Validating. Needs advisory information if that in Comment 0 is insufficient.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK
Keywords: (none) => validated_update

Dave Hodgins 2019-07-25 16:45:34 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 13 Mageia Robot 2019-07-25 21:54:26 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0215.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 14 David Walser 2019-08-12 01:18:00 CEST
This update fixed CVE-2019-5439 in VLC:
https://usn.ubuntu.com/4074-1/
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-5439.html
Comment 15 David Walser 2019-08-12 01:19:21 CEST
This update also fixed CVE-2019-12874 in VLC:
https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12874.html
