Ubuntu has issued an advisory on July 25: https://usn.ubuntu.com/4074-1/ The issue is fixed upstream in git, post-3.0.7.1: https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13602.html Mageia 6 and Mageia 7 are also affected.
Whiteboard: (none) => MGA7TOO, MGA6TOO
version 3.0.8 released with 12 CVE's: https://www.videolan.org/security/sb-vlc308.html CVE-2019-13602, CVE-2019-13962, CVE-2019-14437, CVE-2019-14438, CVE-2019-14498, CVE-2019-14533, CVE-2019-14534, CVE-2019-14535, CVE-2019-14776, CVE-2019-14777, CVE-2019-14778, CVE-2019-14970
CC: (none) => mageia
And for reference, the NEWS file for 3.0.8: https://www.videolan.org/developers/vlc-branch/NEWS
vlc-3.0.8-1.mga8 uploaded for Cauldron by Shlomi (in tainted, core to come).
Version: Cauldron => 7
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
Still waiting for a Mageia 6 build, but Shlomi built a Mageia 7 update.

vlc-3.0.8-1.mga7
lib64vlc5-3.0.8-1.mga7
lib64vlccore9-3.0.8-1.mga7
lib64vlc-devel-3.0.8-1.mga7
vlc-plugin-common-3.0.8-1.mga7
vlc-plugin-zvbi-3.0.8-1.mga7
vlc-plugin-kate-3.0.8-1.mga7
vlc-plugin-libass-3.0.8-1.mga7
vlc-plugin-lua-3.0.8-1.mga7
vlc-plugin-ncurses-3.0.8-1.mga7
vlc-plugin-lirc-3.0.8-1.mga7
svlc-3.0.8-1.mga7
vlc-plugin-aa-3.0.8-1.mga7
vlc-plugin-sdl-3.0.8-1.mga7
vlc-plugin-shout-3.0.8-1.mga7
vlc-plugin-opengl-3.0.8-1.mga7
vlc-plugin-vdpau-3.0.8-1.mga7
vlc-plugin-projectm-3.0.8-1.mga7
vlc-plugin-theora-3.0.8-1.mga7
vlc-plugin-twolame-3.0.8-1.mga7
vlc-plugin-fluidsynth-3.0.8-1.mga7
vlc-plugin-gme-3.0.8-1.mga7
vlc-plugin-schroedinger-3.0.8-1.mga7
vlc-plugin-speex-3.0.8-1.mga7
vlc-plugin-flac-3.0.8-1.mga7
vlc-plugin-dv-3.0.8-1.mga7
vlc-plugin-mod-3.0.8-1.mga7
vlc-plugin-mpc-3.0.8-1.mga7
vlc-plugin-sid-3.0.8-1.mga7
vlc-plugin-sndio-3.0.8-1.mga7
vlc-plugin-pulse-3.0.8-1.mga7
vlc-plugin-jack-3.0.8-1.mga7
vlc-plugin-upnp-3.0.8-1.mga7
vlc-plugin-gnutls-3.0.8-1.mga7
vlc-plugin-libnotify-3.0.8-1.mga7
vlc-plugin-chromaprint-3.0.8-1.mga7
vlc-plugin-samba-3.0.8-1.mga7
Submitted mga6 core update now.
Mageia 6 package list:

vlc-3.0.8-1.mga6
libvlc5-3.0.8-1.mga6
libvlccore9-3.0.8-1.mga6
libvlc-devel-3.0.8-1.mga6
vlc-plugin-common-3.0.8-1.mga6
vlc-plugin-zvbi-3.0.8-1.mga6
vlc-plugin-kate-3.0.8-1.mga6
vlc-plugin-libass-3.0.8-1.mga6
vlc-plugin-lua-3.0.8-1.mga6
vlc-plugin-ncurses-3.0.8-1.mga6
vlc-plugin-lirc-3.0.8-1.mga6
svlc-3.0.8-1.mga6
vlc-plugin-aa-3.0.8-1.mga6
vlc-plugin-sdl-3.0.8-1.mga6
vlc-plugin-shout-3.0.8-1.mga6
vlc-plugin-opengl-3.0.8-1.mga6
vlc-plugin-vdpau-3.0.8-1.mga6
vlc-plugin-projectm-3.0.8-1.mga6
vlc-plugin-theora-3.0.8-1.mga6
vlc-plugin-twolame-3.0.8-1.mga6
vlc-plugin-fluidsynth-3.0.8-1.mga6
vlc-plugin-gme-3.0.8-1.mga6
vlc-plugin-schroedinger-3.0.8-1.mga6
vlc-plugin-speex-3.0.8-1.mga6
vlc-plugin-flac-3.0.8-1.mga6
vlc-plugin-dv-3.0.8-1.mga6
vlc-plugin-mod-3.0.8-1.mga6
vlc-plugin-mpc-3.0.8-1.mga6
vlc-plugin-sid-3.0.8-1.mga6
vlc-plugin-pulse-3.0.8-1.mga6
vlc-plugin-jack-3.0.8-1.mga6
vlc-plugin-upnp-3.0.8-1.mga6
vlc-plugin-gnutls-3.0.8-1.mga6
vlc-plugin-libnotify-3.0.8-1.mga6
vlc-plugin-chromaprint-3.0.8-1.mga6
Mageia 6 tainted build failed though:
http://pkgsubmit.mageia.org/uploads/failure/6/tainted/updates_testing/20190823191827.shlomif.duvel.41942/log/vlc-3.0.8-1.mga6.tainted/build.0.20190823191902.log

Package list error:
error: File not found: /home/iurt/rpmbuild/BUILDROOT/vlc-3.0.8-1.mga6.tainted.i386/usr/lib/vlc/plugins/demux/libmkv_plugin.so
Mageia 6 tainted build uploaded by Shlomi. Assigning to QA.
Assignee: shlomif => qa-bugs
CC: (none) => shlomif
Well, this now regresses on Mageia 6 if it drops matroska support... I think the proper fix would have been to fix this:

checking for MATROSKA... no
configure: WARNING: Library libebml >= 1.3.6 libmatroska needed for matroska was not found

We have 1.3.7 in mga7, maybe that should have been updated on mga6 too.
CC: (none) => tmb
Good catch, agreed.
Assignee: qa-bugs => shlomif
CC: shlomif => qa-bugs
Thomas, it would help if you could delete the VLC build from Mageia 6 tainted updates_testing, so it can be rebuilt with the fix without messing with the release tag. Otherwise, all 5 other builds (6 core, 7 both and 8 both) will all have to be rebuilt.

libebml update for 6:
libebml4-1.3.7-1.mga6
libebml-devel-1.3.7-1.mga6
Mga 6 vlc removed... Unfortunately I read too fast, so I nuked the core build too :( So both core and tainted need re-submitting.
Thanks Thomas. That's ok, that way they'll both be built from the same commit.
I've re-pushed vlc-3.0.8-1.mga6 to mga6 core/tainted updates_testing with the matroska plugin added back in the filelists, and they are now all built and mirroring out.
Thanks Thomas! Package lists in Comment 11, Comment 6, and Comment 4. Advisory to come.
CC: qa-bugs => shlomif
Assignee: shlomif => qa-bugs
mga6, x86_64

Enabled core updates testing and updated all the packages.

$ rpm -qa | grep vlc
lib64vlccore9-3.0.8-1.mga6
vlc-plugin-lua-3.0.8-1.mga6
vlc-plugin-common-3.0.8-1.mga6
[...]

Using DestroyVLC.vlt theme. Used Open->File->Add->Play to select and play input. Tried an MP3 file then the same track as an MP4 music video. In the gui, speed controls, fullscreen, Info, mute, volume control, Playlist, pause, all worked fine.

Switched to cli for convenience using an alias.
alias vlcx='vlc --avcodec-hw none --key-subtitle-toggle u '

Tried a variety of other audiofile and video formats; m4v, flac, ogg, wav, avi, mp4, divx, webm, mkv, m2t, ts, mov, swf and wmv. Subtitles could be enabled if available.

$ vlcx LaFollia.webm
A 4K music video from Voices Of Music which displayed at native resolution on a 4K monitor.

$ vlc channels.xspf
Displays TV from a free-to-air antenna connection through a DVB adapter. The playlist becomes the channel list. Subtitles work. HD channels also.

Audio CDs are detected and can be played. Home-spun video DVDs play fine using
$ vlc /dev/sr0
Commercial DVDs are detected and play fine with vlc. Subtitles come up when required.

Anyway, looks like it is all working. Shall test the tainted version later.
CC: (none) => tarazed25
Debian has issued an advisory for this on August 20:
https://www.debian.org/security/2019/dsa-4504

Advisory:
========================

Updated vlc packages fixes security vulnerabilities:

Multiple security issues were discovered in the VLC media player, which could result in the execution of arbitrary code or denial of service if a malformed file/stream is processed (CVE-2019-13602, CVE-2019-13962, CVE-2019-14437, CVE-2019-14438, CVE-2019-14498, CVE-2019-14533, CVE-2019-14534, CVE-2019-14535, CVE-2019-14776, CVE-2019-14777, CVE-2019-14778, CVE-2019-14970).

The vlc package has been updated to version 3.0.8, fixing these issues and other bugs. In Mageia 6, the libebml package has been updated to version 1.3.7, which is needed for Matroska support.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13602
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13962
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14437
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14498
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14533
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14534
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14535
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14778
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14970
https://www.videolan.org/security/sb-vlc308.html
https://www.videolan.org/developers/vlc-branch/NEWS
https://www.debian.org/security/2019/dsa-4504
mga6, x86_64

Updated from free version to tainted vlc.

$ rpm -qa | grep vlc
vlc-plugin-aa-3.0.8-1.mga6.tainted
vlc-plugin-libass-3.0.8-1.mga6.tainted
vlc-plugin-mod-3.0.8-1.mga6.tainted
vlc-3.0.8-1.mga6.tainted
[...]
36 packages.

Used skinned interface to create a playlist containing mp4, mkv and flv files. Exercised the gui controls. Ran vlc from the command line to play a variety of audio and video file formats, as listed in comment 16. Manipulated the progress bar in the gui to skip frames. Enabled subtitles where they were available.

Used the following command to play a user created DVD.
$ vlc /dev/sr0

Loaded a commercial audio CD and selected "skinned vlc player" to see the playlist and select tracks.

Pointed vlc at Youtube to play a music video.
$ vlc http://www.youtube.com/watch?v=VdQY7BusJNU

Watched freeview TV with subtitles where available.
$ vlc channels.xspf
dvb tuner connected to antenna socket.

No regressions. All looks good.
Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK MGA6-64-OK
Whiteboard: MGA6TOO MGA7-64-OK MGA6-64-OK => MGA6TOO MGA6-64-OK
In VirtualBox, M7, Plasma, 64-bit

Package(s) under test: vlc

default install of vlc

[root@localhost wilcal]# urpmi vlc
Package vlc-3.0.7.1-1.mga7.tainted.x86_64 is already installed

VLC works
Plays content on local computer and from a DLNA server on the LAN

install vlc from updates_testing

To satisfy dependencies, the following package(s) also need to be installed:
- lib64vlc5-3.0.8-1.mga7.tainted.x86_64
- lib64vlccore9-3.0.8-1.mga7.tainted.x86_64
- svlc-3.0.8-1.mga7.tainted.x86_64
- vlc-plugin-common-3.0.8-1.mga7.tainted.x86_64
- vlc-plugin-flac-3.0.8-1.mga7.tainted.x86_64
- vlc-plugin-lua-3.0.8-1.mga7.tainted.x86_64
- vlc-plugin-pulse-3.0.8-1.mga7.tainted.x86_64
- vlc-plugin-samba-3.0.8-1.mga7.tainted.x86_64
- vlc-plugin-speex-3.0.8-1.mga7.tainted.x86_64
- vlc-plugin-theora-3.0.8-1.mga7.tainted.x86_64
- vlc-plugin-upnp-3.0.8-1.mga7.tainted.x86_64
- vlc-plugin-vdpau-3.0.8-1.mga7.tainted.x86_64

[root@localhost wilcal]# urpmi vlc
Package vlc-3.0.8-1.mga7.tainted.x86_64 is already installed

VLC works
Plays content on local computer and from a DLNA server on the LAN
CC: (none) => wilcal.int
Whiteboard: MGA6TOO MGA6-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK
In VirtualBox, M7, Gnome, 32-bit

Package(s) under test: vlc

default install of vlc

To satisfy dependencies, the following package(s) also need to be installed:
- fonts-ttf-bitstream-vera-1.10-17.mga7.noarch
- libcddb2-1.3.2-17.mga7.i586
- libcrystalhd-common-0-0.20110315.12.mga7.i586
- libcrystalhd3-0-0.20110315.12.mga7.i586
- libdvbpsi10-1.3.2-2.mga7.i586
- libdvdcss2-1.4.2-2.mga7.tainted.i586
- libebml4-1.3.7-1.mga7.i586
- libmatroska6-1.5.0-2.mga7.i586
- libmpeg2dec0-0.5.1-13.mga7.i586
- libopencv_calib3d3.4-3.4.5-2.mga7.i586
- libopencv_flann3.4-3.4.5-2.mga7.i586
- libopencv_highgui3.4-3.4.5-2.mga7.i586
- libopencv_imgcodecs3.4-3.4.5-2.mga7.i586
- libopencv_objdetect3.4-3.4.5-2.mga7.i586
- libprotobuf-lite17-3.6.1-1.mga7.i586
- libvlc5-3.0.7.1-1.mga7.tainted.i586
- libvlccore9-3.0.7.1-1.mga7.tainted.i586
- libxcb-composite0-1.13.1-1.mga7.i586
- libxcb-xv0-1.13.1-1.mga7.i586
- vlc-plugin-common-3.0.7.1-1.mga7.i586
- vlc-plugin-lua-3.0.7.1-1.mga7.tainted.i586
- vlc-plugin-pulse-3.0.7.1-1.mga7.tainted.i586
- vlc-plugin-samba-3.0.7.1-1.mga7.tainted.i586
- vlc-plugin-theora-3.0.7.1-1.mga7.tainted.i586
- vlc-plugin-vdpau-3.0.7.1-1.mga7.i586
- vlc-plugin-upnp-3.0.7.1-1.mga7.tainted.i586
- libixml10-1.8.4-3.mga7.i586
- libupnp13-1.8.4-3.mga7.i586

[root@localhost wilcal]# urpmi vlc
Package vlc-3.0.7.1-1.mga7.tainted.i586 is already installed

VLC works
Plays content on local computer and from a DLNA server on the LAN

install vlc from updates_testing

The following 12 packages are going to be installed:
- libdca0-0.0.6-1.mga7.tainted.i586
- libfaad2-2.8.8-3.mga7.tainted.i586
- libvlc5-3.0.8-1.mga7.tainted.i586
- libvlccore9-3.0.8-1.mga7.tainted.i586
- vlc-3.0.8-1.mga7.tainted.i586
- vlc-plugin-common-3.0.8-1.mga7.tainted.i586
- vlc-plugin-lua-3.0.8-1.mga7.tainted.i586
- vlc-plugin-pulse-3.0.8-1.mga7.tainted.i586
- vlc-plugin-samba-3.0.8-1.mga7.tainted.i586
- vlc-plugin-theora-3.0.8-1.mga7.tainted.i586
- vlc-plugin-upnp-3.0.8-1.mga7.tainted.i586
- vlc-plugin-vdpau-3.0.8-1.mga7.tainted.i586

[root@localhost wilcal]# urpmi vlc
Package vlc-3.0.8-1.mga7.tainted.i586 is already installed

VLC works
Plays content on local computer and from a DLNA server on the LAN
Whiteboard: MGA6TOO MGA6-64-OK MGA7-64-OK => MGA6TOO MGA6-64-OK MGA7-32-OK MGA7-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
Hi,

No problem to update in Mageia 6: everything works right, every kind of media can be read.

No problem in Mageia 7, except that this doesn't solve bug 24470: VLC can't fluently read wbm files and doesn't propose the zoom slider on the left part of the window.
CC: (none) => philippedidier
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0233.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED