Bug 26809 - vlc new security issue CVE-2020-13428
Summary: vlc new security issue CVE-2020-13428
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-06-17 23:57 CEST by Marc Krämer
Modified: 2020-07-05 15:27 CEST

See Also:
Source RPM: vlc-3.0.10-1.mga7.src.rpm
CVE: CVE-2020-13428
Status comment:


Description Marc Krämer 2020-06-17 23:57:58 CEST
A heap-based buffer overflow in the hxxx_AnnexB_to_xVC function in modules/packetizer/hxxx_nal.c in VideoLAN VLC media player before 3.0.11 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted H.264 Annex-B video (.avi for example) file.

https://nvd.nist.gov/vuln/detail/CVE-2020-13428
Comment 1 Marc Krämer 2020-06-17 23:58:56 CEST
version 3.0.11 released.
Marc Krämer 2020-06-17 23:59:12 CEST

CVE: (none) => CVE-2020-13428

David Walser 2020-06-18 02:17:46 CEST

Assignee: bugsquad => shlomif
Summary: Security issue in vlc => vlc new security issue CVE-2020-13428
Source RPM: vlc-3.0.10-1.mga7.tainted.src.rpm => vlc-3.0.10-1.mga7.src.rpm

Comment 3 David Walser 2020-06-18 17:55:40 CEST
Debian has issued an advisory for this on June 16:
https://www.debian.org/security/2020/dsa-4704
Comment 4 Nicolas Lécureuil 2020-06-21 11:58:47 CEST
Fixed in mga7 updates_testing vlc-3.0.10-1.1.mga7

Assignee: shlomif => qa-bugs
CC: (none) => mageia

Comment 5 David Walser 2020-06-21 14:47:34 CEST
Still needs fixed in Cauldron and really should be updated to 3.0.11.

Whiteboard: (none) => MGA7TOO
Version: 7 => Cauldron
Assignee: qa-bugs => shlomif

Comment 6 Nicolas Lécureuil 2020-06-21 17:15:29 CEST
Update to 3.0.11 in mga7?
Comment 7 David Walser 2020-06-21 18:24:56 CEST
Yes.
Comment 8 Nicolas Lécureuil 2020-06-22 00:44:37 CEST
New vlc available in mga7

vlc-3.0.11-1.mga7
Comment 9 David Walser 2020-06-22 01:48:09 CEST
Currently building in Cauldron, as well as mga7 tainted.  If all builds succeed, it can be assigned to QA.  Note that there are core and tainted builds.

Advisory:
========================

Updated vlc packages fix security vulnerability:

A heap-based buffer overflow in the hxxx_AnnexB_to_xVC function in
modules/packetizer/hxxx_nal.c in VideoLAN VLC media player before 3.0.11 allows
remote attackers to cause a denial of service (application crash) or execute
arbitrary code via a crafted H.264 Annex-B video (.avi for example) file
(CVE-2020-13428).

The vlc package has been updated to version 3.0.11, fixing this issue and
other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13428
https://git.videolan.org/?p=vlc/vlc-3.0.git;a=blob;f=NEWS;h=5a61ba26cec611bbc045fb235d40eba9e0a88ccf;hb=dc0c5ced7230e5660142302c7c1aef6cc14f3564
========================

Updated packages in {core,tainted}/updates_testing:
========================
vlc-3.0.11-1.mga7
libvlc5-3.0.11-1.mga7
libvlccore9-3.0.11-1.mga7
libvlc-devel-3.0.11-1.mga7
vlc-plugin-common-3.0.11-1.mga7
vlc-plugin-zvbi-3.0.11-1.mga7
vlc-plugin-kate-3.0.11-1.mga7
vlc-plugin-libass-3.0.11-1.mga7
vlc-plugin-lua-3.0.11-1.mga7
vlc-plugin-ncurses-3.0.11-1.mga7
vlc-plugin-lirc-3.0.11-1.mga7
svlc-3.0.11-1.mga7
vlc-plugin-aa-3.0.11-1.mga7
vlc-plugin-sdl-3.0.11-1.mga7
vlc-plugin-shout-3.0.11-1.mga7
vlc-plugin-opengl-3.0.11-1.mga7
vlc-plugin-vdpau-3.0.11-1.mga7
vlc-plugin-projectm-3.0.11-1.mga7
vlc-plugin-theora-3.0.11-1.mga7
vlc-plugin-twolame-3.0.11-1.mga7
vlc-plugin-fluidsynth-3.0.11-1.mga7
vlc-plugin-gme-3.0.11-1.mga7
vlc-plugin-schroedinger-3.0.11-1.mga7
vlc-plugin-speex-3.0.11-1.mga7
vlc-plugin-flac-3.0.11-1.mga7
vlc-plugin-dv-3.0.11-1.mga7
vlc-plugin-mod-3.0.11-1.mga7
vlc-plugin-mpc-3.0.11-1.mga7
vlc-plugin-sid-3.0.11-1.mga7
vlc-plugin-sndio-3.0.11-1.mga7
vlc-plugin-pulse-3.0.11-1.mga7
vlc-plugin-jack-3.0.11-1.mga7
vlc-plugin-upnp-3.0.11-1.mga7
vlc-plugin-gnutls-3.0.11-1.mga7
vlc-plugin-libnotify-3.0.11-1.mga7
vlc-plugin-chromaprint-3.0.11-1.mga7
vlc-plugin-samba-3.0.11-1.mga7

from vlc-3.0.11-1.mga7.src.rpm
Comment 10 David Walser 2020-06-22 02:33:28 CEST
It built.  Advisory in Comment 9.

Whiteboard: MGA7TOO => (none)
Assignee: shlomif => qa-bugs
Version: Cauldron => 7

Comment 11 PC LX 2020-06-22 12:10:44 CEST
Installed and tested without issues.


Tested on a bunch of images, music and videos.
Tested local, upnp, http(s) podcasts, icecast, IP camera, rtps stream, audio capture, video capture, application capture.
Tested software and vdpau playback.
All worked correctly. No issues.


System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.


$ uname -a
Linux marte 5.6.14-desktop-2.mga7 #1 SMP Wed May 20 23:14:20 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep vlc.*3.0 | sort
lib64vlc5-3.0.11-1.mga7.tainted
lib64vlccore9-3.0.11-1.mga7.tainted
vlc-3.0.11-1.mga7.tainted
vlc-plugin-common-3.0.11-1.mga7.tainted
vlc-plugin-flac-3.0.11-1.mga7.tainted
vlc-plugin-gnutls-3.0.11-1.mga7.tainted
vlc-plugin-libass-3.0.11-1.mga7.tainted
vlc-plugin-lua-3.0.11-1.mga7.tainted
vlc-plugin-projectm-3.0.11-1.mga7.tainted
vlc-plugin-pulse-3.0.11-1.mga7.tainted
vlc-plugin-samba-3.0.11-1.mga7.tainted
vlc-plugin-speex-3.0.11-1.mga7.tainted
vlc-plugin-theora-3.0.11-1.mga7.tainted
vlc-plugin-upnp-3.0.11-1.mga7.tainted
vlc-plugin-vdpau-3.0.11-1.mga7.tainted

CC: (none) => mageia

Comment 12 Thomas Andrews 2020-06-23 22:27:46 CEST
Tested the 64-bit non-tainted version on some videos from various digital cameras, some mp4, some avi.

The following 9 packages are going to be installed:

- lib64vlc5-3.0.11-1.mga7.x86_64
- lib64vlccore9-3.0.11-1.mga7.x86_64
- vlc-3.0.11-1.mga7.x86_64
- vlc-plugin-common-3.0.11-1.mga7.x86_64
- vlc-plugin-flac-3.0.11-1.mga7.x86_64
- vlc-plugin-pulse-3.0.11-1.mga7.x86_64
- vlc-plugin-speex-3.0.11-1.mga7.x86_64
- vlc-plugin-theora-3.0.11-1.mga7.x86_64
- vlc-plugin-vdpau-3.0.11-1.mga7.x86_64

No installation issues, and the videos played just fine. 

I'm actually surprised. I thought I had upgraded to the tainted version on this install long ago, but I guess not. Since both tainted and non-tainted are working, I'm giving this an OK, and validating. Advisory in Comment 9.

Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Nicolas Lécureuil 2020-07-05 00:01:14 CEST

Keywords: (none) => advisory

Comment 13 Mageia Robot 2020-07-05 00:48:37 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0272.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 14 Rolf Pedersen 2020-07-05 02:40:57 CEST
Hi,
The applet announced vlc updates and I authorized without looking too closely, a testament to a long history of the fine work of Mageia devels!

However, my tainted versions were removed, e.g.

[rolf@x570i extensions]$ sudo journalctl | grep vlc | grep erase | head -n 3
Jul 04 17:09:05 x570i [RPM][11857]: erase vlc-plugin-speex-3.0.10-1.mga7.tainted.x86_64: success
Jul 04 17:09:05 x570i [RPM][11857]: erase vlc-plugin-flac-3.0.10-1.mga7.tainted.x86_64: success
Jul 04 17:09:05 x570i [RPM][11857]: erase vlc-plugin-samba-3.0.10-1.mga7.tainted.x86_64: success

[rolf@x570i extensions]$ sudo journalctl | grep vlc | tail -n 3
Jul 04 17:09:13 x570i [RPM][11857]: install vlc-plugin-common-3.0.11-1.mga7.x86_64: success
Jul 04 17:09:13 x570i [RPM][11857]: install vlc-plugin-flac-3.0.11-1.mga7.x86_64: success
Jul 04 17:09:13 x570i [RPM][11857]: install vlc-plugin-speex-3.0.11-1.mga7.x86_64: success

[rolf@x570i extensions]$ urpmq --sources vlc
http://mirrors.kernel.org/mageia/distrib/7/x86_64/media/core/release/vlc-3.0.7.1-1.mga7.x86_64.rpm
http://mirrors.kernel.org/mageia/distrib/7/x86_64/media/core/updates/vlc-3.0.8-1.mga7.x86_64.rpm
http://mirrors.kernel.org/mageia/distrib/7/x86_64/media/core/updates/vlc-3.0.10-1.mga7.x86_64.rpm
http://mirrors.kernel.org/mageia/distrib/7/x86_64/media/core/updates/vlc-3.0.11-1.mga7.x86_64.rpm
http://mirrors.kernel.org/mageia/distrib/7/x86_64/media/tainted/release/vlc-3.0.7.1-1.mga7.tainted.x86_64.rpm
http://mirrors.kernel.org/mageia/distrib/7/x86_64/media/tainted/updates/vlc-3.0.8-1.mga7.tainted.x86_64.rpm
http://mirrors.kernel.org/mageia/distrib/7/x86_64/media/tainted/updates/vlc-3.0.10-1.mga7.tainted.x86_64.rpm

I see the advisory page does not mention tainted, where up-bug it is.  Was this pushed too soon?  I haven't noticed this sort of thing happening before.

Thanks.

CC: (none) => rolfpedersen
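
A check for the situation reported in Comment 14, as an added example that is not part of the original bug thread: it reads `[RPM]` journal lines in the format shown there and lists packages whose tainted build was erased while a core (non-tainted) build was installed. The function names `sample_journal` and `tainted_swaps` are hypothetical, and the sample lines (hostname `host`) are constructed from that format.

```shell
#!/bin/sh
# Constructed sample in the "[RPM]" journal format seen in Comment 14
# (hostname "host" is a placeholder).
sample_journal() {
cat <<'EOF'
Jul 04 17:09:05 host [RPM][11857]: erase vlc-plugin-speex-3.0.10-1.mga7.tainted.x86_64: success
Jul 04 17:09:05 host [RPM][11857]: erase vlc-plugin-flac-3.0.10-1.mga7.tainted.x86_64: success
Jul 04 17:09:05 host [RPM][11857]: erase vlc-plugin-samba-3.0.10-1.mga7.tainted.x86_64: success
Jul 04 17:09:13 host [RPM][11857]: install vlc-plugin-common-3.0.11-1.mga7.x86_64: success
Jul 04 17:09:13 host [RPM][11857]: install vlc-plugin-flac-3.0.11-1.mga7.x86_64: success
Jul 04 17:09:13 host [RPM][11857]: install vlc-plugin-speex-3.0.11-1.mga7.x86_64: success
EOF
}

# Hypothetical helper: read journal lines on stdin and print one line per
# package that lost its tainted build to a core build:
#   <name> <erased tainted version-release> -> <installed core version-release>
tainted_swaps() {
    awk '
    {
        # Find the action and package that follow the "[RPM][pid]:" tag.
        act = ""; nevra = ""
        for (i = 1; i + 2 <= NF; i++)
            if ($i ~ /^\[RPM\]\[[0-9]+\]:$/) { act = $(i + 1); nevra = $(i + 2); break }
        if ((act != "erase" && act != "install") || $NF != "success") next
        sub(/:$/, "", nevra)            # trailing colon after the package
        sub(/\.[^.]+$/, "", nevra)      # drop the .arch suffix
        # name-version-release: the last two dash-separated parts are
        # version and release, everything before them is the name.
        n = split(nevra, p, "-")
        if (n < 3) next
        name = p[1]
        for (j = 2; j <= n - 2; j++) name = name "-" p[j]
        verrel = p[n - 1] "-" p[n]
        tainted = (p[n] ~ /\.tainted$/)
        if (act == "erase" && tainted) erased[name] = verrel
        if (act == "install" && !tainted && !(name in core)) { core[name] = verrel; order[++k] = name }
    }
    END {
        # Report in the order the core builds were installed.
        for (j = 1; j <= k; j++)
            if (order[j] in erased) print order[j], erased[order[j]], "->", core[order[j]]
    }'
}

sample_journal | tainted_swaps
```

On a live system the input would come from the same source Comment 14 used, for example `sudo journalctl | grep vlc | tainted_swaps`.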

Comment 15 Dave Hodgins 2020-07-05 03:34:35 CEST
Bug 26897 created for getting the tainted versions pushed, which should have
been included in this bug as per comment 9.

CC: (none) => davidwhodgins

Comment 16 Nicolas Lécureuil 2020-07-05 09:27:06 CEST
It was missing tainted on the src.rpm list.

I will move it manually then.
Comment 17 Nicolas Lécureuil 2020-07-05 09:31:22 CEST
done
Comment 18 David Walser 2020-07-05 15:27:39 CEST
In the future, make sure you add tainted in the SVN advisory.
