A heap-based buffer overflow in the hxxx_AnnexB_to_xVC function in modules/packetizer/hxxx_nal.c in VideoLAN VLC media player before 3.0.11 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted H.264 Annex-B video (.avi for example) file. https://nvd.nist.gov/vuln/detail/CVE-2020-13428
version 3.0.11 released.
CVE: (none) => CVE-2020-13428
Assignee: bugsquad => shlomif
Summary: Security issue in vlc => vlc new security issue CVE-2020-13428
Source RPM: vlc-3.0.10-1.mga7.tainted.src.rpm => vlc-3.0.10-1.mga7.src.rpm
NEWS file: https://git.videolan.org/?p=vlc/vlc-3.0.git;a=blob;f=NEWS;h=5a61ba26cec611bbc045fb235d40eba9e0a88ccf;hb=dc0c5ced7230e5660142302c7c1aef6cc14f3564 https://www.videolan.org/developers/vlc-branch/NEWS
Debian has issued an advisory for this on June 16: https://www.debian.org/security/2020/dsa-4704
Fixed in mga7 updates_testing vlc-3.0.10-1.1.mga7
Assignee: shlomif => qa-bugs
CC: (none) => mageia
Still needs fixed in Cauldron and really should be updated to 3.0.11.
Whiteboard: (none) => MGA7TOO
Version: 7 => Cauldron
Assignee: qa-bugs => shlomif
update to 3.0.11 in mga7 ?
Yes.
new vlc available in mga7 vlc-3.0.11-1.mga7
Currently building in Cauldron, as well as mga7 tainted. If all builds succeed, it can be assigned to QA. Note that there are core and tainted builds.

Advisory:
========================

Updated vlc packages fix security vulnerability:

A heap-based buffer overflow in the hxxx_AnnexB_to_xVC function in modules/packetizer/hxxx_nal.c in VideoLAN VLC media player before 3.0.11 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted H.264 Annex-B video (.avi for example) file (CVE-2020-13428).

The vlc package has been updated to version 3.0.11, fixing this issue and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13428
https://git.videolan.org/?p=vlc/vlc-3.0.git;a=blob;f=NEWS;h=5a61ba26cec611bbc045fb235d40eba9e0a88ccf;hb=dc0c5ced7230e5660142302c7c1aef6cc14f3564
========================

Updated packages in {core,tainted}/updates_testing:
========================
vlc-3.0.11-1.mga7
libvlc5-3.0.11-1.mga7
libvlccore9-3.0.11-1.mga7
libvlc-devel-3.0.11-1.mga7
vlc-plugin-common-3.0.11-1.mga7
vlc-plugin-zvbi-3.0.11-1.mga7
vlc-plugin-kate-3.0.11-1.mga7
vlc-plugin-libass-3.0.11-1.mga7
vlc-plugin-lua-3.0.11-1.mga7
vlc-plugin-ncurses-3.0.11-1.mga7
vlc-plugin-lirc-3.0.11-1.mga7
svlc-3.0.11-1.mga7
vlc-plugin-aa-3.0.11-1.mga7
vlc-plugin-sdl-3.0.11-1.mga7
vlc-plugin-shout-3.0.11-1.mga7
vlc-plugin-opengl-3.0.11-1.mga7
vlc-plugin-vdpau-3.0.11-1.mga7
vlc-plugin-projectm-3.0.11-1.mga7
vlc-plugin-theora-3.0.11-1.mga7
vlc-plugin-twolame-3.0.11-1.mga7
vlc-plugin-fluidsynth-3.0.11-1.mga7
vlc-plugin-gme-3.0.11-1.mga7
vlc-plugin-schroedinger-3.0.11-1.mga7
vlc-plugin-speex-3.0.11-1.mga7
vlc-plugin-flac-3.0.11-1.mga7
vlc-plugin-dv-3.0.11-1.mga7
vlc-plugin-mod-3.0.11-1.mga7
vlc-plugin-mpc-3.0.11-1.mga7
vlc-plugin-sid-3.0.11-1.mga7
vlc-plugin-sndio-3.0.11-1.mga7
vlc-plugin-pulse-3.0.11-1.mga7
vlc-plugin-jack-3.0.11-1.mga7
vlc-plugin-upnp-3.0.11-1.mga7
vlc-plugin-gnutls-3.0.11-1.mga7
vlc-plugin-libnotify-3.0.11-1.mga7
vlc-plugin-chromaprint-3.0.11-1.mga7
vlc-plugin-samba-3.0.11-1.mga7

from vlc-3.0.11-1.mga7.src.rpm
It built. Advisory in Comment 9.
Whiteboard: MGA7TOO => (none)
Assignee: shlomif => qa-bugs
Version: Cauldron => 7
Installed and tested without issues. Tested on a bunch of images, music and videos. Tested local, upnp, http(s) podcasts, icecast, IP camera, rtps stream, audio capture, video capture, application capture. Tested software and vdpau playback. All worked correctly. No issues.

System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 5.6.14-desktop-2.mga7 #1 SMP Wed May 20 23:14:20 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep vlc.*3.0 | sort
lib64vlc5-3.0.11-1.mga7.tainted
lib64vlccore9-3.0.11-1.mga7.tainted
vlc-3.0.11-1.mga7.tainted
vlc-plugin-common-3.0.11-1.mga7.tainted
vlc-plugin-flac-3.0.11-1.mga7.tainted
vlc-plugin-gnutls-3.0.11-1.mga7.tainted
vlc-plugin-libass-3.0.11-1.mga7.tainted
vlc-plugin-lua-3.0.11-1.mga7.tainted
vlc-plugin-projectm-3.0.11-1.mga7.tainted
vlc-plugin-pulse-3.0.11-1.mga7.tainted
vlc-plugin-samba-3.0.11-1.mga7.tainted
vlc-plugin-speex-3.0.11-1.mga7.tainted
vlc-plugin-theora-3.0.11-1.mga7.tainted
vlc-plugin-upnp-3.0.11-1.mga7.tainted
vlc-plugin-vdpau-3.0.11-1.mga7.tainted
CC: (none) => mageia
Tested the 64-bit non-tainted version on some videos from various digital cameras, some mp4, some avi.

The following 9 packages are going to be installed:
- lib64vlc5-3.0.11-1.mga7.x86_64
- lib64vlccore9-3.0.11-1.mga7.x86_64
- vlc-3.0.11-1.mga7.x86_64
- vlc-plugin-common-3.0.11-1.mga7.x86_64
- vlc-plugin-flac-3.0.11-1.mga7.x86_64
- vlc-plugin-pulse-3.0.11-1.mga7.x86_64
- vlc-plugin-speex-3.0.11-1.mga7.x86_64
- vlc-plugin-theora-3.0.11-1.mga7.x86_64
- vlc-plugin-vdpau-3.0.11-1.mga7.x86_64

No installation issues, and the videos played just fine. I'm actually surprised. I thought I had upgraded to the tainted version on this install long ago, but I guess not. Since both tainted and non-tainted are working, I'm giving this an OK, and validating. Advisory in Comment 9.
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0272.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Hi,

The applet announced vlc updates and I authorized without looking too closely, a testament to a long history of the fine work of Mageia devels! However, my tainted versions were removed, e.g.

[rolf@x570i extensions]$ sudo journalctl | grep vlc | grep erase | head -n 3
Jul 04 17:09:05 x570i [RPM][11857]: erase vlc-plugin-speex-3.0.10-1.mga7.tainted.x86_64: success
Jul 04 17:09:05 x570i [RPM][11857]: erase vlc-plugin-flac-3.0.10-1.mga7.tainted.x86_64: success
Jul 04 17:09:05 x570i [RPM][11857]: erase vlc-plugin-samba-3.0.10-1.mga7.tainted.x86_64: success

[rolf@x570i extensions]$ sudo journalctl | grep vlc | tail -n 3
Jul 04 17:09:13 x570i [RPM][11857]: install vlc-plugin-common-3.0.11-1.mga7.x86_64: success
Jul 04 17:09:13 x570i [RPM][11857]: install vlc-plugin-flac-3.0.11-1.mga7.x86_64: success
Jul 04 17:09:13 x570i [RPM][11857]: install vlc-plugin-speex-3.0.11-1.mga7.x86_64: success

[rolf@x570i extensions]$ urpmq --sources vlc
http://mirrors.kernel.org/mageia/distrib/7/x86_64/media/core/release/vlc-3.0.7.1-1.mga7.x86_64.rpm
http://mirrors.kernel.org/mageia/distrib/7/x86_64/media/core/updates/vlc-3.0.8-1.mga7.x86_64.rpm
http://mirrors.kernel.org/mageia/distrib/7/x86_64/media/core/updates/vlc-3.0.10-1.mga7.x86_64.rpm
http://mirrors.kernel.org/mageia/distrib/7/x86_64/media/core/updates/vlc-3.0.11-1.mga7.x86_64.rpm
http://mirrors.kernel.org/mageia/distrib/7/x86_64/media/tainted/release/vlc-3.0.7.1-1.mga7.tainted.x86_64.rpm
http://mirrors.kernel.org/mageia/distrib/7/x86_64/media/tainted/updates/vlc-3.0.8-1.mga7.tainted.x86_64.rpm
http://mirrors.kernel.org/mageia/distrib/7/x86_64/media/tainted/updates/vlc-3.0.10-1.mga7.tainted.x86_64.rpm

I see the advisory page does not mention tainted, where up-bug it is. Was this pushed too soon? I haven't noticed this sort of thing happening before.

Thanks.
CC: (none) => rolfpedersen
bug 26897 created for getting the tainted versions pushed, that should have been included in this bug as per comment 9
CC: (none) => davidwhodgins
it was missing tainted on the src.rpm list. I will move it manually then.
done
In the future, make sure you add tainted in the SVN advisory.