Bug 27990 - VLC 3.0.12.1 includes security improvements in the web interface
Summary: VLC 3.0.12.1 includes security improvements in the web interface
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-12-30 20:21 CET by David Walser
Modified: 2021-08-04 20:05 CEST

See Also:
Source RPM: vlc-3.0.11.1-1.mga7.src.rpm
CVE:
Status comment:

Description David Walser 2020-12-30 20:21:30 CET
VLC 3.0.12.1 was released on December 16:
https://git.videolan.org/?p=vlc/vlc-3.0.git;a=blob;f=NEWS;h=fa96b26d27516e6ee16a1781a380f2754b2d474d;hb=170157402b9c9ee5651838499549328c6715b5fe

It lists security improvements in the web interface among the changes.

The tarball doesn't seem to be available, but alt-linux has picked up the update.
David Walser 2020-12-30 20:21:38 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-12-30 21:51:43 CET
VLC is nursed by different people, so assigning this globally.

Summary: VLC 3.0.12.1 => VLC 3.0.12.1 includes security improvements in the web interface
Source RPM: vlc-3.0.11.1-1.mga7.src.rpm => vlc-3.0.11.1-6.mga8.src.rpm, vlc-3.0.11.1-1.mga7.src.rpm
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Lécureuil 2021-01-01 22:36:35 CET
fixed in cauldron

Version: Cauldron => 7
CC: (none) => mageia
Whiteboard: MGA7TOO => (none)

Comment 3 Nicolas Lécureuil 2021-01-01 22:59:40 CET
pushed in core and tainted:
src:
    vlc-3.0.12.1-1.mga7

Assignee: pkg-bugs => qa-bugs

Comment 4 David Walser 2021-01-01 23:05:09 CET
Note that there are core and tainted builds.

Advisory:
========================

Updated vlc packages feature security improvements:

The vlc package has been updated to version 3.0.12.1, which includes security
enhancements in the web interface, as well as other fixes and enhancements.

See the upstream NEWS file for details.

References:
https://git.videolan.org/?p=vlc/vlc-3.0.git;a=blob;f=NEWS;h=fa96b26d27516e6ee16a1781a380f2754b2d474d;hb=170157402b9c9ee5651838499549328c6715b5fe
========================

Updated packages in {core,tainted}/updates_testing:
========================
vlc-3.0.12.1-1.mga7
libvlc5-3.0.12.1-1.mga7
libvlccore9-3.0.12.1-1.mga7
libvlc-devel-3.0.12.1-1.mga7
vlc-plugin-common-3.0.12.1-1.mga7
vlc-plugin-zvbi-3.0.12.1-1.mga7
vlc-plugin-kate-3.0.12.1-1.mga7
vlc-plugin-libass-3.0.12.1-1.mga7
vlc-plugin-lua-3.0.12.1-1.mga7
vlc-plugin-ncurses-3.0.12.1-1.mga7
vlc-plugin-lirc-3.0.12.1-1.mga7
svlc-3.0.12.1-1.mga7
vlc-plugin-aa-3.0.12.1-1.mga7
vlc-plugin-sdl-3.0.12.1-1.mga7
vlc-plugin-shout-3.0.12.1-1.mga7
vlc-plugin-opengl-3.0.12.1-1.mga7
vlc-plugin-vdpau-3.0.12.1-1.mga7
vlc-plugin-projectm-3.0.12.1-1.mga7
vlc-plugin-theora-3.0.12.1-1.mga7
vlc-plugin-twolame-3.0.12.1-1.mga7
vlc-plugin-fluidsynth-3.0.12.1-1.mga7
vlc-plugin-gme-3.0.12.1-1.mga7
vlc-plugin-schroedinger-3.0.12.1-1.mga7
vlc-plugin-speex-3.0.12.1-1.mga7
vlc-plugin-flac-3.0.12.1-1.mga7
vlc-plugin-dv-3.0.12.1-1.mga7
vlc-plugin-mod-3.0.12.1-1.mga7
vlc-plugin-mpc-3.0.12.1-1.mga7
vlc-plugin-sid-3.0.12.1-1.mga7
vlc-plugin-sndio-3.0.12.1-1.mga7
vlc-plugin-pulse-3.0.12.1-1.mga7
vlc-plugin-jack-3.0.12.1-1.mga7
vlc-plugin-rist-3.0.12.1-1.mga7
vlc-plugin-upnp-3.0.12.1-1.mga7
vlc-plugin-gnutls-3.0.12.1-1.mga7
vlc-plugin-libnotify-3.0.12.1-1.mga7
vlc-plugin-chromaprint-3.0.12.1-1.mga7
vlc-plugin-samba-3.0.12.1-1.mga7

from vlc-3.0.12.1-1.mga7.src.rpm

Comment 5 Len Lawrence 2021-01-02 13:40:00 CET
mga7, x86_64
Reverted to core release versions of all the packages, made a few quick checks then updated everything in the list.
Ran a series of simple checks on files with various video and audio formats.  Everything worked, including subtitles on videos where available.  Played YouTube video via network stream facility.  Home DVD recordings from TV or VCR played fine.  Commercial audio CDs OK.  Played a commercial cinema DVD.  svlc works as well - found my preferred theme.

So far so good for the free version.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2021-01-02 16:06:41 CET
Continuing from comment 5:
Removed all trace of vlc from the system then reinstalled the tainted version.
Checked that then updated all the packages from tainted and executed all the tests already carried out albeit with different files occasionally.

Tested AIFF, AVI, DIVX, FLV, MP3, MP4, MPV, MKV, TS, MOV, OGG, FLAC, WAV, WMV, WEBM.  Shockwave Flash is not accepted.

YouTube videos via network stream, hardware audio CD and DVD.  svlc for themes.

Ready for use.

Whiteboard: (none) => MGA7-64-OK

Comment 7 Thomas Andrews 2021-01-03 17:32:42 CET
Good, both core and tainted builds were tested.

Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Aurelien Oudelet 2021-01-04 14:29:02 CET

CC: (none) => ouaurelien
Source RPM: vlc-3.0.11.1-6.mga8.src.rpm, vlc-3.0.11.1-1.mga7.src.rpm => vlc-3.0.11.1-1.mga7.src.rpm
Keywords: (none) => advisory

Comment 8 Mageia Robot 2021-01-04 15:43:46 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0005.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 9 David Walser 2021-01-16 16:06:22 CET
This update also fixed CVE-2020-26664 (fixed in 3.0.12):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OD6C4CTIQTZF237437FPGD5AIRV33TET/

Comment 10 David Walser 2021-08-04 20:05:11 CEST
This update also fixed CVE-2021-2580[1-4] (fixed in 3.0.12):
https://www.debian.org/lts/security/2021/dla-2728