Bug 32487 - vlc new security issue (An out-of-bounds write was discovered in the MMS demuxer of the VLC media player)
Summary: vlc new security issue (An out-of-bounds write was discovered in the MMS demu...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK,MGA9-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-11-03 15:27 CET by Nicolas Salguero
Modified: 2024-01-14 23:25 CET (History)
5 users (show)

See Also:
Source RPM: vlc-3.0.18-5.mga9(.tainted).src.rpm
CVE: CVE-2023-47359, CVE-2023-47360
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2023-11-03 15:27:56 CET 
Debian has issued an advisory for this on November 2:
https://lwn.net/Articles/950049/

Cauldron already contains VLC 3.0.20 so it is not affected.

Mageia 8 is also affected.
Nicolas Salguero 2023-11-03 15:28:49 CET

CC: (none) => nicolas.salguero
Source RPM: (none) => vlc-3.0.18-5.mga9(.tainted).src.rpm
Whiteboard: (none) => MGA8TOO

Nicolas Salguero 2023-11-03 15:29:05 CET

Status comment: (none) => Fixed upstream in 3.0.20

Comment 1 Lewis Smith 2023-11-05 21:05:21 CET 
We already have thanks to Stig v3.0.20 in Cauldron.
It looks sensible to assign this to you for M8 & M9.

Assignee: bugsquad => smelror

Comment 2 Nicolas Salguero 2024-01-08 15:31:22 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An out-of-bounds write was discovered in the MMS demuxer of the VLC media player.

References:
https://lwn.net/Articles/950049/
========================

Updated packages in core/updates_testing:
========================
lib(64)vlc-devel-3.0.20-1.mga9
lib(64)vlc5-3.0.20-1.mga9
lib(64)vlccore9-3.0.20-1.mga9
svlc-3.0.20-1.mga9
vlc-3.0.20-1.mga9
vlc-plugin-aa-3.0.20-1.mga9
vlc-plugin-chromaprint-3.0.20-1.mga9
vlc-plugin-common-3.0.20-1.mga9
vlc-plugin-dv-3.0.20-1.mga9
vlc-plugin-flac-3.0.20-1.mga9
vlc-plugin-fluidsynth-3.0.20-1.mga9
vlc-plugin-gme-3.0.20-1.mga9
vlc-plugin-gnutls-3.0.20-1.mga9
vlc-plugin-jack-3.0.20-1.mga9
vlc-plugin-kate-3.0.20-1.mga9
vlc-plugin-libass-3.0.20-1.mga9
vlc-plugin-libnotify-3.0.20-1.mga9
vlc-plugin-lirc-3.0.20-1.mga9
vlc-plugin-lua-3.0.20-1.mga9
vlc-plugin-mod-3.0.20-1.mga9
vlc-plugin-mpc-3.0.20-1.mga9
vlc-plugin-ncurses-3.0.20-1.mga9
vlc-plugin-opengl-3.0.20-1.mga9
vlc-plugin-projectm-3.0.20-1.mga9
vlc-plugin-pulse-3.0.20-1.mga9
vlc-plugin-rist-3.0.20-1.mga9
vlc-plugin-samba-3.0.20-1.mga9
vlc-plugin-schroedinger-3.0.20-1.mga9
vlc-plugin-sdl-3.0.20-1.mga9
vlc-plugin-shout-3.0.20-1.mga9
vlc-plugin-sid-3.0.20-1.mga9
vlc-plugin-sndio-3.0.20-1.mga9
vlc-plugin-speex-3.0.20-1.mga9
vlc-plugin-theora-3.0.20-1.mga9
vlc-plugin-twolame-3.0.20-1.mga9
vlc-plugin-upnp-3.0.20-1.mga9
vlc-plugin-vdpau-3.0.20-1.mga9
vlc-plugin-zvbi-3.0.20-1.mga9

from SRPM:
vlc-3.0.20-1.mga9.src.rpm

Updated packages in tainted/updates_testing:
========================
lib(64)vlc-devel-3.0.20-1.mga9.tainted
lib(64)vlc5-3.0.20-1.mga9.tainted
lib(64)vlccore9-3.0.20-1.mga9.tainted
svlc-3.0.20-1.mga9.tainted
vlc-3.0.20-1.mga9.tainted
vlc-plugin-aa-3.0.20-1.mga9.tainted
vlc-plugin-chromaprint-3.0.20-1.mga9.tainted
vlc-plugin-common-3.0.20-1.mga9.tainted
vlc-plugin-dv-3.0.20-1.mga9.tainted
vlc-plugin-fdkaac-3.0.20-1.mga9.tainted
vlc-plugin-flac-3.0.20-1.mga9.tainted
vlc-plugin-fluidsynth-3.0.20-1.mga9.tainted
vlc-plugin-gme-3.0.20-1.mga9.tainted
vlc-plugin-gnutls-3.0.20-1.mga9.tainted
vlc-plugin-jack-3.0.20-1.mga9.tainted
vlc-plugin-kate-3.0.20-1.mga9.tainted
vlc-plugin-libass-3.0.20-1.mga9.tainted
vlc-plugin-libnotify-3.0.20-1.mga9.tainted
vlc-plugin-lirc-3.0.20-1.mga9.tainted
vlc-plugin-lua-3.0.20-1.mga9.tainted
vlc-plugin-mod-3.0.20-1.mga9.tainted
vlc-plugin-mpc-3.0.20-1.mga9.tainted
vlc-plugin-ncurses-3.0.20-1.mga9.tainted
vlc-plugin-opengl-3.0.20-1.mga9.tainted
vlc-plugin-projectm-3.0.20-1.mga9.tainted
vlc-plugin-pulse-3.0.20-1.mga9.tainted
vlc-plugin-rist-3.0.20-1.mga9.tainted
vlc-plugin-samba-3.0.20-1.mga9.tainted
vlc-plugin-schroedinger-3.0.20-1.mga9.tainted
vlc-plugin-sdl-3.0.20-1.mga9.tainted
vlc-plugin-shout-3.0.20-1.mga9.tainted
vlc-plugin-sid-3.0.20-1.mga9.tainted
vlc-plugin-sndio-3.0.20-1.mga9.tainted
vlc-plugin-speex-3.0.20-1.mga9.tainted
vlc-plugin-theora-3.0.20-1.mga9.tainted
vlc-plugin-twolame-3.0.20-1.mga9.tainted
vlc-plugin-upnp-3.0.20-1.mga9.tainted
vlc-plugin-vdpau-3.0.20-1.mga9.tainted
vlc-plugin-zvbi-3.0.20-1.mga9.tainted

from SRPM:
vlc-3.0.20-1.mga9.tainted.src.rpm

Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Assignee: smelror => qa-bugs
Status comment: Fixed upstream in 3.0.20 => (none)

PC LX 2024-01-08 16:01:50 CET

CC: (none) => mageia

Comment 3 Marja Van Waes 2024-01-08 17:37:14 CET 
(In reply to Nicolas Salguero from comment #0)
> Debian has issued an advisory for this on November 2:
> https://lwn.net/Articles/950049/

That is DSA 5545-1 which is said to be CVE-2023-47359 and CVE-2023-47360 here:
https://security-tracker.debian.org/tracker/DSA-5545-1

So addihg those to the CVE: field

CVE: (none) => CVE-2023-47359, CVE-2023-47360
CC: (none) => marja11

Comment 4 Marja Van Waes 2024-01-08 17:58:37 CET 
Advisory from comment 2 adjusted and added to SVN. 

https://svnweb.mageia.org/advisories/32487.adv?view=markup&pathrev=15494

Nicolas, if it was wrong to adjust it, then please remove the "advisory" keyword.

Also remove it, if it needs to be changed for a different reason. It helps when obsolete advisories are tagged as "obsolete"

Keywords: (none) => advisory

Comment 5 katnatek 2024-01-09 03:19:47 CET 
Tested on Real Hardware Maheia 9 x86_64

The vlc packages in my system were updated without issues
Play some videos without issues
Comment 6 PC LX 2024-01-10 13:18:02 CET 
Installed and tested tainted packages without issues.

Tested on a variety of files with no issues. No regressions noticed.


System: Mageia 9, x86_65, Plasma DE, LXQt DE, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.


$ uname -a
Linux jupiter 6.5.13-desktop-6.mga9 #1 SMP PREEMPT_DYNAMIC Sun Dec 17 22:42:25 UTC 2023 x86_64 GNU/Linux
$ rpm -qa | grep vlc | sort
lib64vlc5-3.0.20-1.mga9.tainted
lib64vlccore9-3.0.20-1.mga9.tainted
phonon4qt5-vlc-0.11.3-2.mga9
vlc-3.0.20-1.mga9.tainted
vlc-plugin-common-3.0.20-1.mga9.tainted
vlc-plugin-lua-3.0.20-1.mga9.tainted
vlc-plugin-opengl-3.0.20-1.mga9.tainted
vlc-plugin-pulse-3.0.20-1.mga9.tainted
vlc-plugin-samba-3.0.20-1.mga9.tainted
vlc-plugin-theora-3.0.20-1.mga9.tainted
vlc-plugin-upnp-3.0.20-1.mga9.tainted
vlc-plugin-vdpau-3.0.20-1.mga9.tainted
Comment 7 Herman Viaene 2024-01-12 14:46:52 CET 
MGA9-64 Plasma Wayland on HP Pavillion
First installed the regular Core  packages and tested those, then installed the tainted packages over them.
Both sets tested with sound files wav and mp3, and video files mkv, avi and mp..
No problems whatsoever.
In view of the other tests from katnatek and PC-LX, giving the OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

Comment 8 katnatek 2024-01-12 21:26:57 CET 
Tested on real hardware Mageia 9 i586 lxqt

Play a video with subtitles it complains about subtitles format
VLC no puede decodificar el formato "ssa " (SubStation Alpha subtitles)

After install vlc-libass, and try again I can see the subtitles so that was a "the chair" issue

Keywords: (none) => validated_update
Whiteboard: MGA9-64-OK => MGA9-64-OK,MGA9-32-OK
CC: (none) => sysadmin-bugs

Comment 9 katnatek 2024-01-12 21:33:28 CET 
(In reply to katnatek from comment #8)
> After install vlc-libass, and try again I can see the subtitles so that was
> a "the chair" issue

I mean vlc-plugin-libass
Comment 10 Mageia Robot 2024-01-14 23:25:49 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0007.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.