As per http://www.videolan.org/security/sa1203.html, VLC 2.0.3 is vulnerable to a buffer overflow in its PNG decoder. This vulnerability has been fixed in 2.0.4 and should be made available in Mageia 2.
Component: RPM Packages => Security
Hardware: i586 => All
Assignee: bugsquad => shlomif
(In reply to comment #0)
> As per http://www.videolan.org/security/sa1203.html, VLC 2.0.3 is vulnerable to
> a buffer overflow in its PNG decoder. This vulnerability has been fixed in
> 2.0.4 and should be made available in Mageia 2.

Thanks for letting me know. I submitted vlc-2.0.3-2.1 and vlc-2.0.3-2.2 for Mageia 2 to the build system, with the patch included. Please test once it is available and let me know.
Hi all, I tested the new VLC-2.0.3-2.1 from the core/updates_testing in an x86-64 Mageia 2 VM, and I was able to play an .flv fine (no audio though, due to the VM). Regards, -- Shlomi Fish
Did you read the comment from Thomas on dev-ml? Is this problem fixed?
CC: (none) => sander.lepik
(In reply to comment #3)
> Did you read the comment from Thomas on dev-ml? Is this problem fixed?

I did, yes. I'll submit the new version now with the increased subrel. However, the build system should be fixed to allow simultaneous building of core/updates_testing and tainted/updates_testing packages with identical ver+rel+subrel.

Regards,

-- Shlomi Fish
This is CVE-2012-5470. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5470 Is this ready for QA?
CC: (none) => luigiwalser
Summary: VLC 2.0.3 is vulnerable to a buffer overflow in PNG decoder => VLC 2.0.3 is vulnerable to a buffer overflow in PNG decoder (CVE-2012-5470)
(In reply to comment #5)
> This is CVE-2012-5470.
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5470
>
> Is this ready for QA?

I believe it is ready for QA from core/updates_testing and tainted/updates_testing.

Regards,

-- Shlomi Fish
Assigning to QA.

Advisory:
========================

Updated vlc packages fix security vulnerability:

libpng_plugin in VideoLAN VLC media player 2.0.3 allows remote attackers to cause a denial of service (application crash) via a crafted PNG file (CVE-2012-5470).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5470
http://www.videolan.org/security/sa1203.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
libvlc-devel-2.0.3-2.2.mga2
libvlc5-2.0.3-2.2.mga2
libvlccore5-2.0.3-2.2.mga2
svlc-2.0.3-2.2.mga2
vlc-2.0.3-2.2.mga2
vlc-plugin-aa-2.0.3-2.2.mga2
vlc-plugin-bonjour-2.0.3-2.2.mga2
vlc-plugin-common-2.0.3-2.2.mga2
vlc-plugin-dv-2.0.3-2.2.mga2
vlc-plugin-flac-2.0.3-2.2.mga2
vlc-plugin-fluidsynth-2.0.3-2.2.mga2
vlc-plugin-gme-2.0.3-2.2.mga2
vlc-plugin-gnutls-2.0.3-2.2.mga2
vlc-plugin-jack-2.0.3-2.2.mga2
vlc-plugin-kate-2.0.3-2.2.mga2
vlc-plugin-libass-2.0.3-2.2.mga2
vlc-plugin-libnotify-2.0.3-2.2.mga2
vlc-plugin-lirc-2.0.3-2.2.mga2
vlc-plugin-lua-2.0.3-2.2.mga2
vlc-plugin-mod-2.0.3-2.2.mga2
vlc-plugin-mpc-2.0.3-2.2.mga2
vlc-plugin-ncurses-2.0.3-2.2.mga2
vlc-plugin-opengl-2.0.3-2.2.mga2
vlc-plugin-projectm-2.0.3-2.2.mga2
vlc-plugin-pulse-2.0.3-2.2.mga2
vlc-plugin-schroedinger-2.0.3-2.2.mga2
vlc-plugin-sdl-2.0.3-2.2.mga2
vlc-plugin-shout-2.0.3-2.2.mga2
vlc-plugin-speex-2.0.3-2.2.mga2
vlc-plugin-theora-2.0.3-2.2.mga2
vlc-plugin-twolame-2.0.3-2.2.mga2
vlc-plugin-upnp-2.0.3-2.2.mga2
vlc-plugin-zvbi-2.0.3-2.2.mga2

from vlc-2.0.3-2.2.mga2.src.rpm
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
Severity: normal => major
Probable PoC: http://www.exploit-db.com/exploits/21889/
There are two plugins in the tainted release which can't be installed and are not mentioned here.

# urpmi vlc-plugin- -a
Packages vlc-plugin-projectm-2.0.1-1.mga2.tainted.x86_64, vlc-plugin-pulse-2.0.1-1.mga2.tainted.x86_64, vlc-plugin-theora-2.0.1-1.mga2.tainted.x86_64, vlc-plugin-common-2.0.1-1.mga2.tainted.x86_64 are already installed
Some requested packages cannot be installed:
vlc-plugin-ggi-2.0.0-1.mga2.tainted.x86_64 (due to unsatisfied vlc[== 2.0.0])
vlc-plugin-svgalib-2.0.0-1.mga2.tainted.x86_64 (due to unsatisfied vlc[== 2.0.0])

Maybe forgotten in a cauldron update prior to mga2 being released. I think they will need to be updated too.
It needn't hold up this update, although if Shlomi wants to fix it now, that's fine, but here's what happened with ggi and svgalib. Funda dropped those subpackages before Mageia 2 in a revision that just said "cleanup switches" and he forgot to Obsolete those subpackages (his most common type of mistake):

http://svnweb.mageia.org/packages/updates/2/vlc/current/SPECS/vlc.spec?r1=221926&r2=221935

In SVN we should add an Obsoletes for vlc-plugin-ggi and vlc-plugin-svgalib in the vlc-plugin-common package, and this can be fixed with the next vlc update (or this one if it's rebuilt now).
Tested for mga2 x86_64 with the PoC from Comment 8: the crafted PNG will not be opened with VLC prior to the update. Starting from the CLI:

[marc@MGA2_64 Desktop]$ vlc crafted.png
VLC media player 2.0.1 Twoflower (revision 2.0.1-0-gf432547)
[0xd2f108] main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
libpng error: not enough data
[0xd5d6a8] qt4 interface error: Unable to load extensions module
[0x7f9334001018] png image decoder error: not enough data
libpng error: not enough data
[0x7f93340045f8] image demux error: Failed to load the image

This is the same for non-updated Core and Tainted as well as updated Core and Tainted. So the updated VLC version does not open the PNG either. (Referring also to the Debian bug report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692130)
CC: (none) => marc.lattemann
Whiteboard: (none) => MGA2-64-OK
Tested for mga2 i586. Slightly different with the not-updated vlc (Core and Tainted):

[test@MGA2_32BIT Desktop]$ vlc crafted.png
VLC media player 2.0.1 Twoflower (revision 2.0.1-0-gf432547)
[0x9767920] main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
Segmentation fault

After the update, same result as in Comment 11 (Core and Tainted as well):

[test@MGA2_32BIT Desktop]$ vlc crafted.png
VLC media player 2.0.3 Twoflower (revision 2.0.2-93-g77aa89e)
[0x9815920] main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
libpng error: not enough data
[0xb4a0ccd8] png image decoder error: not enough data
libpng error: not enough data
[0xb4a01618] image demux error: Failed to load the image

Therefore validating the update. Please use Comment 7 for the advisory and srcrpm. Can someone from the sysadmin team push the packages to Core Updates and Tainted Updates respectively? Thanks.
Keywords: (none) => validated_update
CC: marc.lattemann => sysadmin-bugs
Whiteboard: MGA2-64-OK => MGA2-64-OK, MGA2-32-OK
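The "not enough data" error in the two test runs above, and the pre-update segfault on i586, are two reactions a decoder can have when a PNG's declared structure does not match the bytes actually present. The following is an added example, not VLC's, libpng's or the exploit-db PoC's code, and it makes no claim about the exact defect fixed in 2.0.4: a Python pre-check that walks the chunk list and refuses a file whose chunk length fields exceed the remaining bytes, whose CRCs do not match, or whose IDAT stream inflates to fewer bytes than the IHDR dimensions require (the condition libpng reports as "not enough data"). MAX_DIMENSION, the non-interlaced restriction and the sample files are assumptions constructed for the example; the samples are not the PoC.

```python
"""Structural PNG validator (added example; not VLC's, libpng's or the PoC's code).

Layout: 8-byte signature, then chunks of
    length (4 bytes, big-endian) | type (4 ASCII bytes) | data | CRC32(type + data)
A crafted or truncated file can lie in two places a naive decoder trusts: a chunk
length larger than the bytes that follow it, and IHDR dimensions that the IDAT
stream never fills. Both are checked here before any pixel data is interpreted.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_DIMENSION = 1 << 14                      # assumption: reject absurd sizes early
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}    # PNG colour type -> samples per pixel


class PngError(ValueError):
    """Any structural fault; the message names the check that failed."""


def iter_chunks(buf):
    """Yield (type, data) per chunk, bounds-checking every length field first."""
    if not buf.startswith(PNG_SIGNATURE):
        raise PngError("bad signature")
    pos = len(PNG_SIGNATURE)
    while pos < len(buf):
        if len(buf) - pos < 12:              # length + type + CRC at minimum
            raise PngError("truncated chunk header at offset %d" % pos)
        (length,) = struct.unpack_from(">I", buf, pos)
        ctype = buf[pos + 4:pos + 8]
        available = len(buf) - pos - 12
        if length > available:               # the check a naive reader skips
            raise PngError("chunk %s declares %d bytes but only %d remain"
                           % (ctype.decode("latin-1"), length, available))
        data = buf[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack_from(">I", buf, pos + 8 + length)
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise PngError("bad CRC on chunk %s" % ctype.decode("latin-1"))
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            return
    raise PngError("missing IEND")


def validate_png(buf):
    """Return (width, height) for a structurally consistent, non-interlaced PNG."""
    chunks = iter_chunks(buf)
    ctype, ihdr = next(chunks, (None, b""))
    if ctype != b"IHDR" or len(ihdr) != 13:
        raise PngError("first chunk is not a 13-byte IHDR")
    width, height, depth, colour, _, _, interlace = struct.unpack(">IIBBBBB", ihdr)
    if not (0 < width <= MAX_DIMENSION and 0 < height <= MAX_DIMENSION):
        raise PngError("unreasonable dimensions %dx%d" % (width, height))
    if colour not in CHANNELS or depth not in (1, 2, 4, 8, 16):
        raise PngError("unsupported colour type %d / bit depth %d" % (colour, depth))
    if interlace:
        raise PngError("interlaced images are outside this example")
    row_bytes = (width * CHANNELS[colour] * depth + 7) // 8
    expected = height * (1 + row_bytes)      # every scanline carries a filter byte
    inflater = zlib.decompressobj()
    got = 0
    try:
        for ctype, data in chunks:
            if ctype != b"IDAT":
                continue
            # cap inflation at expected+1 so an oversized stream cannot exhaust memory
            got += len(inflater.decompress(data, expected + 1 - got))
            if got > expected:
                break
        got += len(inflater.flush())
    except zlib.error as exc:
        raise PngError("corrupt IDAT zlib stream: %s" % exc)
    if got > expected:
        raise PngError("IDAT stream holds more than the %d bytes a %dx%d image needs"
                       % (expected, width, height))
    if got < expected:
        raise PngError("IDAT stream holds %d bytes but a %dx%d image needs %d (not enough data)"
                       % (got, width, height, expected))
    if not inflater.eof:
        raise PngError("IDAT zlib stream not terminated")
    return width, height


def check(buf):
    """One-line verdict, usable as a pre-filter before handing a file to a decoder."""
    try:
        return "ok %dx%d" % validate_png(buf)
    except PngError as exc:
        return "rejected: %s" % exc


def _chunk(ctype, data):
    """Assemble one well-formed chunk (only used to build the samples below)."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF))


def make_png(width, height, scanlines):
    """8-bit greyscale PNG from raw scanline bytes (filter byte + pixels per row)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanlines)) + _chunk(b"IEND", b""))


# Constructed samples for this example, not the exploit-db PoC:
GOOD_PNG = make_png(1, 1, b"\x00\x80")          # one row: filter 0, one grey pixel
TRUNCATED_PNG = GOOD_PNG[:-20]                   # cut inside IDAT: its length field now lies
SHORT_IDAT_PNG = make_png(4, 4, b"\x00\x80")     # header promises 4x4, stream holds one pixel
BAD_CRC_PNG = GOOD_PNG[:-17] + bytes([GOOD_PNG[-17] ^ 0xFF]) + GOOD_PNG[-16:]

if __name__ == "__main__":
    for name in ("GOOD_PNG", "TRUNCATED_PNG", "SHORT_IDAT_PNG", "BAD_CRC_PNG"):
        print("%-15s %s" % (name, check(globals()[name])))
```

The length check in iter_chunks is the one that matters for the overflow class: it compares the declared length with what is left in the buffer before slicing, so a field claiming gigabytes of data in a kilobyte file is rejected rather than used to size a read. The IDAT byte count check reproduces libpng's "not enough data" condition independently of the decoder, which is useful when triaging a suspect file without loading it into the player.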
Bug 8159 filed for the plugin-ggi and plugin-svgalib packages not obsoleted.
Well done Marc & thanks David.
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0333
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED