Bug 8048 - VLC 2.0.3 is vulnerable to a buffer overflow in PNG decoder (CVE-2012-5470)
: VLC 2.0.3 is vulnerable to a buffer overflow in PNG decoder (CVE-2012-5470)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: All Linux
: Normal Severity: major
: Mageia 2
Assigned To: QA Team
:
: http://www.videolan.org/security/sa12...
: MGA2-64-OK, MGA2-32-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-11-11 23:17 CET by Frédéric Buclin
Modified: 2012-11-21 20:50 CET (History)
5 users (show)

See Also:
Source RPM: vlc-2.0.3-2.mga2
CVE:
Status comment:


Attachments

Description Frédéric Buclin 2012-11-11 23:17:00 CET
As per http://www.videolan.org/security/sa1203.html, VLC 2.0.3 is vulnerable to a buffer overflow is its PNG decoder. This vulnerability has been fixed in 2.0.4 and should be made available in Mageia 2.
Comment 1 Shlomi Fish 2012-11-12 11:58:54 CET
(In reply to comment #0)
> As per http://www.videolan.org/security/sa1203.html, VLC 2.0.3 is vulnerable to
> a buffer overflow is its PNG decoder. This vulnerability has been fixed in
> 2.0.4 and should be made available in Mageia 2.

Thanks for letting me know. I submitted vlc-2.0.3-2.1 and vlc-2.0.3-2.2 for Mageia 2 to the build system, with the patch included. Please test once it is available and let me know.
Comment 2 Shlomi Fish 2012-11-12 16:53:03 CET
Hi all, I tested the new VLC-2.0.3-2.1 from the core/updates_testing in an x86-64 Mageia 2 VM, and I was able to play an .flv fine (no audio though, due to the VM).

Regards,

-- Shlomi Fish
Comment 3 Sander Lepik 2012-11-12 16:58:25 CET
Did you read the comment from Thomas on dev-ml? Is this problem fixed?
Comment 4 Shlomi Fish 2012-11-12 17:20:25 CET
(In reply to comment #3)
> Did you read the comment from Thomas on dev-ml? Is this problem fixed?

I did yes, I'll submit the new version now with the increased subrel. However, the buildsystem should be fixed to allow simultaneous building of core/updates_testing and tainted/updates_testing packages with identical ver+rel+subrel.

Regards,

-- Shlomi Fish
Comment 5 David Walser 2012-11-16 04:20:49 CET
This is CVE-2012-5470.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5470

Is this ready for QA?
Comment 6 Shlomi Fish 2012-11-19 17:15:15 CET
(In reply to comment #5)
> This is CVE-2012-5470.
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5470
> 
> Is this ready for QA?

I believe it is ready for QA from core/updates_testing and tainted/updates_testing .

Regards,

-- Shlomi Fish
Comment 7 David Walser 2012-11-19 17:24:09 CET
Assigning to QA.

Advisory:
========================

Updated vlc packages fix security vulnerability:

libpng_plugin in VideoLAN VLC media player 2.0.3 allows remote attackers
to cause a denial of service (application crash) via a crafted PNG file
(CVE-2012-5470).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5470
http://www.videolan.org/security/sa1203.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
libvlc-devel-2.0.3-2.2.mga2
libvlc5-2.0.3-2.2.mga2
libvlccore5-2.0.3-2.2.mga2
svlc-2.0.3-2.2.mga2
vlc-2.0.3-2.2.mga2
vlc-plugin-aa-2.0.3-2.2.mga2
vlc-plugin-bonjour-2.0.3-2.2.mga2
vlc-plugin-common-2.0.3-2.2.mga2
vlc-plugin-dv-2.0.3-2.2.mga2
vlc-plugin-flac-2.0.3-2.2.mga2
vlc-plugin-fluidsynth-2.0.3-2.2.mga2
vlc-plugin-gme-2.0.3-2.2.mga2
vlc-plugin-gnutls-2.0.3-2.2.mga2
vlc-plugin-jack-2.0.3-2.2.mga2
vlc-plugin-kate-2.0.3-2.2.mga2
vlc-plugin-libass-2.0.3-2.2.mga2
vlc-plugin-libnotify-2.0.3-2.2.mga2
vlc-plugin-lirc-2.0.3-2.2.mga2
vlc-plugin-lua-2.0.3-2.2.mga2
vlc-plugin-mod-2.0.3-2.2.mga2
vlc-plugin-mpc-2.0.3-2.2.mga2
vlc-plugin-ncurses-2.0.3-2.2.mga2
vlc-plugin-opengl-2.0.3-2.2.mga2
vlc-plugin-projectm-2.0.3-2.2.mga2
vlc-plugin-pulse-2.0.3-2.2.mga2
vlc-plugin-schroedinger-2.0.3-2.2.mga2
vlc-plugin-sdl-2.0.3-2.2.mga2
vlc-plugin-shout-2.0.3-2.2.mga2
vlc-plugin-speex-2.0.3-2.2.mga2
vlc-plugin-theora-2.0.3-2.2.mga2
vlc-plugin-twolame-2.0.3-2.2.mga2
vlc-plugin-upnp-2.0.3-2.2.mga2
vlc-plugin-zvbi-2.0.3-2.2.mga2

from vlc-2.0.3-2.2.mga2.src.rpm
Comment 8 claire robinson 2012-11-19 18:29:53 CET
Probably PoC: http://www.exploit-db.com/exploits/21889/
Comment 9 claire robinson 2012-11-19 19:17:43 CET
There are two plugins in tainted release which can't be installed and are not mentioned here.

# urpmi vlc-plugin- -a
Packages vlc-plugin-projectm-2.0.1-1.mga2.tainted.x86_64, vlc-plugin-pulse-2.0.1-1.mga2.tainted.x86_64, vlc-plugin-theora-2.0.1-1.mga2.tainted.x86_64, vlc-plugin-common-2.0.1-1.mga2.tainted.x86_64 are already installed
Some requested packages cannot be installed:
vlc-plugin-ggi-2.0.0-1.mga2.tainted.x86_64 (due to unsatisfied vlc[== 2.0.0])
vlc-plugin-svgalib-2.0.0-1.mga2.tainted.x86_64 (due to unsatisfied vlc[== 2.0.0])


Maybe forgotten in a cauldron update prior to mga2 being released. 
I think they will need to be updated too.
Comment 10 David Walser 2012-11-19 19:37:22 CET
It needn't hold up this update, although if Shlomi wants to fix it now, that's fine, but here's what happened wigh ggi and svgalib.

Funda dropped those subpackages before Mageia 2 in a revision that just said "cleanup switches" and he forgot to Obsolete those subpackages (his most common type of mistake):
http://svnweb.mageia.org/packages/updates/2/vlc/current/SPECS/vlc.spec?r1=221926&r2=221935

In SVN we should add an Obsoletes for vlc-plugin-ggi and vlc-plugin-svgalib in the vlc-plugin-common package, and this can be fixed with the next vlc update (or this one if it's rebuilt now).
Comment 11 Marc Lattemann 2012-11-19 20:48:54 CET
tested for mga2 x86_64 with PoC from Comment 8:

The crafted PNG will not be opened with VLC prior to update. Starting from cli:

[marc@MGA2_64 Desktop]$ vlc crafted.png 
VLC media player 2.0.1 Twoflower (revision 2.0.1-0-gf432547)
[0xd2f108] main libvlc: VLC wird mit dem Standard-Interface ausgeführt. Benutzen Sie 'cvlc', um VLC ohne Interface zu verwenden.
libpng error: not enough data
[0xd5d6a8] qt4 interface error: Unable to load extensions module
[0x7f9334001018] png image decoder error: not enough data
libpng error: not enough data
[0x7f93340045f8] image demux error: Failed to load the image

this is the same for non-updated Core and Tainted as well as updated Core and Tainted.

So updated VLC version does not open the PNG as well. (Refering also to debian bug report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692130)
Comment 12 Marc Lattemann 2012-11-19 22:01:11 CET
tested for mga2 i586 - slightly different with not-updated vlc (Core and Tainted):

[test@MGA2_32BIT Desktop]$ vlc crafted.png 
VLC media player 2.0.1 Twoflower (revision 2.0.1-0-gf432547)
[0x9767920] main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
Segmentation fault

after update same result as in Comment 11 (Core and Tainted as well):
[test@MGA2_32BIT Desktop]$ vlc crafted.png 
VLC media player 2.0.3 Twoflower (revision 2.0.2-93-g77aa89e)
[0x9815920] main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
libpng error: not enough data
[0xb4a0ccd8] png image decoder error: not enough data
libpng error: not enough data
[0xb4a01618] image demux error: Failed to load the image


therefore validate update.


Please use Comment 7 for advisory and srcrpm.

Can someone from sysadmin team can push packages to Core Updates and Tainted Updates respectively? Thanks.
Comment 13 David Walser 2012-11-19 22:41:18 CET
Bug 8159 filed for the plugin-ggi and plugin-svgalib packages not obsoleted.
Comment 14 claire robinson 2012-11-19 22:45:45 CET
Well done Marc & thanks David/
Comment 15 Thomas Backlund 2012-11-21 20:50:55 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0333

Note You need to log in before you can comment on or make changes to this bug.