As Mageia 1 contained the vlc-plugin-ggi and vlc-plugin-svgalib subpackages from the vlc SRPM, and they were dropped before Mageia 2, those subpackages should have been obsoleted (probably in vlc-plugin-common would have been best). See https://bugs.mageia.org/show_bug.cgi?id=8048#c10 for more.
Fixed packages uploaded for Mageia 2 and Cauldron.

Advisory
--------
This update removes the vlc-plugin-ggi and vlc-plugin-svgalib packages from Mageia 1 that no longer exist in Mageia 2.

Updated RPMs:
vlc-2.0.3-2.3.mga2
libvlc5-2.0.3-2.3.mga2
libvlccore5-2.0.3-2.3.mga2
libvlc-devel-2.0.3-2.3.mga2
vlc-plugin-common-2.0.3-2.3.mga2
vlc-plugin-zvbi-2.0.3-2.3.mga2
vlc-plugin-kate-2.0.3-2.3.mga2
vlc-plugin-libass-2.0.3-2.3.mga2
vlc-plugin-lua-2.0.3-2.3.mga2
vlc-plugin-ncurses-2.0.3-2.3.mga2
vlc-plugin-lirc-2.0.3-2.3.mga2
svlc-2.0.3-2.3.mga2
vlc-plugin-aa-2.0.3-2.3.mga2
vlc-plugin-sdl-2.0.3-2.3.mga2
vlc-plugin-shout-2.0.3-2.3.mga2
vlc-plugin-opengl-2.0.3-2.3.mga2
vlc-plugin-projectm-2.0.3-2.3.mga2
vlc-plugin-theora-2.0.3-2.3.mga2
vlc-plugin-twolame-2.0.3-2.3.mga2
vlc-plugin-fluidsynth-2.0.3-2.3.mga2
vlc-plugin-gme-2.0.3-2.3.mga2
vlc-plugin-schroedinger-2.0.3-2.3.mga2
vlc-plugin-speex-2.0.3-2.3.mga2
vlc-plugin-flac-2.0.3-2.3.mga2
vlc-plugin-dv-2.0.3-2.3.mga2
vlc-plugin-mod-2.0.3-2.3.mga2
vlc-plugin-mpc-2.0.3-2.3.mga2
vlc-plugin-pulse-2.0.3-2.3.mga2
vlc-plugin-jack-2.0.3-2.3.mga2
vlc-plugin-bonjour-2.0.3-2.3.mga2
vlc-plugin-upnp-2.0.3-2.3.mga2
vlc-plugin-gnutls-2.0.3-2.3.mga2
vlc-plugin-libnotify-2.0.3-2.3.mga2

Source RPM:
vlc-2.0.3-2.3.mga2.src.rpm
Assignee: shlomif => qa-bugs
Note that these packages exist in tainted too (thanks Funda).
I just discovered two upstream security advisories:
http://www.videolan.org/security/sa1301.html
http://www.videolan.org/security/sa1302.html

The second one gives a direct link to the git commit that fixed it:
http://git.videolan.org/?p=vlc.git;a=commit;h=b31ce523331aa3a6e620b68cdfe3f161d519631e

The first one just says they were on November 17, which sounds like these 3:
http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=74ff87cc141bc1b88a38ee90f95b3d935c938a56
http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=e5075a80e1000eca63076c8a657262feb2579e02
http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=8e8b02ff1720eb46dabe2864e79d47b40a2792d5

So those are the patches I added (had to rediff the last one).

SA-1301 didn't affect Cauldron as we have 2.0.5 there (fixed in 2.0.4). SA-1302 did affect Cauldron, as it was fixed after 2.0.5. SA-1301 and SA-1302 both affect Mageia 2.

Patched packages uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated vlc packages fix security vulnerabilities:

VLC media player 2.0.4 and earlier are vulnerable to buffer overflows in the freetype renderer and HTML subtitle parser. When parsing a specially crafted file, a buffer overflow might occur. If successful, a malicious third party could trigger an invalid memory access, leading to a crash of VLC or arbitrary code execution (VideoLAN-SA-1301).

VLC media player 2.0.5 and earlier are vulnerable to a buffer overflow in the ASF demuxer. When parsing a specially crafted ASF movie, a buffer overflow might occur. If successful, a malicious third party could trigger an invalid memory access, leading to a crash of VLC media player's process. In some cases attackers might exploit this issue to execute arbitrary code within the context of the application but this information is not confirmed (VideoLAN-SA-1302).

Additionally, this update removes the vlc-plugin-ggi and vlc-plugin-svgalib packages from Mageia 1 that no longer exist in Mageia 2.
References:
http://www.videolan.org/security/sa1301.html
http://www.videolan.org/security/sa1302.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
vlc-2.0.3-2.4.mga2
libvlc5-2.0.3-2.4.mga2
libvlccore5-2.0.3-2.4.mga2
libvlc-devel-2.0.3-2.4.mga2
vlc-plugin-common-2.0.3-2.4.mga2
vlc-plugin-zvbi-2.0.3-2.4.mga2
vlc-plugin-kate-2.0.3-2.4.mga2
vlc-plugin-libass-2.0.3-2.4.mga2
vlc-plugin-lua-2.0.3-2.4.mga2
vlc-plugin-ncurses-2.0.3-2.4.mga2
vlc-plugin-lirc-2.0.3-2.4.mga2
svlc-2.0.3-2.4.mga2
vlc-plugin-aa-2.0.3-2.4.mga2
vlc-plugin-sdl-2.0.3-2.4.mga2
vlc-plugin-shout-2.0.3-2.4.mga2
vlc-plugin-opengl-2.0.3-2.4.mga2
vlc-plugin-projectm-2.0.3-2.4.mga2
vlc-plugin-theora-2.0.3-2.4.mga2
vlc-plugin-twolame-2.0.3-2.4.mga2
vlc-plugin-fluidsynth-2.0.3-2.4.mga2
vlc-plugin-gme-2.0.3-2.4.mga2
vlc-plugin-schroedinger-2.0.3-2.4.mga2
vlc-plugin-speex-2.0.3-2.4.mga2
vlc-plugin-flac-2.0.3-2.4.mga2
vlc-plugin-dv-2.0.3-2.4.mga2
vlc-plugin-mod-2.0.3-2.4.mga2
vlc-plugin-mpc-2.0.3-2.4.mga2
vlc-plugin-pulse-2.0.3-2.4.mga2
vlc-plugin-jack-2.0.3-2.4.mga2
vlc-plugin-bonjour-2.0.3-2.4.mga2
vlc-plugin-upnp-2.0.3-2.4.mga2
vlc-plugin-gnutls-2.0.3-2.4.mga2
vlc-plugin-libnotify-2.0.3-2.4.mga2

from vlc-2.0.3-2.4.mga2.src.rpm
CC: (none) => shlomif
Component: RPM Packages => Security
Summary: vlc should obsolete dropped plugin-ggi and plugin-svgalib subpackages => vlc new security issues (buffer overflows) fixed upstream (SA-1301 and SA-1302)
ASF PoC: https://trac.videolan.org/vlc/ticket/8024
Other PoC: https://trac.videolan.org/vlc/ticket/7860
It's actually two separate srpms, just mentioning so we don't forget to push the tainted one.

vlc-2.0.3-2.4.mga2.src.rpm
vlc-2.0.3-2.4.mga2.tainted.src.rpm

Testing complete mga2 64

Before
------
$ vlc buggy.asf
VLC media player 2.0.3 Twoflower (revision 2.0.2-93-g77aa89e)
[0x766178] dbus interface: listening on dbus as: org.mpris.MediaPlayer2.vlc
[0x698108] main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
[0x9b6528] qt4 interface error: Unable to load extensions module
Segmentation fault (core dumped)

$ vlc POC.swf
lots of errors and vlc window flickers, time remaining is obviously wrong etc.

After
-----
buggy.asf segfault is cured.

POC.swf appears the same but reading a bit I think it is probably not as simple as this. No crash at least.

Repeated with vlc from tainted updates testing with similar results.
Whiteboard: (none) => has_procedure mga2-64-ok
Testing complete mga2 32 also

Validating

Advisory:
========================

Updated vlc packages fix security vulnerabilities:

VLC media player 2.0.4 and earlier are vulnerable to buffer overflows in the freetype renderer and HTML subtitle parser. When parsing a specially crafted file, a buffer overflow might occur. If successful, a malicious third party could trigger an invalid memory access, leading to a crash of VLC or arbitrary code execution (VideoLAN-SA-1301).

VLC media player 2.0.5 and earlier are vulnerable to a buffer overflow in the ASF demuxer. When parsing a specially crafted ASF movie, a buffer overflow might occur. If successful, a malicious third party could trigger an invalid memory access, leading to a crash of VLC media player's process. In some cases attackers might exploit this issue to execute arbitrary code within the context of the application but this information is not confirmed (VideoLAN-SA-1302).

Additionally, this update removes the vlc-plugin-ggi and vlc-plugin-svgalib packages from Mageia 1 that no longer exist in Mageia 2.

References:
http://www.videolan.org/security/sa1301.html
http://www.videolan.org/security/sa1302.html
========================

SRPMs
vlc-2.0.3-2.4.mga2.src.rpm
vlc-2.0.3-2.4.mga2.tainted.src.rpm

Depchecked core release to tainted updates testing - ok

Could sysadmin please push from core & tainted updates_testing to updates

Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok mga2-32-ok
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0022
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED