Bug 8159 - vlc new security issues (buffer overflows) fixed upstream (SA-1301 and SA-1302)
: vlc new security issues (buffer overflows) fixed upstream (SA-1301 and SA-1302)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
:
: has_procedure mga2-64-ok mga2-32-ok
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-11-19 22:40 CET by David Walser
Modified: 2013-02-06 22:38 CET (History)
3 users (show)

See Also:
Source RPM: vlc-2.0.3-2.2.mga2.src.rpm
CVE:


Attachments

Description David Walser 2012-11-19 22:40:48 CET
As Mageia 1 contained the vlc-plugin-ggi and vlc-plugin-svgalib subpackages from the vlc SRPM, and they were dropped before Mageia 2, those subpackages should have been obsoleted (probably in vlc-plugin-common would have been best).

See https://bugs.mageia.org/show_bug.cgi?id=8048#c10 for more.
Comment 1 David Walser 2013-01-30 01:14:30 CET
Fixed packages uploaded for Mageia 2 and Cauldron.

Advisory
--------

This update removes the vlc-plugin-ggi and vlc-plugin-svgalib packages from
Mageia 1 that no longer exist in Mageia 2.

Updated RPMs:
vlc-2.0.3-2.3.mga2
libvlc5-2.0.3-2.3.mga2
libvlccore5-2.0.3-2.3.mga2
libvlc-devel-2.0.3-2.3.mga2
vlc-plugin-common-2.0.3-2.3.mga2
vlc-plugin-zvbi-2.0.3-2.3.mga2
vlc-plugin-kate-2.0.3-2.3.mga2
vlc-plugin-libass-2.0.3-2.3.mga2
vlc-plugin-lua-2.0.3-2.3.mga2
vlc-plugin-ncurses-2.0.3-2.3.mga2
vlc-plugin-lirc-2.0.3-2.3.mga2
svlc-2.0.3-2.3.mga2
vlc-plugin-aa-2.0.3-2.3.mga2
vlc-plugin-sdl-2.0.3-2.3.mga2
vlc-plugin-shout-2.0.3-2.3.mga2
vlc-plugin-opengl-2.0.3-2.3.mga2
vlc-plugin-projectm-2.0.3-2.3.mga2
vlc-plugin-theora-2.0.3-2.3.mga2
vlc-plugin-twolame-2.0.3-2.3.mga2
vlc-plugin-fluidsynth-2.0.3-2.3.mga2
vlc-plugin-gme-2.0.3-2.3.mga2
vlc-plugin-schroedinger-2.0.3-2.3.mga2
vlc-plugin-speex-2.0.3-2.3.mga2
vlc-plugin-flac-2.0.3-2.3.mga2
vlc-plugin-dv-2.0.3-2.3.mga2
vlc-plugin-mod-2.0.3-2.3.mga2
vlc-plugin-mpc-2.0.3-2.3.mga2
vlc-plugin-pulse-2.0.3-2.3.mga2
vlc-plugin-jack-2.0.3-2.3.mga2
vlc-plugin-bonjour-2.0.3-2.3.mga2
vlc-plugin-upnp-2.0.3-2.3.mga2
vlc-plugin-gnutls-2.0.3-2.3.mga2
vlc-plugin-libnotify-2.0.3-2.3.mga2

Source RPM:
vlc-2.0.3-2.3.mga2.src.rpm
Comment 2 David Walser 2013-01-30 02:17:33 CET
Note that these packages exist in tainted too (thanks Funda).
Comment 3 David Walser 2013-02-01 02:12:29 CET
I just discovered two upstream security advisories:
http://www.videolan.org/security/sa1301.html
http://www.videolan.org/security/sa1302.html

The second one gives a direct link to the git commit that fixed it:
http://git.videolan.org/?p=vlc.git;a=commit;h=b31ce523331aa3a6e620b68cdfe3f161d519631e

The first one just says they were on November 17, which sounds like these 3:
http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=74ff87cc141bc1b88a38ee90f95b3d935c938a56
http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=e5075a80e1000eca63076c8a657262feb2579e02
http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=8e8b02ff1720eb46dabe2864e79d47b40a2792d5

So those are the patches I added (had to rediff the last one).

SA-1301 didn't affect Cauldron as we have 2.0.5 there (fixed in 2.0.4).

SA-1302 did affect Cauldron, as it was fixed after 2.0.5.

SA-1301 and SA-1302 both affect Mageia 2.

Patched packages uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated vlc packages fix security vulnerabilities:

VLC media player 2.0.4 and earlier are vulnerable to buffer overflows in
the freetype renderer and HTML subtitle parser. When parsing a specially
crafted file, a buffer overflow might occur. If successful, a malicious third
party could trigger an invalid memory access, leading to a crash of VLC or
arbitratry code execution (VideoLAN-SA-1301).

VLC media player 2.0.5 and earlier are vulnerable to a buffer overflow in the
ASF demuxer. When parsing a specially crafted ASF movie, a buffer overflow
might occur. If successful, a malicious third party could trigger an invalid
memory access, leading to a crash of VLC media player's process. In some
cases attackers might exploit this issue to execute arbitrary code within the
context of the application but this information is not confirmed
(VideoLAN-SA-1302).

Additionally, this update removes the vlc-plugin-ggi and vlc-plugin-svgalib
packages from Mageia 1 that no longer exist in Mageia 2.

References:
http://www.videolan.org/security/sa1301.html
http://www.videolan.org/security/sa1302.html
========================

Updated packages in {core,tainted}/updates_testing:
========================
vlc-2.0.3-2.4.mga2
libvlc5-2.0.3-2.4.mga2
libvlccore5-2.0.3-2.4.mga2
libvlc-devel-2.0.3-2.4.mga2
vlc-plugin-common-2.0.3-2.4.mga2
vlc-plugin-zvbi-2.0.3-2.4.mga2
vlc-plugin-kate-2.0.3-2.4.mga2
vlc-plugin-libass-2.0.3-2.4.mga2
vlc-plugin-lua-2.0.3-2.4.mga2
vlc-plugin-ncurses-2.0.3-2.4.mga2
vlc-plugin-lirc-2.0.3-2.4.mga2
svlc-2.0.3-2.4.mga2
vlc-plugin-aa-2.0.3-2.4.mga2
vlc-plugin-sdl-2.0.3-2.4.mga2
vlc-plugin-shout-2.0.3-2.4.mga2
vlc-plugin-opengl-2.0.3-2.4.mga2
vlc-plugin-projectm-2.0.3-2.4.mga2
vlc-plugin-theora-2.0.3-2.4.mga2
vlc-plugin-twolame-2.0.3-2.4.mga2
vlc-plugin-fluidsynth-2.0.3-2.4.mga2
vlc-plugin-gme-2.0.3-2.4.mga2
vlc-plugin-schroedinger-2.0.3-2.4.mga2
vlc-plugin-speex-2.0.3-2.4.mga2
vlc-plugin-flac-2.0.3-2.4.mga2
vlc-plugin-dv-2.0.3-2.4.mga2
vlc-plugin-mod-2.0.3-2.4.mga2
vlc-plugin-mpc-2.0.3-2.4.mga2
vlc-plugin-pulse-2.0.3-2.4.mga2
vlc-plugin-jack-2.0.3-2.4.mga2
vlc-plugin-bonjour-2.0.3-2.4.mga2
vlc-plugin-upnp-2.0.3-2.4.mga2
vlc-plugin-gnutls-2.0.3-2.4.mga2
vlc-plugin-libnotify-2.0.3-2.4.mga2

from vlc-2.0.3-2.4.mga2.src.rpm
Comment 4 claire robinson 2013-02-03 16:41:57 CET
ASF PoC: https://trac.videolan.org/vlc/ticket/8024
Other PoC: https://trac.videolan.org/vlc/ticket/7860
Comment 5 claire robinson 2013-02-05 11:37:04 CET
It's actually two separate srpms, just mentioning so we don't forget to push the tainted one.
vlc-2.0.3-2.4.mga2.src.rpm
vlc-2.0.3-2.4.mga2.tainted.src.rpm


Testing complete mga2 64

Before
------
$ vlc buggy.asf
VLC media player 2.0.3 Twoflower (revision 2.0.2-93-g77aa89e)
[0x766178] dbus interface: listening on dbus as: org.mpris.MediaPlayer2.vlc
[0x698108] main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
[0x9b6528] qt4 interface error: Unable to load extensions module
Segmentation fault (core dumped)

$ vlc POC.swf

lots of errors and vlc window flickers, time remaining is obviously wrong etc.

After
-----
buggy.asf segfault is cured.

POC.swf appears the same but reading a bit I think it is probably not as simple as this. No crash at least.


Repeated with vlc from tainted updates testing with similar results.
Comment 6 claire robinson 2013-02-05 13:17:07 CET
Testing complete mga2 32 also

Validating

Advisory:
========================

Updated vlc packages fix security vulnerabilities:

VLC media player 2.0.4 and earlier are vulnerable to buffer overflows in
the freetype renderer and HTML subtitle parser. When parsing a specially
crafted file, a buffer overflow might occur. If successful, a malicious third
party could trigger an invalid memory access, leading to a crash of VLC or
arbitratry code execution (VideoLAN-SA-1301).

VLC media player 2.0.5 and earlier are vulnerable to a buffer overflow in the
ASF demuxer. When parsing a specially crafted ASF movie, a buffer overflow
might occur. If successful, a malicious third party could trigger an invalid
memory access, leading to a crash of VLC media player's process. In some
cases attackers might exploit this issue to execute arbitrary code within the
context of the application but this information is not confirmed
(VideoLAN-SA-1302).

Additionally, this update removes the vlc-plugin-ggi and vlc-plugin-svgalib
packages from Mageia 1 that no longer exist in Mageia 2.

References:
http://www.videolan.org/security/sa1301.html
http://www.videolan.org/security/sa1302.html
========================

SRPMs
vlc-2.0.3-2.4.mga2.src.rpm
vlc-2.0.3-2.4.mga2.tainted.src.rpm

Depchecked core release to tainted updates testing - ok

Could sysadmin please push from core & tainted updates_testing to updates

Thanks!
Comment 7 Thomas Backlund 2013-02-06 22:38:56 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0022

Note You need to log in before you can comment on or make changes to this bug.