On Tuesday, 04.12.2012, 22:45 +0100, Moritz Muehlenhoff wrote:
> On Mon, Nov 26, 2012 at 12:47:51AM +0100, Julien Cristau wrote:
> > On Thu, Nov 8, 2012 at 18:44:42 +0100, Benjamin Drung wrote:
> > >
> > > Package: release.debian.org
> > > Severity: normal
> > > User: release.debian....@packages.debian.org
> > > Usertags: unblock
> > >
> > > Please unblock package vlc
> > >
> > > The 2.0.4 release is a bug-fix only release of upstream 2.0.x branch.
> > > It fixes a lot of bugs, of which only a few were reported against
> > > Debian/Ubuntu.
> > > The 2.0.4 release adds support for Opus besides the bug fixes. I enabled
> > > the sftp access and Opus codec plugin, because Opus is standardized and
> > > should be supported out-of-the-box.
> > >
> > - The diff was so big it never made it to the mailing list.
> > - A freeze is not the time to be enabling new features. Standardized or
> > not.
>
> The isolated security fix can be found here:
> http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=47d4631ac62900484fac206abdfc33a2920b07bf
Thanks for isolating the fix. I have prepared a debdiff for testing-proposed-updates (attached).

-- 
Benjamin Drung
Debian & Ubuntu Developer
diff -Nru vlc-2.0.3/debian/changelog vlc-2.0.3/debian/changelog --- vlc-2.0.3/debian/changelog 2012-10-04 21:40:56.000000000 +0200 +++ vlc-2.0.3/debian/changelog 2012-12-06 15:19:43.000000000 +0100 @@ -1,3 +1,10 @@ +vlc (2.0.3-4) testing; urgency=low + + * SECURITY UPDATE: denial of service via crafted PNG file (Closes: #692130) + - CVE-2012-5470 + + -- Benjamin Drung <bdr...@debian.org> Thu, 06 Dec 2012 15:19:37 +0100 + vlc (2.0.3-3) unstable; urgency=low * debian/vlc.postinst: Fix directory to symlink upgrade in postinst. diff -Nru vlc-2.0.3/debian/patches/CVE-2012-5470.patch vlc-2.0.3/debian/patches/CVE-2012-5470.patch --- vlc-2.0.3/debian/patches/CVE-2012-5470.patch 1970-01-01 01:00:00.000000000 +0100 +++ vlc-2.0.3/debian/patches/CVE-2012-5470.patch 2012-12-06 12:20:21.000000000 +0100 
@@ -0,0 +1,38 @@ +From 47d4631ac62900484fac206abdfc33a2920b07bf Mon Sep 17 00:00:00 2001 +From: Edward Wang <edward.c.w...@compdigitec.com> +Date: Sun, 14 Oct 2012 18:58:18 -0400 +Subject: [PATCH] png: Check length before read + +Signed-off-by: Jean-Baptiste Kempf <j...@videolan.org> +(cherry picked from commit b3b751cb99df71e3c0a18bcb38b4691cf98265fe) + +Signed-off-by: Jean-Baptiste Kempf <j...@videolan.org> +--- + modules/codec/png.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/modules/codec/png.c b/modules/codec/png.c +index acd5694..ced4016 100644 +--- a/modules/codec/png.c ++++ b/modules/codec/png.c +@@ -91,12 +91,14 @@ static int OpenDecoder( vlc_object_t *p_this ) + static void user_read( png_structp p_png, png_bytep data, png_size_t i_length ) + { + block_t *p_block = (block_t *)png_get_io_ptr( p_png ); +- png_size_t i_read = __MIN( p_block->i_buffer, i_length ); ++ if( i_length > p_block->i_buffer ) { ++ png_error( p_png, "not enough data" ); ++ return; ++ } ++ + memcpy( data, p_block->p_buffer, i_length ); + p_block->p_buffer += i_length; + p_block->i_buffer -= i_length; +- +- if( i_length != i_read ) png_error( p_png, "not enough data" ); + } + + static void user_error( png_structp p_png, png_const_charp error_msg ) +-- +1.7.10.4 + diff -Nru vlc-2.0.3/debian/patches/series vlc-2.0.3/debian/patches/series --- vlc-2.0.3/debian/patches/series 2012-10-04 20:36:13.000000000 +0200 +++ vlc-2.0.3/debian/patches/series 2012-12-06 12:23:23.000000000 +0100 @@ -2,3 +2,4 @@ link-vlc-cache-gen-with-c++.patch link-vlc-with-c++.patch bp-fix-hang-caused-by-notify.patch +CVE-2012-5470.patch
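Review bot: in the debian/changelog hunk, please double-check the distribution field: the entry says `testing`, while the mail says the upload is intended for testing-proposed-updates, so confirm with the release team that `testing` is the form they want here rather than `testing-proposed-updates`. The entry also names the CVE and the Debian bug but not the upstream commit the fix is cherry-picked from; the hash 47d4631ac62900484fac206abdfc33a2920b07bf already appears in the patch's From line, so a short reference to it in the changelog line (e.g. `- CVE-2012-5470 (upstream commit 47d4631a)`) would let anyone auditing the package tie the two together without opening the patch.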
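Review bot: in the CVE-2012-5470.patch hunk, the ordering of the new user_read() is the substance of the fix and is correct: the old code computed `i_read = __MIN( p_block->i_buffer, i_length )` but still ran `memcpy( data, p_block->p_buffer, i_length )` before comparing i_read with i_length, so a PNG that asked for more bytes than the block held was read out of bounds before png_error() was ever reached; the length check now precedes the memcpy. One nit: png_error() does not return (libpng longjmps back to the decoder's setjmp point), so the `return;` after it is unreachable; it is harmless as a guard, but a one-line comment saying so would stop a future reader from assuming the function continues after an error. On the file itself, it carries only the git format-patch headers (From/Date/Subject and the "cherry picked from" line); adding DEP-3 `Origin: upstream, http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=47d4631ac62900484fac206abdfc33a2920b07bf` and `Bug-Debian: http://bugs.debian.org/692130` headers would make the provenance explicit for the next maintainer.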