Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package vlc. 2.2.0~rc2-2 fixes multiple security vulnerabilities.

unblock vlc/2.2.0~rc2-2

Cheers
--
Sebastian Ramacher
diff -Nru vlc-2.2.0~rc2/debian/changelog vlc-2.2.0~rc2/debian/changelog --- vlc-2.2.0~rc2/debian/changelog 2014-11-23 13:14:12.000000000 +0100 +++ vlc-2.2.0~rc2/debian/changelog 2015-01-21 22:42:06.000000000 +0100 @@ -1,3 +1,17 @@ +vlc (2.2.0~rc2-2) unstable; urgency=medium + + * debian/patches: Apply upstream patches for security vulnerabilities. + (Closes: #775866) + - codec-schroedinger-fix-potential-buffer-overflow.patch: fix potential + buffer overflow. (CVE-2014-9629) + - demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch: fix buffer + overflow in parsing of string boxes. (CVE-2014-9626, CVE-2014-9627, + CVE-2014-9628) + - stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch: don't use + VLA for user controlled data. (CVE-2014-9630) + + -- Sebastian Ramacher <sramac...@debian.org> Wed, 21 Jan 2015 22:41:57 +0100 + vlc (2.2.0~rc2-1) unstable; urgency=medium * New upstream release. diff -Nru vlc-2.2.0~rc2/debian/patches/codec-schroedinger-fix-potential-buffer-overflow.patch vlc-2.2.0~rc2/debian/patches/codec-schroedinger-fix-potential-buffer-overflow.patch --- vlc-2.2.0~rc2/debian/patches/codec-schroedinger-fix-potential-buffer-overflow.patch 1970-01-01 01:00:00.000000000 +0100 +++ vlc-2.2.0~rc2/debian/patches/codec-schroedinger-fix-potential-buffer-overflow.patch 2015-01-21 22:57:50.000000000 +0100 
@@ -0,0 +1,29 @@ +From: Fabian Yamaguchi <fyam...@gwdg.de> +Subject: [PATCH] codec: schroedinger: fix potential buffer overflow. + The variable len is a raw 32 bit value read using GetDWBE. If this + value is larger than UINT32_MAX - sizeof(eos), this will cause an + integer overflow in the subsequent call to malloc, and finally a + buffer overflow when calling memcpy. We fix this by checking len + accordingly. +Origin: upstream, http://git.videolan.org/?p=vlc.git;a=commitdiff;h=9bb0353a5c63a7f8c6fc853faa3df4b4df1f5eb5 +Bug-Debian: https://bugs.debian.org/775866 +Last-Update: 2015-01-21 + +diff --git a/modules/codec/schroedinger.c b/modules/codec/schroedinger.c +index f48aa2b..977afca 100644 +--- a/modules/codec/schroedinger.c ++++ b/modules/codec/schroedinger.c +@@ -1548,6 +1548,10 @@ static block_t *Encode( encoder_t *p_enc, picture_t *p_pic ) + * is appended to the sequence header to allow guard + * against poor streaming servers */ + /* XXX, should this be done using the packetizer ? */ ++ ++ if( len > UINT32_MAX - sizeof( eos ) ) ++ return NULL; ++ + p_enc->fmt_out.p_extra = malloc( len + sizeof( eos ) ); + if( !p_enc->fmt_out.p_extra ) + return NULL; +-- +2.1.4 + diff -Nru vlc-2.2.0~rc2/debian/patches/demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch vlc-2.2.0~rc2/debian/patches/demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch --- vlc-2.2.0~rc2/debian/patches/demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch 1970-01-01 01:00:00.000000000 +0100 +++ vlc-2.2.0~rc2/debian/patches/demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch 2015-01-21 23:00:13.000000000 +0100 
@@ -0,0 +1,28 @@ +From: Fabian Yamaguchi <fyam...@gwdg.de> +Subject: [PATCH] demux: mp4: fix buffer overflow in parsing of string boxes. + We ensure that pbox->i_size is never smaller than 8 to avoid an + integer underflow in the third argument of the subsequent call to + memcpy. We also make sure no truncation occurs when passing values + derived from the 64 bit integer p_box->i_size to arguments of malloc + and memcpy that may be 32 bit integers on 32 bit platforms. +Origin: upstream, http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=914462405f8e90d9b2b1184ff047fdfb1f800b48 +Bug-Debian: https://bugs.debian.org/775866 +Last-Update: 2015-01-21 + +diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c +index 19e84d3..3912e7e 100644 +--- a/modules/demux/mp4/libmp4.c ++++ b/modules/demux/mp4/libmp4.c +@@ -2667,6 +2667,9 @@ static int MP4_ReadBox_name( stream_t *p_stream, MP4_Box_t *p_box ) + { + MP4_READBOX_ENTER( MP4_Box_data_name_t ); + ++ if( p_box->i_size < 8 || p_box->i_size > SIZE_MAX ) ++ MP4_READBOX_EXIT( 0 ); ++ + p_box->data.p_name->psz_text = malloc( p_box->i_size + 1 - 8 ); /* +\0, -name, -size */ + if( p_box->data.p_name->psz_text == NULL ) + MP4_READBOX_EXIT( 0 ); +-- +2.1.4 + diff -Nru vlc-2.2.0~rc2/debian/patches/series vlc-2.2.0~rc2/debian/patches/series --- vlc-2.2.0~rc2/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ vlc-2.2.0~rc2/debian/patches/series 2015-01-21 12:30:01.000000000 +0100 
@@ -0,0 +1,3 @@ +codec-schroedinger-fix-potential-buffer-overflow.patch +demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch +stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch diff -Nru vlc-2.2.0~rc2/debian/patches/stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch vlc-2.2.0~rc2/debian/patches/stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch --- vlc-2.2.0~rc2/debian/patches/stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch 1970-01-01 01:00:00.000000000 +0100 +++ vlc-2.2.0~rc2/debian/patches/stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch 2015-01-21 23:00:35.000000000 +0100 
@@ -0,0 +1,47 @@ +From: Fabian Yamaguchi <fyam...@gwdg.de> +Subject: [PATCH] stream_out: rtp: don't use VLA for user controlled data + It should fix a possible invalid memory access + . + When streaming ogg-files via rtp, an ogg-file can trigger an invalid + write access using an overly long 'configuration' string. + . + The original code attemps to allocate space to hold the string on the stack + and hence, cannot verify if allocation succeeds. Instead, we now allocate the + buffer on the heap and return if allocation fails. + . + In detail, rtp_packetize_xiph_config allocates a buffer on the stack at (1) where + the size depends on the local variable 'len'. The variable 'len' is + calculated at (0) to be the length of a string contained in a specially + crafted Ogg Vorbis file, and therefore, it is attacker-controlled. +Origin: upstream, http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=3199c5dd837bc641962e9c1c8d0cd2d7c9b8bb37 +Bug-Debian: https://bugs.debian.org/775866 +Last-Update: 2015-01-21 + +diff --git a/modules/stream_out/rtpfmt.c b/modules/stream_out/rtpfmt.c +index baee82a..ff7ea10 100644 +--- a/modules/stream_out/rtpfmt.c ++++ b/modules/stream_out/rtpfmt.c +@@ -557,7 +557,11 @@ int rtp_packetize_xiph_config( sout_stream_id_sys_t *id, const char *fmtp, + char *end = strchr(start, ';'); + assert(end != NULL); + size_t len = end - start; +- char b64[len + 1]; ++ ++ char *b64 = malloc(len + 1); ++ if(!b64) ++ return VLC_EGENERIC; ++ + memcpy(b64, start, len); + b64[len] = '\0'; + +@@ -567,6 +571,7 @@ int rtp_packetize_xiph_config( sout_stream_id_sys_t *id, const char *fmtp, + int i_data; + + i_data = vlc_b64_decode_binary(&p_orig, b64); ++ free(b64); + if (i_data <= 9) + { + free(p_orig); +-- +2.1.4 +
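Review bot: in the schroedinger.c hunk, the new guard `if( len > UINT32_MAX - sizeof( eos ) ) return NULL;` only stops the sum in `malloc( len + sizeof( eos ) )` from wrapping; a len just below that limit is still accepted and turns into an allocation of close to 4 GiB, which on most systems fails and is then caught by the existing `if( !p_enc->fmt_out.p_extra ) return NULL;`. A bound tied to the amount of data actually present would be tighter. Note also that the comparison is only load-bearing where size_t is 32-bit: with a 64-bit size_t the addition of a 32-bit len and sizeof( eos ) cannot wrap, so the check is harmless but does no work there.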
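Review bot: in the libmp4.c hunk, the second half of `if( p_box->i_size < 8 || p_box->i_size > SIZE_MAX )` is always false on 64-bit builds, since the description states i_size is a 64-bit integer and SIZE_MAX is 2^64-1 there; compilers commonly flag such always-false comparisons (for example with -Wtype-limits), and the condition only does work on 32-bit targets, where it prevents the truncation the description mentions. The `< 8` half is what keeps `p_box->i_size + 1 - 8` from wrapping to a huge unsigned value. The memcpy the description refers to is outside the shown context, so the review should confirm the same bounded length is used there as in the malloc. A large i_size below SIZE_MAX still permits an allocation of up to SIZE_MAX - 7 bytes; checking i_size against the bytes remaining in the stream would be more robust.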
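Review bot: in the rtpfmt.c hunks, the early `return VLC_EGENERIC;` on malloc failure is correct, but the new heap buffer is released only in the second hunk, by the `free(b64);` placed right after `vlc_b64_decode_binary(&p_orig, b64);`. Original lines 564 to 566 fall between the two hunks and are not shown, so any early return or error path in that gap would now leak b64, which the VLA version could not. Worth confirming there is none, or routing all exits through a single cleanup label so the buffer is freed on every path.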