On 16 Aug, Reinhard Tartler wrote:
> Control: tag -1 upstream
>
> On Mon, Feb 3, 2014 at 10:08 AM, Raphael Geissert <geiss...@debian.org> wrote:
> > Package: vlc
> > Severity: important
> > Tags: security
> >
> > Hi,
> >
> > vlc uses libtar to unpack skins, however, its use on untrusted data
> > exposes it to CVE-2013-4420 (#731860).
> >
> > Changing the behaviour of libtar appears to be problematic because
> > some applications have relied on the, lack of, path sanitation (cf.
> > https://lists.feep.net:8080/pipermail/libtar/2013-October/000359.html
> > and the follow-ups).
> > What appears to be the safe way to handle this issue is making sure
> > that libtar is not used on untrusted data without file path validation
> > - that would mean that vlc would have to check for every file that is
> > about to be extracted that none contains a ../, and something similar
> > for symlinks.
> >
> > Alternatively, vlc could just use tar(1) to unpack the tarballs, or
> > drop support for skins or skins in tarballs.
> >
> > What do you think?
> >
> > This should probably be forwarded to upstream.
>
> I totally agree.
>
> J-B, do you have any opinion on this issue?
I would build with --disable-libtar. This feature is not supported on the other platforms anyway...

With my kindest regards,

-- 
Jean-Baptiste Kempf
http://www.jbkempf.com/ - +33 672 704 734
Sent from my Electronic Device

_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
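The per-entry validation Raphael describes above (reject any name with a `../` component, and treat symlinks specially), written out as an added example. This is not code from VLC, libtar or the Debian package; it is plain C over the strings a tar reader hands back and does not touch the libtar API. The function names are hypothetical; the only external fact it relies on is the POSIX ustar typeflag encoding ('1' hard link, '2' symlink). It also shows why a lexical symlink-target check alone is not enough: two individually safe links can chain to a path outside the extraction directory, so the policy function refuses link entries outright. The sample entries in `main` are constructed for illustration.

```c
/*
 * Added example (not VLC or libtar code): the per-entry path check the
 * thread describes, written as plain C over the strings a tar reader
 * hands back (entry name, POSIX ustar typeflag, link target).
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Lexically check an entry name. Returns the number of directory levels
 * the entry sits below the extraction root ("skin/theme.xml" -> 1), or
 * -1 if the name is empty, absolute, or contains a ".." component.
 * "..foo" is a legitimate file name and is accepted. */
int tar_entry_depth(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return -1;
    int depth = 0;
    const char *p = name;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return -1;                 /* "../x", "a/../b", "a/.." */
        if (slash == NULL)
            return depth;              /* last component is the entry itself */
        if (len > 0 && !(len == 1 && p[0] == '.'))
            depth++;                   /* skip "//" and "./" components */
        p = slash + 1;
    }
}

bool tar_entry_name_is_safe(const char *name)
{
    return tar_entry_depth(name) >= 0;
}

/* Lexical check of a symlink target relative to the directory the link
 * lives in: absolute targets and targets that climb above the root are
 * rejected. Assumption: no earlier entry in the archive was itself a
 * symlink. A link "d -> ." followed by "e -> d/.." passes this check
 * for both entries yet "e" resolves outside the root, which is why
 * tar_entry_is_safe() below refuses link entries altogether. */
bool tar_symlink_target_is_safe(const char *name, const char *target)
{
    int depth = tar_entry_depth(name);
    if (depth < 0 || target == NULL || target[0] == '\0' || target[0] == '/')
        return false;
    const char *p = target;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return false;          /* climbed above the extraction root */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;
        }
        if (slash == NULL)
            return true;
        p = slash + 1;
    }
}

/* Policy for an untrusted skin archive: regular files and directories
 * with a safe relative name only. Hard links ('1') and symlinks ('2')
 * are rejected outright; typeflag values are the POSIX ustar ones. */
bool tar_entry_is_safe(const char *name, char typeflag)
{
    switch (typeflag) {
    case '1':
    case '2':
        return false;
    default:
        return tar_entry_name_is_safe(name);
    }
}

/* Constructed sample entries, as a skin archive from an untrusted
 * source might contain them. */
int main(void)
{
    static const struct { const char *name; char typeflag; } entries[] = {
        { "skin/theme.xml",        '0' },
        { "skin/..hidden.png",     '0' },
        { "../../../etc/passwd",   '0' },
        { "skin/../../evil.so",    '0' },
        { "/etc/ld.so.preload",    '0' },
        { "skin/link",             '2' },
    };
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++)
        printf("%-24s %s\n", entries[i].name,
               tar_entry_is_safe(entries[i].name, entries[i].typeflag)
                   ? "extract" : "REJECT");
    return 0;
}
```

The check is deliberately lexical: it runs on the header before anything is written, so it does not depend on the filesystem state that earlier entries may have changed. Rejecting links entirely is the cheap way to avoid the chained-symlink case; the alternatives named in the thread (unpacking with tar(1), or building with --disable-libtar) avoid the question altogether.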