Bug#775866: marked as done (vlc: multiple vulnerabilities)

[Debian Bug Tracking System]

Your message dated Thu, 05 Feb 2015 19:33:01 +0000
with message-id <e1yjsaf-0004a7...@franck.debian.org>
and subject line Bug#775866: fixed in vlc 2.0.3-5+deb7u2
has caused the Debian Bug report #775866,
regarding vlc: multiple vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
775866: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775866
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Source: vlc
Version: 2.1.5-1
Severity: grave
Tags: security
Justification: user security hole

Hi,

multiple vulnerabilities were reported against vlc 2.1.5. The complete
mail is at http://seclists.org/oss-sec/2015/q1/187 but at least the
following vulnerabilities are fixed in vlc master branch:

* Buffer overflow in updater:
  
https://github.com/videolan/vlc/commit/fbe2837bc80f155c001781041a54c58b5524fc14
* Buffer overflow in mp4 demuxer:
  
https://github.com/videolan/vlc/commit/2e7c7091a61aa5d07e7997b393d821e91f593c39
* Potential buffer overflow in Schroedinger Encoder
  
https://github.com/videolan/vlc/commit/9bb0353a5c63a7f8c6fc853faa3df4b4df1f5eb5
* Invalid memory access in rtp code:
  
https://github.com/videolan/vlc/commit/204291467724867b79735c0ee3aeb0dbc2200f97
* Null-pointer dereference in dmo codec:
  
https://github.com/videolan/vlc/commit/229c385a79d48e41687fae8b4dfeaeef9c8c3eb7

And there are unfixed ones:

* The potential buffer overflow in the Dirac Encoder was not fixed as
  the Dirac encoder no longer exists in the master branch.
* The potential invalid writes in modules/services_discovery/sap.c and
  modules/access/ftp.c were not fixed as I did not provide a
  trigger. Note, that the code looks very similar to the confirmed bug
  in rtp_packetize_xiph_config, and so I leave it to you to decide
  whether you want to patch this.

CVEs should follow soon. Also, I guess Wheezy and Jessie are affected too, so a
DSA might be needed.

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (450, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---

--- Begin Message ---

Source: vlc
Source-Version: 2.0.3-5+deb7u2

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <gh...@debian.org> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 01 Feb 2015 11:53:45 +0100
Source: vlc
Binary: libvlc-dev libvlc5 libvlccore-dev libvlccore5 vlc vlc-data vlc-dbg 
vlc-nox vlc-plugin-fluidsynth vlc-plugin-jack vlc-plugin-notify 
vlc-plugin-pulse vlc-plugin-sdl vlc-plugin-svg vlc-plugin-zvbi
Architecture: source amd64 all
Version: 2.0.3-5+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Debian Multimedia Maintainers 
<pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Alessandro Ghedini <gh...@debian.org>
Description: 
 libvlc-dev - development files for libvlc
 libvlc5    - multimedia player and streamer library
 libvlccore-dev - development files for libvlccore
 libvlccore5 - base library for VLC and its modules
 vlc        - multimedia player and streamer
 vlc-data   - Common data for VLC
 vlc-dbg    - debugging symbols for vlc
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-fluidsynth - FluidSynth plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-notify - LibNotify plugin for VLC
 vlc-plugin-pulse - PulseAudio plugin for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svg - SVG plugin for VLC
 vlc-plugin-zvbi - VBI teletext plugin for VLC
Closes: 775866
Changes: 
 vlc (2.0.3-5+deb7u2) wheezy-security; urgency=high
 .
   * Fix multiple vulnerabilities (Closes: #775866):
     - Fix potential buffer overflow in the Dirac and Schroedinger encoders
       as per CVE-2014-9629
     - Fix buffer overflow when parsing string boxes in the MP4 demuxer
       as per CVE-2014-9626, CVE-2014-9627, CVE-2014-9628
     - Fix possible invalid memory access in the RTP code as per CVE-2014-9630
   * Set urgency=high accordingly
Checksums-Sha1: 
 3ba10f05dd7f3289261ac85338d5af6aa2ec035b 4853 vlc_2.0.3-5+deb7u2.dsc
 cf4dc7b22684b01222a7a2e14972fa5b9de14c7b 65013 vlc_2.0.3-5+deb7u2.debian.tar.gz
 27d55de2c986d2caf287f0b2122447c50aff432a 59610 
libvlc-dev_2.0.3-5+deb7u2_amd64.deb
 dc3fde0367438dd89449d4745b91241ce07c5db8 39248 libvlc5_2.0.3-5+deb7u2_amd64.deb
 a0ab20338a7a669d97f25e65871c775fd25e01e4 505462 
libvlccore-dev_2.0.3-5+deb7u2_amd64.deb
 61a809c6cf362d9e83d6d8f3d2e31975922c555a 357012 
libvlccore5_2.0.3-5+deb7u2_amd64.deb
 c07313774ee7a8e2a0c659a701f8ca7029a10ec7 1051662 vlc_2.0.3-5+deb7u2_amd64.deb
 49b0a5fe43f59287e98abf82b789d73a7fba57d3 5120376 
vlc-data_2.0.3-5+deb7u2_all.deb
 6bc9837ea9cf51bdeb3339b3f455d1c2900551d4 13269808 
vlc-dbg_2.0.3-5+deb7u2_amd64.deb
 9425fd123a63bd1a450f2f1b1ef6e16050108f0d 2557258 
vlc-nox_2.0.3-5+deb7u2_amd64.deb
 6f110318bda90749f937607764203a302b93073f 5494 
vlc-plugin-fluidsynth_2.0.3-5+deb7u2_amd64.deb
 9bba3e9f5187919f6cdc755d6e9b43b9fecb8e05 10508 
vlc-plugin-jack_2.0.3-5+deb7u2_amd64.deb
 b4fb5462c9b51922611491d2f6a600a4bdc99a97 5618 
vlc-plugin-notify_2.0.3-5+deb7u2_amd64.deb
 ad2f0f6fe3ff1a9593fbcb89c2229a0a817da986 16784 
vlc-plugin-pulse_2.0.3-5+deb7u2_amd64.deb
 dbe381e362282ab9b7d9f21d8c2d5e7799c6ee53 8104 
vlc-plugin-sdl_2.0.3-5+deb7u2_amd64.deb
 298e25ecaca4607a40b121c7b46a6a6790d427c3 6318 
vlc-plugin-svg_2.0.3-5+deb7u2_amd64.deb
 28f058af8b20d3f1340aadecd1d607217b363a47 8042 
vlc-plugin-zvbi_2.0.3-5+deb7u2_amd64.deb
Checksums-Sha256: 
 1121ff16c7fbc14a8e6373da17b0afc9e72688eb430e8f25907334626a8a7140 4853 
vlc_2.0.3-5+deb7u2.dsc
 ca0f806a7e1d9fb3c6547a9373f03322209c69722608d5d2c2e88fadac1744ab 65013 
vlc_2.0.3-5+deb7u2.debian.tar.gz
 b58228987642acdddd00888d5e4fe2e9c962081c6ed2966a9667d774d6e8fd16 59610 
libvlc-dev_2.0.3-5+deb7u2_amd64.deb
 da5cca6d7ed0cd67ab8fadcde91ddfafa5217a68f8638088a25183bdab11d698 39248 
libvlc5_2.0.3-5+deb7u2_amd64.deb
 59a14f262f73151e07169f1d3cd231d6f6e7a957cbd79f6d8bf73774f010932f 505462 
libvlccore-dev_2.0.3-5+deb7u2_amd64.deb
 c28f8b895a5d342522be9906acfee80ba9e795aab3c7ef8f00b65e190dc1c415 357012 
libvlccore5_2.0.3-5+deb7u2_amd64.deb
 3bd56e6e32fe544f9a573c9021400a766c2c4b2fc5b6710a0079300b3997f030 1051662 
vlc_2.0.3-5+deb7u2_amd64.deb
 679d2a64db56f5e41d5e66f54bad6de2b579e0c566216b2e79380da19556c12c 5120376 
vlc-data_2.0.3-5+deb7u2_all.deb
 e7fb13d69f7ae71607cfad9ae5660e41c1689387ebb51aec203048d41ece3175 13269808 
vlc-dbg_2.0.3-5+deb7u2_amd64.deb
 55b65ad895467ab78cb8320bb794221e0daed25a265eaac8ef1609099b2bc742 2557258 
vlc-nox_2.0.3-5+deb7u2_amd64.deb
 6c7a7bcaa5f72f974131b800386a298b47631f46ae62d1d90263018b94e4ce1d 5494 
vlc-plugin-fluidsynth_2.0.3-5+deb7u2_amd64.deb
 1f5c1b8491c25ea58de3fa732ddd694772506192fbace36d6ee81212d4516491 10508 
vlc-plugin-jack_2.0.3-5+deb7u2_amd64.deb
 6727fc897a3f8c7070e89697de46754e8802439e9e26e39ef3d146d712ecf9af 5618 
vlc-plugin-notify_2.0.3-5+deb7u2_amd64.deb
 c34c309ff61c30680976e9c255276995ec17b5cb0086da4f18f8eb061657bca4 16784 
vlc-plugin-pulse_2.0.3-5+deb7u2_amd64.deb
 3bdd895910a82a414c3e1d5f3b594216f4f5cd5ac8aa49501a20d79681ce61cc 8104 
vlc-plugin-sdl_2.0.3-5+deb7u2_amd64.deb
 9b7b4ecf4fdfd2ecd7621be57cba60dc90c4445cf44b71360853f97e3e2b4990 6318 
vlc-plugin-svg_2.0.3-5+deb7u2_amd64.deb
 7a76e86bc5ec17a5cd4dc695b2bcb10d4bcd588f8dee4d06ce777bbd077fac83 8042 
vlc-plugin-zvbi_2.0.3-5+deb7u2_amd64.deb
Files: 
 1b452feb68579df37eecce6a09cc5923 4853 video optional vlc_2.0.3-5+deb7u2.dsc
 c7d5dbd08c7fc1efa3434c54458ef277 65013 video optional 
vlc_2.0.3-5+deb7u2.debian.tar.gz
 c7a9ef7536cdec01da96dd6d623a2cf7 59610 libdevel optional 
libvlc-dev_2.0.3-5+deb7u2_amd64.deb
 701d64e575ea1c4b063682b7d506a492 39248 libs optional 
libvlc5_2.0.3-5+deb7u2_amd64.deb
 2c683ecf7e8657bef297790e2d9bf7ca 505462 libdevel optional 
libvlccore-dev_2.0.3-5+deb7u2_amd64.deb
 0caaf0791b360ef0147a0ac00544aad1 357012 libs optional 
libvlccore5_2.0.3-5+deb7u2_amd64.deb
 148a85f65ff2a0ef3905bbac946bf91c 1051662 video optional 
vlc_2.0.3-5+deb7u2_amd64.deb
 a25c0e7e5e9e789101351ab00285592a 5120376 video optional 
vlc-data_2.0.3-5+deb7u2_all.deb
 b461a1b7fc7fc255323828ecc39452d8 13269808 debug extra 
vlc-dbg_2.0.3-5+deb7u2_amd64.deb
 15a1893e7bfdcc9462e1fd115a40a7a5 2557258 video optional 
vlc-nox_2.0.3-5+deb7u2_amd64.deb
 f3144a810f91007800900c411b1b834f 5494 video optional 
vlc-plugin-fluidsynth_2.0.3-5+deb7u2_amd64.deb
 e87bae33231da142f02aa7219d4b4fed 10508 video optional 
vlc-plugin-jack_2.0.3-5+deb7u2_amd64.deb
 ec1bd804081a43bb99eab17d1592f4fc 5618 video optional 
vlc-plugin-notify_2.0.3-5+deb7u2_amd64.deb
 69ae7a071bd5b4eebacb823531b57485 16784 video optional 
vlc-plugin-pulse_2.0.3-5+deb7u2_amd64.deb
 362e3fecb65f876036329735f5f3de40 8104 video optional 
vlc-plugin-sdl_2.0.3-5+deb7u2_amd64.deb
 a991e4cfd83fb42c2a7a0074d608e7e5 6318 video optional 
vlc-plugin-svg_2.0.3-5+deb7u2_amd64.deb
 e5f9f96d13e7f6bace7f228ba7949003 8042 video optional 
vlc-plugin-zvbi_2.0.3-5+deb7u2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUzzkjAAoJEK+lG9bN5XPL2s8P/1FiiPqFOq+aUc2mG1R0srD/
K45TPhUbp1SSIN0IRkUaCTanTjl54FMZRnwl8CQsgw9YFuAr9jnjEmWA92plFWSv
HFSL7K8T1XIDhquL2jy+fI9KhPB8kYS+wuU3jxt2ND26AJ5Gew7506JTsx2rtvBc
rcaIj0gjI2rdqLCZhAXAjOjWjuNtlCvhSzLQeS84XP727TCzmtlB02ul9QHHDPXv
3IraITq2c18jeIse2wI9xIGg8yjtnzNEp0CPKFyNt7SidytEt0tgl2lb3BsfGy7h
GGmBIvxs6pJVLPA/ba9cRGBSXeCDhhi1GWI5/Ffiewg6l+jXBv+t58JQrBmcnh0+
XFrCB8SguPg+0WIiZ3CN1MvVsB5ON2+c1PxnhklY9Lo2zLdbdg9BQt7kRKx7vHoK
Gbw7DCtpeEjU1YI15TCl/lUkf59FA4jQcUUAOiiLls65JO9z8T7xn8S6lNXr7Ocj
2BGoWB1D+7K+AkizzuKINxS9nfUDf3APnZNQo5xazNyMxTE+8aC9J69tH6rBkJwM
4+thAzCosVn+gBh/a2F3pjRD8Gz5Anh6+J/b3SsPJsYnT1sEzBEtJE7MUxaG4lnP
C0D7YwmHf8VdNyK6ZjmG4gyIgJY54CIwjIv0aQ7xmr0KjswdhbGlREzTOqvHu5ER
HIQgtITFJ/XQ8IXOdb2K
=2UmH
-----END PGP SIGNATURE-----

--- End Message ---

_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers