SRU request for VLC 2.0.2/2.0.3

Bug #1025713 reported by Sam_ on 2012-07-17
This bug affects 3 people
Affects        | Status | Importance | Assigned to | Milestone
vlc (Ubuntu)   |        | High       | Unassigned  |
Precise        |        | High       | Unassigned  |
Quantal        |        | High       | Unassigned  |

Bug Description

Please provide VLC 2.0.2 also for Precise LTS 12.04.
VLC 2.0.2 incl. lots of bug fixes in particular it closes a security hole (ogg buffer overflow).
References.
http://changelogs.ubuntu.com/changelogs/pool/universe/v/vlc/vlc_2.0.2-1/changelog
http://www.videolan.org/vlc/releases/2.0.2.html
https://secunia.com/advisories/49835/

vlc:
  Installed: 2.0.1-4
  Candidate: 2.0.1-4
  Version table:
 *** 2.0.1-4 0

Rémi Denis-Courmont (rdenis) wrote :

I'd rather recommend taking 2.0.3, which is nearly identical to 2.0.2 as far as Linux is concerned. Basically, it has two minor security fixes:
2752db79396f332a187689a60bfcf6b1fe83b4fc
4cfc4e981e706f1b220c102899ec469ff00c2857
three bug fixes:
25667b7e87141887f057d4422668067408817015 (compatibility with numerous broken IP camera firmwares)
74632021986be07f4afe48347167b84f60b04d5b (avformat)
ac526dbdc0eef846feabad69fea1fc85731b218a (audio scrobbling)
and updated translations.

Alternatively, you could backport the five hashes above and discard the translations.

Bryce Harrington (bryce) wrote :

The 2.0.2 release has a large number of changes over 2.0.1 (the website says over 500 commits), although from the NEWS file it does sound like this is almost entirely bug fixes. Unfortunately vlc does not have an MRE granted for it in Ubuntu so this would not qualify for an ordinary SRU. See https://wiki.ubuntu.com/StableReleaseUpdates for the SRU policy; generally SRUs are for individual, specific bug fixes to reproducible defects.

However, given how much care it appears VLC put into making 2.0.2 a bug-fix-only release, and that they include a test suite, I would rather suggest looking at requesting an MRE for VLC. See https://wiki.ubuntu.com/StableReleaseUpdates/MicroReleaseExceptions for the MRE process.

Aside from that, the security fixes are almost certainly going to be acceptable via Ubuntu Security.

The other three fixes rdenis suggests sound doable as individual SRUs, but we'd need to have test cases (and probably separate bug reports) for each.

Bryce Harrington (bryce) on 2012-07-23
Changed in vlc (Ubuntu):
status: New → Triaged
importance: Undecided → High
summary: - SRU request for VLC 2.0.2
+ SRU request for VLC 2.0.2/2.0.3
Changed in vlc (Ubuntu Precise):
status: New → Triaged
importance: Undecided → High

Benjamin Drung (bdrung) wrote :

I synced vlc 2.0.3-1 from Debian unstable to quantal.

VLC 2.0.2 closes nine Launchpad bugs. I intend to request an MRE for VLC, but haven't found the time to do it yet. The test suite for VLC is small and currently not run when building the package. The test suite succeeds on a local build, but one test fails if it is run in a chroot. Help on debugging it is appreciated. The test suite can be run by adding dh_auto_test to the override_dh_auto_test target.

Changed in vlc (Ubuntu Quantal):
status: Triaged → Fix Released

Benjamin Drung (bdrung) wrote :

Here's a debdiff against the quantal package for SRUing VLC to precise-security-proposed.

Jamie Strandboge (jdstrand) wrote :

CVE-2012-0904, CVE-2012-2396 and CVE-2012-3377 are listed as affecting precise, but the debdiff only mentions CVE-2012-3377. Can you comment on the other two?

Benjamin Drung (bdrung) wrote :

CVE-2012-2396 is a security bug in taglib (that is fixed in taglib 1.7.2-1), but not in the vlc source code.

Benjamin Drung (bdrung) wrote :

I tried the exploit for CVE-2012-0904 [1]. VLC 2.0.1-4 did not crash. It failed to open the .amr file:

[0x7f6a70c01bc8] avformat demux error: Could not open : Operation not permitted
[0x7f6a70c01bc8] ps demux error: cannot peek
[0x7f6aa0000b78] main input error: no suitable demux module for `[...]/b00f.amr'

[1] http://www.exploit-db.com/exploits/18309/

Bryce Harrington (bryce) wrote :

bdrung, you mentioned this fixed nine ubuntu bugs; which bug #'s are those? Might be worth including them in the changelog entry?

Jamie Strandboge (jdstrand) wrote :

Ok, I have updated the CVE tracker with the information on CVE-2012-0904 and CVE-2012-2396. I agree with Bryce on adding the bug references to the changelog. Once that is done, please resubscribe ubuntu-security-sponsors and we'll build this in ubuntu-security-proposed (and if ubuntu-sru approves, copy to precise-proposed).

Changed in vlc (Ubuntu Precise):
status: Triaged → In Progress
assignee: nobody → Benjamin Drung (bdrung)

Jamie Strandboge (jdstrand) wrote :

Benjamin pointed out that using the appropriate -v will give all the bugs. I am preparing the upload to ubuntu-security-proposed now.

Changed in vlc (Ubuntu Precise):
assignee: Benjamin Drung (bdrung) → Jamie Strandboge (jdstrand)

Jamie Strandboge (jdstrand) wrote :

Reviewing the changelog, this looks like all bug fixes on Linux. ACK.

Jamie Strandboge (jdstrand) wrote :
security vulnerability: no → yes
tags: added: security-verification
Changed in vlc (Ubuntu Precise):
assignee: Jamie Strandboge (jdstrand) → nobody

Jamie Strandboge (jdstrand) wrote :

Pocket copied vlc to proposed. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
removed: security-verification
Changed in vlc (Ubuntu Precise):
status: In Progress → Fix Committed

Jamie Strandboge (jdstrand) wrote :

To ubuntu-sru: if this passes the verification process, please also pocket copy to security. Thanks!

Sam_ (and-sam) wrote :

Installed from proposed. The terminal states the previous version, contrary to the "About" dialog (screenshot).
## bug 998729 is still present.

I attempted to open playlist -> My Computer -> My Music and double-clicked on a folder which contains a few .mp3 and .ogg files.
Result: nothing happens. Trying to close the playlist dialog with the window button brings up the 'force quit' dialog.
The VLC window disappears. The quit entry on the panel icon doesn't terminate it; VLC needs to be killed by pid.
Terminal output:
vlc
VLC media player 2.0.1 Twoflower (revision 2.0.1-0-gf432547)
[0x2020bb8] dbus interface: listening on dbus as: org.mpris.MediaPlayer2.vlc
[0x1fcd138] main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
libdvdnav: Using dvdnav version 4.2.0
libdvdread: Encrypted DVD support unavailable.
************************************************
** **
** No css library available. See **
** /usr/share/doc/libdvdread4/README.css **
** for more information. **
** **
************************************************
libdvdread: Couldn't find device name.
libdvdnav:DVDOpenFilePath:findDVDFile /VIDEO_TS/VIDEO_TS.IFO failed
libdvdnav:DVDOpenFilePath:findDVDFile /VIDEO_TS/VIDEO_TS.BUP failed
libdvdread: Can't open file VIDEO_TS.IFO.
libdvdnav: vm: failed to read VIDEO_TS.IFO
libdvdnav: Using dvdnav version 4.2.0
libdvdread: Encrypted DVD support unavailable.
************************************************
** **
** No css library available. See **
** /usr/share/doc/libdvdread4/README.css **
** for more information. **
** **
************************************************
libdvdread: Couldn't find device name.
libdvdnav:DVDOpenFilePath:findDVDFile /VIDEO_TS/VIDEO_TS.IFO failed
libdvdnav:DVDOpenFilePath:findDVDFile /VIDEO_TS/VIDEO_TS.BUP failed
libdvdread: Can't open file VIDEO_TS.IFO.
libdvdnav: vm: failed to read VIDEO_TS.IFO
Killed

## There is no DVD in the Music folder and no DVD at all on this computer.

Should this be filed as a new bug?

~$ apt-cache policy vlc
vlc:
  Installed: 2.0.3-0ubuntu0.12.04.1
  Candidate: 2.0.3-0ubuntu0.12.04.1
  Version table:
 *** 2.0.3-0ubuntu0.12.04.1 0
        500 http://archive.ubuntu.com/ubuntu/ precise-proposed/universe amd64 Packages
        100 /var/lib/dpkg/status
     2.0.1-4 0
        500 http://archive.ubuntu.com/ubuntu/ precise/universe amd64 Packages

Benjamin Drung (bdrung) wrote :

Have you updated all vlc binary packages (like libvlc, vlc-data, and so on)? "vlc --version" should say VLC-Version 2.0.3 Twoflower (2.0.2-93-g77aa89e). Did this issue happen in the previous vlc version too or not (i.e. is it a regression)?

Rémi Denis-Courmont (rdenis) wrote :

Playing an encrypted DVD without a decryption library is not possible. This is not a regression.

And bug 998729 is not supposed to be fixed by 2.0.3 update anyway.

Sam_ (and-sam) wrote :

Benjamin, yes, all packages were installed, and the DVD issue also occurs with 2.0.1.
Rémi, I didn't attempt to play any DVD, neither encrypted nor decrypted.

So far the playlist has been unusable since 12.04; it was fine in 11.10.

It also doesn't open via the media dialog, neither file nor directory.
(Although 2.0.3 is installed, it states 2.0.1)
This is the output when attempting to open a file or directory via the media dialog.
~$ vlc
VLC media player 2.0.1 Twoflower (revision 2.0.1-0-gf432547)
[0x20fabb8] dbus interface: listening on dbus as: org.mpris.MediaPlayer2.vlc
[0x20a7138] main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.

## Purged 2.0.3 and installed 2.0.1 again to test the DVD mystery.

~$ vlc --version
VLC media player 2.0.1 Twoflower (revision 2.0.1-0-gf432547)
VLC version 2.0.1 Twoflower (2.0.1-0-gf432547)
Compiled by buildd on crested.buildd (Apr 3 2012 18:33:14)
Compiler: gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu3)

~$ vlc
VLC media player 2.0.1 Twoflower (revision 2.0.1-0-gf432547)
[0xe1cd68] dbus interface: listening on dbus as: org.mpris.MediaPlayer2.vlc
[0xdc7138] main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
libdvdnav: Using dvdnav version 4.2.0
libdvdread: Encrypted DVD support unavailable.
************************************************
** **
** No css library available. See **
** /usr/share/doc/libdvdread4/README.css **
** for more information. **
** **
************************************************
libdvdread: Couldn't find device name.
libdvdnav:DVDOpenFilePath:findDVDFile /VIDEO_TS/VIDEO_TS.IFO failed
libdvdnav:DVDOpenFilePath:findDVDFile /VIDEO_TS/VIDEO_TS.BUP failed
libdvdread: Can't open file VIDEO_TS.IFO.
libdvdnav: vm: failed to read VIDEO_TS.IFO
libdvdnav: Using dvdnav version 4.2.0
libdvdread: Encrypted DVD support unavailable.
************************************************
** **
** No css library available. See **
** /usr/share/doc/libdvdread4/README.css **
** for more information. **
** **
************************************************
libdvdread: Couldn't find device name.
libdvdnav:DVDOpenFilePath:findDVDFile /VIDEO_TS/VIDEO_TS.IFO failed
libdvdnav:DVDOpenFilePath:findDVDFile /VIDEO_TS/VIDEO_TS.BUP failed
libdvdread: Can't open file VIDEO_TS.IFO.
libdvdnav: vm: failed to read VIDEO_TS.IFO
Killed.

## Enable proposed again and upgrade to 2.0.3.

~$ sudo apt-get install vlc/precise-proposed
Reading package lists... Done
Building dependency tree
Reading state information... Done
Selected version '2.0.3-0ubuntu0.12.04.1' (Ubuntu:12.04/precise-proposed [amd64]) for 'vlc'
The following extra packages will be installed:
  libvlccore5 vlc-data vlc-nox vlc-plugin-notify vlc-plugin-pulse
Suggested packages:
  videolan-doc
The following packages will be upgraded:
  libvlccore5 vlc vlc-data vlc-nox vlc-plugin-notify vlc-plugin-pulse
6 upgraded, 0 newly installed, 0 to remove and 80...


Benjamin Drung (bdrung) wrote :

Please run "sudo apt-get install libvlc5/precise-proposed" and then retry "vlc --version".

Your DVD playback related issue is unrelated to this SRU then. Please open a new bug report for it.

Sam_ (and-sam) wrote :

When 2.0.1 wasn't installed and upgraded to 2.0.3, the installation of 2.0.3 contains more packages and the version is displayed correctly.

~$ sudo apt-get install vlc/precise-proposed
The following NEW packages will be installed:
  libcddb2 libcrystalhd3 libdvbpsi7 libebml3 libiso9660-8 libmatroska5 libresid-builder0c2a libsdl-image1.2 libsidplay2 libupnp3 libvcdinfo0 libvlc5 libvlccore5 vlc
  vlc-data vlc-nox vlc-plugin-notify vlc-plugin-pulse
0 upgraded, 18 newly installed, 0 to remove and 61 not upgraded.

~$ vlc --version
VLC media player 2.0.3 Twoflower (revision 2.0.2-93-g77aa89e)
VLC version 2.0.3 Twoflower (2.0.2-93-g77aa89e)
Compiled by buildd on allspice.buildd (Jul 24 2012 22:39:22)
Compiler: gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
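
The mismatch above (vlc reporting 2.0.1 while 2.0.3 was installed) came from an old libvlc5 left behind by a partial upgrade, which also means the security fix was not actually loaded. The following is an added check, not part of the bug report or of the Ubuntu packaging: it reads a dpkg-query listing and flags every installed vlc binary package whose version differs from the expected one. The package listings are constructed samples; the expected version string is the one from this SRU.

```sh
#!/bin/sh
# Added example (not from the bug report): verify that every installed
# binary package built from the vlc source package carries the same
# version, so a partial upgrade (old libvlc5 still present) is noticed.

# Constructed sample listings, in the format produced by:
#   dpkg-query -W -f='${Package} ${Version} ${Status}\n' 'vlc*' 'libvlc*'
# ${Status} expands to three words, e.g. "install ok installed".
SAMPLE_PARTIAL='vlc 2.0.3-0ubuntu0.12.04.1 install ok installed
vlc-data 2.0.3-0ubuntu0.12.04.1 install ok installed
vlc-nox 2.0.3-0ubuntu0.12.04.1 install ok installed
libvlccore5 2.0.3-0ubuntu0.12.04.1 install ok installed
libvlc5 2.0.1-4 install ok installed'

SAMPLE_OK='vlc 2.0.3-0ubuntu0.12.04.1 install ok installed
vlc-data 2.0.3-0ubuntu0.12.04.1 install ok installed
libvlccore5 2.0.3-0ubuntu0.12.04.1 install ok installed
libvlc5 2.0.3-0ubuntu0.12.04.1 install ok installed
libvlc-dev 2.0.1-4 deinstall ok config-files'

# stale_packages LISTING EXPECTED_VERSION
# Prints "package version" for every *installed* package whose version
# differs from EXPECTED_VERSION. Removed packages that only left config
# files behind (status "deinstall ok config-files") are ignored.
stale_packages() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $3 == "install" && $5 == "installed" && $2 != want { print $1 " " $2 }'
}

# check_vlc_upgrade LISTING EXPECTED_VERSION
# Prints "ok" when all installed packages match, otherwise
# "stale: pkg ver[;pkg ver...]" so the caller can act on it.
check_vlc_upgrade() {
    stale=$(stale_packages "$1" "$2")
    if [ -z "$stale" ]; then
        echo ok
    else
        echo "stale: $(printf '%s\n' "$stale" | paste -s -d ';' -)"
    fi
}

# Against a live system, feed the real dpkg-query output instead:
#   check_vlc_upgrade "$(dpkg-query -W -f='${Package} ${Version} ${Status}\n' \
#       'vlc*' 'libvlc*')" 2.0.3-0ubuntu0.12.04.1
```

Run against the constructed partial listing this reports `stale: libvlc5 2.0.1-4`, which is exactly the package bdrung asked to be upgraded above; the `vlc --version` banner alone would not have revealed which package was left behind.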

Benjamin Drung (bdrung) wrote :

I have been using vlc 2.0.3-0ubuntu0.12.04.1 for nearly a week without noticing any regressions. No OMG Ubuntu! reader testing VLC [1] reported a regression.

[1] http://www.omgubuntu.co.uk/2012/07/latest-stable-vlc-heading-to-ubuntu-12-04-help-test-it-now

tags: added: verification-done
removed: verification-needed

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vlc - 2.0.3-0ubuntu0.12.04.1

---------------
vlc (2.0.3-0ubuntu0.12.04.1) precise-security; urgency=low

  * New bug-fixing upstream release (LP: #1025713).
  * SECURITY UPDATE: Heap-based buffer overflow in the Ogg_DecodePacket function
    in the OGG demuxer (modules/demux/ogg.c) in VideoLAN VLC media player before
    2.0.2 allows remote attackers to cause a denial of service (application
    crash) and possibly execute arbitrary code via a crafted OGG file.
    - CVE-2012-3377

vlc (2.0.2-2) unstable; urgency=low

  * Add missing epoch to libqt4-dev build dependency.
  * Drop libggi2-dev from build dependencies (not needed any more).
    (Closes: #680237)
  * The dependency ttf-freefont was renamed to fonts-freefont-ttf.

vlc (2.0.2-1) unstable; urgency=medium

  [ Edward Wang ]
  * New upstream release (Closes: #679625, #664279, LP: #689122, #936488,
    #942126, #971106, #972615, #973051, #987231, #995003, #998538).
    - Fix Ogg Heap buffer overflow. Thanks to Hugo Beauzée-Luyssen
  * Add the crystalhd plugin to the vlc distribution.
  * libcaca_plugin.so now depends on X11 in this release, so it must
    be installed under vlc (versus vlc-nox).

  [ Reinhard Tartler ]
  * Urgency set to medium because a security issue is fixed in this release

  [ Benjamin Drung ]
  * Add new plugins to vlc-nox:
    - crystalhd (Linux amd64 and i386 only)
    - directfb
    - fbosd (Linux only)
    - omxil (Linux only)
  * Add build dependencies for new plugins.
  * Add new symbols to libvlccore5.
  * Switch to debhelper 8.
 -- Benjamin Drung <email address hidden> Tue, 24 Jul 2012 00:44:39 +0200

Changed in vlc (Ubuntu Precise):
status: Fix Committed → Fix Released
This report contains Public Security information.