Denial of service via crafted PNG file

Bug #1084054 reported by Marc Deslauriers on 2012-11-28
284
This bug affects 3 people
Affects Status Importance Assigned to Milestone
vlc (Ubuntu)
Undecided
Unassigned
Lucid
Undecided
Unassigned
Oneiric
Undecided
Unassigned
Precise
Undecided
Unassigned
Quantal
Undecided
Unassigned
Raring
Undecided
Unassigned

Bug Description

CVE References

Changed in vlc (Ubuntu Raring):
status: New → Fix Released
Changed in vlc (Ubuntu Lucid):
status: New → Confirmed
Changed in vlc (Ubuntu Precise):
status: New → Confirmed
Changed in vlc (Ubuntu Quantal):
status: New → Confirmed
Changed in vlc (Ubuntu Oneiric):
status: New → Confirmed
Benjamin Drung (bdrung) wrote :

This bug is fixed by upstream in release 2.0.4. Therefore Ubuntu 12.10 is not affected.

Changed in vlc (Ubuntu Quantal):
status: Confirmed → Fix Released
summary: - Denial of service via crafter PNG file
+ Denial of service via crafted PNG file

Hello Marc, or anyone else affected,

Accepted vlc into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/vlc/2.0.4-0ubuntu0.12.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in vlc (Ubuntu Precise):
status: Confirmed → Fix Committed
tags: added: verification-needed
Rémi Denis-Courmont (rdenis) wrote :

Is this a proposal to backport VLC 2.0.4 in LTS? PulseAudio support in VLC 2.0.4 is BROKEN. Please do not do that.

If you want VLC 2.0.4 there, you really really really should add the following patches (from vlc-2.0.git):

PulseAudio fixes:
http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=0554a01551ae49613062c2d96701d277000e4109
http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=9701837bb454c682ba5697e665d79d6e51ae305d

Security fixes:
http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=f1bd800ee42c8e64f8ba75366f0c20e0d3876ac3
http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=74ff87cc141bc1b88a38ee90f95b3d935c938a56
http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=8e8b02ff1720eb46dabe2864e79d47b40a2792d5
(depends on http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=e5075a80e1000eca63076c8a657262feb2579e02 )

Arguably, you should just take the tip of vlc-2.0.git or convince upstream to ship a version 2.0.5...

Benjamin Drung (bdrung) wrote :

Yes, it's the plan to get 2.0.4 into Ubuntu 12.04.

Due to your intervention, I think poking upstream to release 2.0.5 (and getting this into precise) is the best solution.

Adam Conrad (adconrad) wrote :

Based on the above comments, I've removed this SRU from -proposed.

Changed in vlc (Ubuntu Precise):
status: Fix Committed → Confirmed
Benjamin Drung (bdrung) wrote :

I have prepared 2.0.5 (which includes the additional security fix for VideoLAN-SA-1301) for precise-security and quantal-security. You can get the source tarballs via:

git clone -b precise git://git.debian.org/git/pkg-multimedia/vlc.git
cd vlc
uscan --force
git-buildpackage -S

The quantal package can be retrieved by checking out the quantal branch instead of the precise branch.

Benjamin Drung (bdrung) wrote :

Please let me know if you want the source tarball in a different way (the debdiff is too big for being useful). Here's the link to the fixed additional security issue: http://www.videolan.org/security/sa1301.html

Seth Arnold (seth-arnold) wrote :

Benjamin, thanks for working on this issue.

However, the security-sponsors process is intended to get security fixes into the stable releases; upgrading vlc in its entirety from 2.0.3 or 2.0.4 to 2.0.5, with all the other unrelated changes that are included, would be better handled through the SRU process: https://wiki.ubuntu.com/StableReleaseUpdates

If you do not wish to do the SRU, you could prepare a smaller patch that addresses only specific security issues. This could result in a debdiff of reasonable size, one that facilities review of the changes.

I have unsubscribed ubuntu-security-sponsors; please re-subscribe ubuntu-security-sponsors once a debdiff is available for review.

Thank you

Changed in vlc (Ubuntu Precise):
status: Confirmed → Fix Committed
Seth Arnold (seth-arnold) wrote :

Benjamin, thanks for alerting me to the provisional microrelease exception (mre) for vlc: https://wiki.ubuntu.com/StableReleaseUpdates/MicroReleaseExceptions

I have submitted two new packages for building in -security, for 12.04 LTS and 12.10, that include the new upstream tarball and your debian/changelog entries.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vlc - 2.0.5-0ubuntu0.12.04.1

---------------
vlc (2.0.5-0ubuntu0.12.04.1) precise-security; urgency=low

  * New bug-fixing upstream release.
    - Fix hang caused by the notify plugin. (Closes: #662628, LP: #970447)
    - Fix crashes (LP: #947156, #958462, #960020, #979490, #1033682)
    - Correct default encoding for Hebrew subtitles (LP: #1051552)
  * SECURITY UPDATE: denial of service via crafted PNG file (LP: #1084054)
    - CVE-2012-5470
  * SECURITY UPDATE: Buffer overflows in freetype renderer and HTML subtitle
    parser can cause a denial of service (process termination) and possibly
    execute arbitrary code.
    - VideoLAN-SA-1301
 -- Benjamin Drung <email address hidden> Sat, 05 Jan 2013 14:47:33 +0100

Changed in vlc (Ubuntu Precise):
status: Fix Committed → Fix Released
Benjamin Drung (bdrung) wrote :

Thanks.

Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) for this package and is no longer supported. As
a result, this bug against oneiric is being marked "Won't Fix".
Please see https://wiki.ubuntu.com/Releases for currently
supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in vlc (Ubuntu Oneiric):
status: Confirmed → Won't Fix
Changed in vlc (Ubuntu Lucid):
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers