vlc in Hardy needs a security update

Bug #238873 reported by Bryan Fullerton
Affects         Status         Importance   Assigned to     Milestone
vlc (Ubuntu)    Fix Released   High         William Grant
  Dapper        Invalid        Undecided    Unassigned
  Feisty        Won't Fix      Undecided    Unassigned
  Gutsy         Won't Fix      Undecided    Unassigned
  Hardy         Fix Released   High         William Grant
  Intrepid      Fix Released   High         William Grant

Bug Description

Binary package hint: vlc

Please upgrade vlc and related packages to 0.8.6h (or whatever is current when you get to this) as there are numerous security issues fixed since 0.8.6e that ships with Hardy.

http://wiki.videolan.org/Changelog/0.8.6f
http://wiki.videolan.org/Changelog/0.8.6g
http://wiki.videolan.org/Changelog/0.8.6h

http://isc.sans.org/diary.html?storyid=4549

Thanks,
Bryan

Changed in vlc:
importance: Undecided → Medium
status: New → Confirmed
Revision history for this message
Andrew Starr-Bochicchio (andrewsomething) wrote :

Changes between 0.8.6f and 0.8.6g
Security updates

    * Removed VLC variable settings from Mozilla and ActiveX (CVE-2007-6683, VideoLAN-SA-0804)
    * Removed loading plugins from the current directory (CVE-2008-2147, VideoLAN-SA-0805)
    * Updated libpng on Windows and Mac OS X (CVE-2008-1382)
    * Fixed libid3tag denial of service (CVE-2008-2109)
    * Fixed libvorbis vulnerabilities (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423)
    * Fixed speex insufficient boundary check (CVE-2008-1686, oCERT-2008-004)

Revision history for this message
William Grant (wgrant) wrote :

0.8.6f itself fixes CVE-2007-6681 (properly), CVE-2008-0073, CVE-2008-1489 and CVE-2008-1769.

The Speex issue (CVE-2008-1686) is part of bug #218652, but I'll handle it here.

VLC is so secure.

Revision history for this message
fyo (fyo) wrote :

Considering the security vulnerabilities, this should really be marked high or above.

Even from a general usability standpoint, "e" is one of the worst VLC versions in recent memory. Numerous bugs related to AAC, mjpeg and pretty much everything else. Loads of people report sound stuttering while working fine in totem player and mplayer.

I really, really hope "f" makes it into Hardy, especially considering the LTS nature of it...

Revision history for this message
William Grant (wgrant) wrote :

Indeed, the status should be high. I'm not sure why it wasn't before.

Changed in vlc:
importance: Medium → High
status: Confirmed → Triaged
importance: Undecided → High
status: New → Triaged
Revision history for this message
William Grant (wgrant) wrote :

Now to find changesets for all of them:

 - CVE-2007-6681: 338264a2e56e3f780957817665b7ec8fa41dd6ff
 - CVE-2007-6683: b426b192c7712eaa08c5f55d08ef648226d6d421
 - CVE-2008-0073: 8c838a6fe5f3bdb4af4f5f73d7ac0206ea92e029
 - CVE-2008-1489: 09572892df7e72c0d4e598c0b5e076cf330d8b0a
 - CVE-2008-1686: c1c81073e661f7d80197711ab11753e1e170b44c
 - CVE-2008-1769: cf489d7bff3c1b36b2d5501ecf21129c78104d98
 - CVE-2008-1881: 94baded6eff88e39c98b6e3572826f16f21ceec3
 - CVE-2008-2147: c7cef4fdd8dd72ce0a45be3cda8ba98df5e83181

CVE-2008-1881 is the fixed fix for CVE-2007-6681.

All of the CVEs I've removed from this bug are bugs in libraries with which our vlc is dynamically linked.

William Grant (wgrant)
Changed in vlc:
assignee: nobody → wgrant
status: Triaged → In Progress
Revision history for this message
William Grant (wgrant) wrote :

Also, one more:
 - CVE-2008-1768: 3a6282755277ba9321d405c635e50da935d258a6, edca13e259472872fdfd456cf3ef4a21d1262c11, 783ab03c7bd8ddedcd3dc5bad18efc70a4c57aaa, 18eb4fd5a75b6429d1d7058a8967696be701a00b

William Grant (wgrant)
Changed in vlc:
assignee: nobody → wgrant
status: Triaged → In Progress
Revision history for this message
Reinhard Tartler (siretart) wrote : Re: [Bug 238873] Re: vlc in Hardy needs a security update

William Grant <email address hidden> writes:

> ** Changed in: vlc (Ubuntu Intrepid)
> Assignee: (unassigned) => William Grant (wgrant)
> Status: Triaged => In Progress

FYI, I uploaded a new vlc to unstable today. You might want to merge
that package instead of doing the work independently.

--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

Revision history for this message
Brett Alton (brett-alton-deactivatedaccount) wrote :

Hold the phone, VLC just released 0.8.6i, stating that 0.8.6h and below have a security vulnerability: http://www.videolan.org/security/sa0806.html

Revision history for this message
William Grant (wgrant) wrote :

That'd be:
 - CVE-2008-2430: 3de60bf5b886ad81d7c05d68dff7a1ba461c0ac1

Already fixed in Debian, which I'm merging from, so will be in Intrepid in a couple of minutes.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vlc - 0.8.6.release.h-1ubuntu1

---------------
vlc (0.8.6.release.h-1ubuntu1) intrepid; urgency=low

  * Merge from Debian unstable. (LP: #238873, #243450, #245563)
    Remaining changes:
    - Add PulseAudio support.
    - Enable (and build-depend on) x264 support.
    - Add Xb-Npp-.* fields to mozilla-plugin-vlc, for the Firefox plugin
      finder service.
    - Clean up debian/vlc.desktop.
    - Make vlc recommend vlc-plugin-pulse.
    - Install link to plugin in xulrunner 1.9 plugin directory.
    - Build against xul rather than iceape.
    - Rename the upstream tarball to match old Ubuntu convention.
    - Modify Maintainer value to match the DebianMaintainerField
      specification.

 -- William Grant <email address hidden> Sun, 06 Jul 2008 21:53:26 +1000

Changed in vlc:
status: In Progress → Fix Released
Revision history for this message
William Grant (wgrant) wrote :

The right Hardy fix this time.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks for your debdiff William! I'm processing it now.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vlc - 0.8.6.release.e+x264svn20071224+faad2.6.1-0ubuntu3.1

---------------
vlc (0.8.6.release.e+x264svn20071224+faad2.6.1-0ubuntu3.1) hardy-security; urgency=low

  * SECURITY UPDATE: multiple denials of service, arbitrary code execution and
    arbitrary file overwriting vulnerabilities. (LP: #238873)
    - debian/patches/032_CVE-2007-6683.diff: Assume unsafe Mozilla variable
      settings. Fixes file overwriting. Patch from upstream git.
    - debian/patches/033_CVE-2008-0073.diff: Check that the RTSP stream ID
      isn't too large. Fixes arbitrary code execution. Patch from upstream git.
    - debian/patches/034_CVE-2008-1686.diff: Check that the Speex header mode
      is positive. Fixes arbitrary code execution. Patch from upstream git.
    - debian/patches/038_CVE-2008-1768.diff: Fix a buffer overflow in the MP4
      decoder, and an integer overflow in both the Cinepak and Real decoders.
      Patches from upstream git.
    - debian/patches/035_CVE-2008-1769.diff: Perform an appropriate boundary
      check on frames in Cinepak streams. Fixes denial of service. Patch from
      upstream git.
    - debian/patches/036_CVE-2008-1881.diff: Fix subtitle format strings.
      Properly fixes CVE-2007-6681, an arbitrary code execution vulnerability.
      Patch from upstream git.
    - debian/patches/037_CVE-2008-2147.diff: Only search for plugins in the
      normal path. Fixes arbitrary code execution. Patch from upstream git.
    - debian/patches/038_CVE-2008-2430.diff: Fix integer overflow in the WAV
      demuxer. Fixes arbitrary code execution. Patch from upstream git.
    - References:
      + CVE-2007-6681
      + CVE-2007-6683
      + CVE-2008-0073
      + CVE-2008-1686
      + CVE-2008-1768
      + CVE-2008-1769
      + CVE-2008-1881
      + CVE-2008-2147
      + CVE-2008-2430

 -- William Grant <email address hidden> Sun, 13 Jul 2008 10:45:55 +1000

Changed in vlc:
status: In Progress → Fix Released
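The changelog above names the bug classes it fixes (an integer overflow in the WAV demuxer, an RTSP stream ID that is "too large", a Speex header mode that must be positive) without showing any code. The C example below is added here and is not VLC's code or the upstream patch; it illustrates the WAV-style case in general terms on a constructed 16-byte RIFF-like chunk. The vulnerable length check adds the 8-byte header to an untrusted 32-bit size, which can wrap; the hardened check compares the untrusted size against the trusted buffer length minus the header instead. All function and buffer names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample (example data, not a real file): one RIFF-style chunk
 * of 16 bytes: 4-byte id "data", 4-byte little-endian declared size,
 * then 8 bytes of 0xAA payload. */
#define SAMPLE_LEN 16

static void make_chunk(uint8_t out[SAMPLE_LEN], uint32_t declared_size)
{
    memcpy(out, "data", 4);
    out[4] = (uint8_t)(declared_size & 0xff);
    out[5] = (uint8_t)((declared_size >> 8) & 0xff);
    out[6] = (uint8_t)((declared_size >> 16) & 0xff);
    out[7] = (uint8_t)((declared_size >> 24) & 0xff);
    memset(out + 8, 0xAA, SAMPLE_LEN - 8);
}

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the bounds check adds the 8-byte header to the
 * untrusted size in 32-bit arithmetic. Unsigned addition wraps (this is
 * well-defined in C, so the failure is deterministic): a size near
 * UINT32_MAX makes 'total' tiny, the check passes, and the caller goes on
 * to read 'size' bytes from an 8-byte payload. Returns the payload length
 * the caller would consume, or 0 when the chunk is rejected. */
static uint32_t payload_len_unsafe(const uint8_t *buf, size_t buflen)
{
    if (buflen < 8)
        return 0;
    uint32_t size  = rd32le(buf + 4);
    uint32_t total = size + 8;            /* wraps for size >= 0xFFFFFFF8 */
    if (total > buflen)                   /* passes when 'total' wrapped */
        return 0;
    return size;
}

/* Hardened pattern: never add to the untrusted value. Subtract the header
 * from the known-good buffer length (buflen >= 8 here, so no underflow)
 * and reject anything larger; no wrap is possible. */
static uint32_t payload_len_safe(const uint8_t *buf, size_t buflen)
{
    if (buflen < 8)
        return 0;
    uint32_t size = rd32le(buf + 4);
    if (size > buflen - 8)
        return 0;
    return size;
}

/* Copy the chunk payload into 'out' using the hardened length. Returns the
 * number of bytes copied, or 0 if the chunk was rejected or 'out' is too
 * small. */
static size_t copy_payload(const uint8_t *buf, size_t buflen,
                           uint8_t *out, size_t outlen)
{
    uint32_t n = payload_len_safe(buf, buflen);
    if (n == 0 || n > outlen)
        return 0;
    memcpy(out, buf + 8, n);
    return n;
}

int main(void)
{
    uint8_t chunk[SAMPLE_LEN], out[SAMPLE_LEN];

    make_chunk(chunk, 8u);                 /* honest header */
    printf("size=8          unsafe=%u safe=%u\n",
           payload_len_unsafe(chunk, SAMPLE_LEN),
           payload_len_safe(chunk, SAMPLE_LEN));

    make_chunk(chunk, 0xFFFFFFFCu);        /* crafted header: 0xFFFFFFFC + 8 wraps to 0 */
    printf("size=0xFFFFFFFC unsafe=%u safe=%u copied=%zu\n",
           payload_len_unsafe(chunk, SAMPLE_LEN),
           payload_len_safe(chunk, SAMPLE_LEN),
           copy_payload(chunk, SAMPLE_LEN, out, sizeof out));
    return 0;
}
```

The same shape applies to the other entries in the changelog: an untrusted value read from the stream (a stream ID, a header mode) must be compared against a bound derived from trusted state before it is used as a length, an index, or an operand, and the comparison itself must not be able to overflow or go negative.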
Revision history for this message
Hew (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so an SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in vlc:
status: New → Won't Fix
Revision history for this message
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in vlc (Ubuntu Gutsy):
status: New → Won't Fix
Revision history for this message
Saivann Carignan (oxmosys) wrote :

Dapper has not been supported since July 2009, therefore I am marking the Dapper status as Invalid.

Changed in vlc (Ubuntu Dapper):
status: New → Invalid