vlc in Hardy needs a security update

Bug #238873 reported by Bryan Fullerton on 2008-06-10
278
Affects Status Importance Assigned to Milestone
vlc (Ubuntu)
High
William Grant
Dapper
Undecided
Unassigned
Feisty
Undecided
Unassigned
Gutsy
Undecided
Unassigned
Hardy
High
William Grant
Intrepid
High
William Grant

Bug Description

Binary package hint: vlc

Please upgrade vlc and related packages to 0.8.6h (or whatever is current when you get to this) as there are numerous security issues fixed since 0.8.6e that ships with Hardy.

http://wiki.videolan.org/Changelog/0.8.6f
http://wiki.videolan.org/Changelog/0.8.6g
http://wiki.videolan.org/Changelog/0.8.6h

http://isc.sans.org/diary.html?storyid=4549

Thanks,
Bryan

Changed in vlc:
importance: Undecided → Medium
status: New → Confirmed

Changes between 0.8.6f and 0.8.6g
Security updates

    * Removed VLC variable settings from Mozilla and ActiveX (CVE-2007-6683, VideoLAN-SA-0804)
    * Removed loading plugins from the current directory (CVE-2008-2147, VideoLAN-SA-0805)
    * Updated libpng on Windows and Mac OS X (CVE-2008-1382)
    * Fixed libid3tag denial of service (CVE-2008-2109)
    * Fixed libvorbis vulnerabilities (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423)
    * Fixed speex insufficient boundary check (CVE-2008-1686, oCERT-2008-004)

William Grant (wgrant) wrote :

0.8.6f itself fixes CVE-2007-6681 (properly), CVE-2008-0073, CVE-2008-1489 and CVE-2008-1769.

The Speex issue (CVE-2008-1686) is part of bug #218652, but I'll handle it here.

VLC is so secure.

fyo (fyo) wrote :

Considering the security vulnerabilities, this should really be marked high or above.

Even from a general usability standpoint, "e" is one of the worst VLC versions in recent memory. Numerous bugs related to AAC, mjpeg and pretty much everything else. Loads of people report sound stuttering while working fine in totem player and mplayer.

I really, really hope "f" makes it into Hardy, especially considering the LTS nature of it...

William Grant (wgrant) wrote :

Indeed, the status should be high. I'm not sure why it wasn't before.

Changed in vlc:
importance: Medium → High
status: Confirmed → Triaged
importance: Undecided → High
status: New → Triaged
William Grant (wgrant) wrote :

Now to find changesets for all of them:

 - CVE-2007-6681: 338264a2e56e3f780957817665b7ec8fa41dd6ff
 - CVE-2007-6683: b426b192c7712eaa08c5f55d08ef648226d6d421
 - CVE-2008-0073: 8c838a6fe5f3bdb4af4f5f73d7ac0206ea92e029
 - CVE-2008-1489: 09572892df7e72c0d4e598c0b5e076cf330d8b0a
 - CVE-2008-1686: c1c81073e661f7d80197711ab11753e1e170b44c
 - CVE-2008-1769: cf489d7bff3c1b36b2d5501ecf21129c78104d98
 - CVE-2008-1881: 94baded6eff88e39c98b6e3572826f16f21ceec3
 - CVE-2008-2147: c7cef4fdd8dd72ce0a45be3cda8ba98df5e83181

CVE-2008-1881 is the fixed fix for CVE-2007-6681.

All of the CVEs I've removed from this bug are bugs in libraries with which our vlc is dynamically linked.

William Grant (wgrant) on 2008-06-24
Changed in vlc:
assignee: nobody → wgrant
status: Triaged → In Progress
William Grant (wgrant) wrote :

Also, one more:
 - CVE-2008-1768: 3a6282755277ba9321d405c635e50da935d258a6, edca13e259472872fdfd456cf3ef4a21d1262c11, 783ab03c7bd8ddedcd3dc5bad18efc70a4c57aaa, 18eb4fd5a75b6429d1d7058a8967696be701a00b

William Grant (wgrant) wrote :
William Grant (wgrant) on 2008-07-06
Changed in vlc:
assignee: nobody → wgrant
status: Triaged → In Progress

William Grant <email address hidden> writes:

> ** Changed in: vlc (Ubuntu Intrepid)
> Assignee: (unassigned) => William Grant (wgrant)
> Status: Triaged => In Progress

FYI, I uploaded a new vlc to unstable today. You might want to merge
that package instead of doing the work independently.

--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4

Hold the phone, VLC just release 0.8.6i stating that 0.8.6h and below have a security vulnerability: http://www.videolan.org/security/sa0806.html

William Grant (wgrant) wrote :

That'd be:
 - CVE-2008-2430: 3de60bf5b886ad81d7c05d68dff7a1ba461c0ac1

Already fixed in Debian, which I'm merging from, so will be in Intrepid in a couple of minutes.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vlc - 0.8.6.release.h-1ubuntu1

---------------
vlc (0.8.6.release.h-1ubuntu1) intrepid; urgency=low

  * Merge from Debian unstable. (LP: #238873, #243450, #245563)
    Remaining changes:
    - Add PulseAudio support.
    - Enable (and build-depend on) x264 support.
    - Add Xb-Npp-.* fields to mozilla-plugin-vlc, for the Firefox plugin
      finder service.
    - Clean up debian/vlc.desktop.
    - Make vlc recommend vlc-plugin-pulse.
    - Install link to plugin in xulrunner 1.9 plugin directory.
    - Build against xul rather then iceape.
    - Rename the upstream tarball to match old Ubuntu convention.
    - Modify Maintainer value to match the DebianMaintainerField
      specification.

 -- William Grant <email address hidden> Sun, 06 Jul 2008 21:53:26 +1000

Changed in vlc:
status: In Progress → Fix Released
William Grant (wgrant) wrote :

The right Hardy fix this time.

Jamie Strandboge (jdstrand) wrote :

Thanks for your debdiff William! I'm processing it now.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vlc - 0.8.6.release.e+x264svn20071224+faad2.6.1-0ubuntu3.1

---------------
vlc (0.8.6.release.e+x264svn20071224+faad2.6.1-0ubuntu3.1) hardy-security; urgency=low

  * SECURITY UPDATE: multiple denials of service, arbitrary code execution and
    arbitrary file overwriting vulnerabilities. (LP: #238873)
    - debian/patches/032_CVE-2007-6683.diff: Assume unsafe Mozilla variable
      settings. Fixes file overwriting. Patch from upstream git.
    - debian/patches/033_CVE-2008-0073.diff: Check that the RTSP stream ID
      isn't too large. Fixes arbitrary code execution. Patch from upstream git.
    - debian/patches/034_CVE-2008-1686.diff: Check that the Speex header mode
      is positive. Fixes arbitrary code execution. Patch from upstream git.
    - debian/patches/038_CVE-2008-1768.diff: Fix a buffer overflow in the MP4
      decoder, and an integer overflow in both the Cinepak and Real decoders.
      Patches from upstream git.
    - debian/patches/035_CVE-2008-1769.diff: Perform an appropriate boundary
      check on frames in Cinepak streams. Fixes denial of service. Patch from
      upstream git.
    - debian/patches/036_CVE-2008-1881.diff: Fix subtitle format strings.
      Properly fixes CVE-2007-6681, an arbitrary code execution vulnerability.
      Patch from upstream git.
    - debian/patches/037_CVE-2008-2147.diff: Only search for plugins in the
      normal path. Fixes arbitrary code execution. Patch from upstream git.
    - debian/patches/038_CVE-2008-2430.diff: Fix integer overflow in the WAV
      demuxer. Fixes arbitrary code execution. Path from upstream git.
    - References:
      + CVE-2007-6681
      + CVE-2007-6683
      + CVE-2008-0073
      + CVE-2008-1686
      + CVE-2008-1768
      + CVE-2008-1769
      + CVE-2008-1881
      + CVE-2008-2147
      + CVE-2008-2430

 -- William Grant <email address hidden> Sun, 13 Jul 2008 10:45:55 +1000

Changed in vlc:
status: In Progress → Fix Released
Hew (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in vlc:
status: New → Won't Fix
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in vlc (Ubuntu Gutsy):
status: New → Won't Fix
Saivann Carignan (oxmosys) wrote :

Dapper is not supported anymore since July 2009, therefore I mark Dapper status to invalid.

Changed in vlc (Ubuntu Dapper):
status: New → Invalid
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers