vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

Bug #122207 reported by William Grant
Affects             Status         Importance   Assigned to   Milestone
VLC media player    Fix Released   Undecided    Unassigned
vlc (Debian)        Fix Released   Unknown
vlc (Ubuntu)        Fix Released   High         Unassigned
  Dapper            Invalid        High         Unassigned
  Edgy              Won't Fix      High         Unassigned
  Feisty            Won't Fix      High         Unassigned
  Gutsy             Fix Released   High         Unassigned

Bug Description

Binary package hint: vlc

vlc in dapper, edgy, feisty and gutsy contains the flaws specified in CVE-2007-3316. The usual arbitrary code execution or DoS by a remote attacker. See http://www.videolan.org/sa0702.html for details.

William Grant (wgrant)
Changed in vlc:
importance: Undecided → High
status: New → Confirmed
importance: Undecided → High
status: New → Confirmed
importance: Undecided → High
status: New → Confirmed
importance: Undecided → High
status: New → Confirmed
Revision history for this message
Matti Lindell (mlind) wrote :

fixed in gutsy

vlc (0.8.6.release.c-0ubuntu1) gutsy; urgency=low

  * SECURITY UPDATE: Format string injection in multiple plugins could
    lead to arbitrary code execution and/or DoS.
  * New upstream security and bugfix release, 0.8.6c (LP: #121511).
  * References
    CVE-2007-0256
    CVE-2007-3316
  * debian/patches/: Remove 020_flac.diff and 030_CVE-2007-0017.diff
    (subsumed by new upstream release).
  * debian/vlc-nox.install: Add libtelx_plugin.so (fixes FTBFS).

 -- Daniel T Chen <email address hidden> Mon, 25 Jun 2007 01:53:37 -0400

Changed in vlc:
status: Confirmed → Fix Released
Revision history for this message
disabled.user (disabled.user-deactivatedaccount) wrote :

Updated packages for Debian Oldstable (Sarge), Stable (Etch) and Unstable (Sid) have been announced on Debian's security mailing list and are already available. The corresponding Debian Security Advisory should soon be available at

http://www.debian.org/security/2007/dsa-1332

(link provides 404 at the time of this writing)

Please provide fixed packages for the stable Ubuntu releases as soon as possible.

Revision history for this message
disabled.user (disabled.user-deactivatedaccount) wrote :

Seems like the fixed packages for dapper got released; I got them yesterday evening via dapper-security.

Curiously, /usr/share/doc/vlc/changelog.Debian.gz doesn't refer to or even mention this bug report or its CVE references, so I'm wondering what got fixed in the new packages...?

Revision history for this message
Kees Cook (kees) wrote :

The vlc dapper released a few days ago (0.8.4.debian-1ubuntu6.1) was actually an old fix (bug 78610) that had gotten stuck in the security build queue. If you're interested in creating debdiffs and testing fixes for the issues in this report, I'd be happy to apply them and get them uploaded. Thanks!

Revision history for this message
disabled.user (disabled.user-deactivatedaccount) wrote :

I'm sorry, but I fear deb-packaging is beyond my scope (just not to say "abilities"...) for the time being :-(
So I'll stick to reporting bugs as they come to my knowledge for now.

William Grant (wgrant)
Changed in vlc:
status: New → Fix Released
Revision history for this message
William Grant (wgrant) wrote :

I'm working on patches for Dapper, Edgy and Feisty, but it's taking a bit of digging, because vlc upstream doesn't actually bother to publish patches. Thanks vlc upstream.
Here's a Debian bug link for -0256, because LP doesn't like having multiple Debian tasks. Thanks LP.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=407290

Revision history for this message
William Grant (wgrant) wrote :

The documentation on these vulnerabilities is *absolutely shocking*, so I'm attaching the bits here as I find them.

Revision history for this message
William Grant (wgrant) wrote :

-3468 is fixed in upstream commit 20445.

Revision history for this message
William Grant (wgrant) wrote :

-0256 was backported in commit 18587.

Changed in vlc:
status: Unknown → Fix Released
Revision history for this message
William Grant (wgrant) wrote :

http://trac.videolan.org/vlc/changeset/20443 looks like it probably fixes CVE-2007-3467, but I'm really not sure. It is related, within a day of the notification, and I can't see anything else that might have fixed it.

Revision history for this message
disabled.user (disabled.user-deactivatedaccount) wrote :

I'm wondering if it wouldn't be better to just backport the current VLC to the stable releases' backports repositories if it's not possible to publish security updates in time. Better to have a "leap" in versions than to leave users behind with vulnerable software. But then there would have to be some kind of announcement that backports not only contain newer versions of software, but also security-related updates.

Revision history for this message
disabled.user (disabled.user-deactivatedaccount) wrote :

I've subscribed Emanuele Gentili to this bug. Since he's provided updated packages for VLC just some time ago (see Bug #195949), it would be great if he could take a look at this one.

Revision history for this message
Saivann Carignan (oxmosys) wrote :

New vulnerabilities classified as moderately critical by Secunia in VLC were discovered and fixed in 0.8.6h: http://secunia.com/advisories/30560/ . All VLC versions prior to 0.8.6h are subject to this vulnerability. Perhaps the Ubuntu security team should change the bug title and consider 0.8.6h for all Ubuntu releases.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Closing Edgy as it is end-of-lifed.

Changed in vlc:
status: Confirmed → Won't Fix
Revision history for this message
LumpyCustard (orangelumpycustard) wrote :

Feisty also needs to close, but I can't close it as 'Won't Fix'; could someone please do this?

Changed in vlc:
status: Confirmed → Won't Fix
Revision history for this message
Tiberiu Cristea (zugu) wrote :

Are you serious? This bug has been present in Dapper for such a long time, yet nobody cares to fix it. How can you call your LTS releases 'enterprise-ready' when these kinds of monstrous vulnerabilities are left unpatched for years?

Revision history for this message
Stephan Rügamer (sruegamer) wrote :

@Tiberiu:

VLC is in multiverse/universe pocket...therefore it's not supported by package definition of Canonical....

Only main and restricted are supported...everything else is community effort...which is demandable.

Feel free to provide debdiffs for the dapper package...we are happy to review them...

Kind regards,

\sh

Revision history for this message
Saivann Carignan (oxmosys) wrote :

Dapper is not supported anymore since July 2009, therefore I mark the Dapper status as Invalid.

Changed in vlc (Ubuntu Dapper):
status: Confirmed → Invalid
Revision history for this message
Artur Rona (ari-tczew) wrote :

Dapper server support is until June 2011, so it can be fixed.

Changed in vlc (Ubuntu Dapper):
status: Invalid → New
Artur Rona (ari-tczew)
Changed in vlc (Ubuntu Dapper):
status: New → Invalid