Denial of service via crafted PNG file

This bug is fixed by upstream in release 2.0.4. Therefore Ubuntu 12.10 is not affected.

Hello Marc, or anyone else affected,

Accepted vlc into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/vlc/2.0.4-0ubuntu0.12.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Is this a proposal to backport VLC 2.0.4 in LTS? PulseAudio support in VLC 2.0.4 is BROKEN. Please do not do that.

If you want VLC 2.0.4 there, you really really really should add the following patches (from vlc-2.0.git):

PulseAudio fixes:
http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=0554a01551ae49613062c2d96701d277000e4109
http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=9701837bb454c682ba5697e665d79d6e51ae305d

Security fixes:
http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=f1bd800ee42c8e64f8ba75366f0c20e0d3876ac3
http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=74ff87cc141bc1b88a38ee90f95b3d935c938a56
http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=8e8b02ff1720eb46dabe2864e79d47b40a2792d5
(depends on http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=e5075a80e1000eca63076c8a657262feb2579e02 )

Arguably, you should just take the tip of vlc-2.0.git or convince upstream to ship a version 2.0.5...

Yes, it's the plan to get 2.0.4 into Ubuntu 12.04.

Due to your intervention, I think poking upstream to release 2.0.5 (and getting this into precise) is the best solution.

Based on the above comments, I've removed this SRU from -proposed.

I have prepared 2.0.5 (which includes the additional security fix for VideoLAN-SA-1301) for precise-security and quantal-security. You can get the source tarballs via:

git clone -b precise git://git.debian.org/git/pkg-multimedia/vlc.git
cd vlc
uscan --force
git-buildpackage -S

The quantal package can be retrieved by checking out the quantal branch instead of the precise branch.

Please let me know if you want the source tarball in a different way (the debdiff is too big for being useful). Here's the link to the fixed additional security issue: http://www.videolan.org/security/sa1301.html

Benjamin, thanks for working on this issue.

However, the security-sponsors process is intended to get security fixes into the stable releases; upgrading vlc in its entirety from 2.0.3 or 2.0.4 to 2.0.5, with all the other unrelated changes that are included, would be better handled through the SRU process: https://wiki.ubuntu.com/StableReleaseUpdates

If you do not wish to do the SRU, you could prepare a smaller patch that addresses only specific security issues. This could result in a debdiff of reasonable size, one that facilities review of the changes.

I have unsubscribed ubuntu-security-sponsors; please re-subscribe ubuntu-security-sponsors once a debdiff is available for review.

Thank you

Benjamin, thanks for alerting me to the provisional microrelease exception (mre) for vlc: https://wiki.ubuntu.com/StableReleaseUpdates/MicroReleaseExceptions

I have submitted two new packages for building in -security, for 12.04 LTS and 12.10, that include the new upstream tarball and your debian/changelog entries.

This bug was fixed in the package vlc - 2.0.5-0ubuntu0.12.04.1

---------------
vlc (2.0.5-0ubuntu0.12.04.1) precise-security; urgency=low

  * New bug-fixing upstream release.
    - Fix hang caused by the notify plugin. (Closes: #662628, LP: #970447)
    - Fix crashes (LP: #947156, #958462, #960020, #979490, #1033682)
    - Correct default encoding for Hebrew subtitles (LP: #1051552)
  * SECURITY UPDATE: denial of service via crafted PNG file (LP: #1084054)
    - CVE-2012-5470
  * SECURITY UPDATE: Buffer overflows in freetype renderer and HTML subtitle
    parser can cause a denial of service (process termination) and possibly
    execute arbitrary code.
    - VideoLAN-SA-1301
 -- Benjamin Drung <email address hidden> Sat, 05 Jan 2013 14:47:33 +0100

Thanks.

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) for this package and is no longer supported. As
a result, this bug against oneiric is being marked "Won't Fix".
Please see https://wiki.ubuntu.com/Releases for currently
supported Ubuntu releases.

Please feel free to report any other bugs you may find.