vlc: CVE-2019-13602


Debian Bug report logs - #932131


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 15 Jul 2019 17:15:01 UTC

Severity: important

Tags: security, upstream

Found in versions vlc/3.0.7.1-1, vlc/3.0.7-0+deb9u1, vlc/3.0.7-1

Fixed in version vlc/3.0.7.1-2

Done: Sebastian Ramacher <sramacher@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#932131; Package src:vlc. (Mon, 15 Jul 2019 17:15:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Mon, 15 Jul 2019 17:15:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: vlc: CVE-2019-13602
Date: Mon, 15 Jul 2019 19:12:34 +0200
Source: vlc
Version: 3.0.7.1-1
Severity: important
Tags: security upstream
Control: found -1 3.0.7-1
Control: found -1 3.0.7-0+deb9u1

Hi,

The following vulnerability was published for vlc.

CVE-2019-13602[0]:
| An Integer Underflow in MP4_EIA608_Convert() in
| modules/demux/mp4/mp4.c in VideoLAN VLC media player through 3.0.7.1
| allows remote attackers to cause a denial of service (heap-based
| buffer overflow and crash) or possibly have unspecified other impact
| via a crafted .mp4 file.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13602
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13602

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions vlc/3.0.7-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 15 Jul 2019 17:15:05 GMT)


Marked as found in versions vlc/3.0.7-0+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Mon, 15 Jul 2019 17:15:05 GMT)


Reply sent to Sebastian Ramacher <sramacher@debian.org>:
You have taken responsibility. (Mon, 15 Jul 2019 18:39:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 15 Jul 2019 18:39:04 GMT)


Message #14 received at 932131-close@bugs.debian.org:

From: Sebastian Ramacher <sramacher@debian.org>
To: 932131-close@bugs.debian.org
Subject: Bug#932131: fixed in vlc 3.0.7.1-2
Date: Mon, 15 Jul 2019 18:36:20 +0000
Source: vlc
Source-Version: 3.0.7.1-2

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 932131@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 15 Jul 2019 19:55:05 +0200
Source: vlc
Architecture: source
Version: 3.0.7.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Closes: 932131
Changes:
 vlc (3.0.7.1-2) unstable; urgency=medium
 .
   * debian/: Remove obsolete maintscripts.
   * debian/control:
     - Remove obsolete transitional package.
     - Remove obsolete Breaks+Replaces.
     - Bump Standards-Version.
   * debian/patches: Apply upstream patches to
     - unbreak rendering in subsvtt.
     - fix integer underflows in mp4. (CVE-2019-13602) (Closes: #932131)
Checksums-Sha1:
 4079a2ce1dbe552fd498b05dd1bdf4ec9398c094 6377 vlc_3.0.7.1-2.dsc
 f59d0dea46ccf90c153df98ef4a4fa4c83bb95d7 64296 vlc_3.0.7.1-2.debian.tar.xz
Checksums-Sha256:
 d6c8804fcca8ec2d64c741b0187d12005426dc9edea4125feae9a79a7852ebfe 6377 vlc_3.0.7.1-2.dsc
 e3bf6c8c16d59aa35caae349dd9398d55f43e76f605443a4e705d05b77f0bf79 64296 vlc_3.0.7.1-2.debian.tar.xz
Files:
 ae872decab91bb343536dff2c48e8594 6377 video optional vlc_3.0.7.1-2.dsc
 12bb2c674ea886309b100a714518fb6b 64296 video optional vlc_3.0.7.1-2.debian.tar.xz







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jul 16 11:21:44 2019; Machine Name: buxtehude
