vlc: CVE-2018-19857

Debian Bug report logs - #915760
vlc: CVE-2018-19857


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 6 Dec 2018 16:24:02 UTC

Severity: important

Tags: patch, security, upstream

Found in versions vlc/3.0.4-3, vlc/3.0.3-1-0+deb9u1

Fixed in version vlc/3.0.4-4

Done: Sebastian Ramacher <sramacher@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#915760; Package src:vlc. (Thu, 06 Dec 2018 16:24:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Thu, 06 Dec 2018 16:24:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: vlc: CVE-2018-19857
Date: Thu, 06 Dec 2018 17:20:21 +0100
Source: vlc
Version: 3.0.4-3
Severity: important
Tags: patch security upstream

Hi,

The following vulnerability was published for vlc.

CVE-2018-19857[0]:
| The CAF demuxer in modules/demux/caf.c in VideoLAN VLC media player
| 3.0.4 may read memory from an uninitialized pointer when processing
| magic cookies in CAF files, because a ReadKukiChunk() cast converts a
| return value to an unsigned int even if that value is negative. This
| could result in a denial of service and/or a potential infoleak.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19857
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19857
[1] https://dyntopia.com/advisories/013-vlc
[2] https://git.videolan.org/?p=vlc.git;a=commit;h=0cc5ea748ee5ff7705dde61ab15dff8f58be39d0

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
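The defect the CVE text above describes, a signed read result cast to an unsigned integer so that an error or short read looks like a valid length, is a general C hazard rather than something specific to CAF parsing. The following C program is an added illustration, not VLC's code and not part of the Debian report: the toy stream type, the function names (toy_read, cookie_len_unchecked, cookie_len_checked) and the buffer sizes are all constructed here. It places the weak cast beside the hardened check and runs both against an I/O error, a short read and a full read.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for a demuxer's byte stream (not VLC's API).
 * Like a read()-style call it returns -1 on I/O error, otherwise the
 * number of bytes actually copied, which may be fewer than requested. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
    int fail;          /* 1 = simulate an I/O error on every read */
} toy_stream_t;

static ssize_t toy_read(toy_stream_t *s, uint8_t *dst, size_t want)
{
    if (s->fail)
        return -1;
    size_t avail = s->len - s->pos;
    size_t n = want < avail ? want : avail;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return (ssize_t)n;
}

/* Weak pattern: the signed result is cast straight to uint32_t, so an
 * error of -1 becomes 0xFFFFFFFF and a short read is silently accepted.
 * Any later "is the length large enough?" test passes, and downstream
 * code then trusts buffer bytes that were never written (the infoleak
 * and crash risk the advisory describes). */
static uint32_t cookie_len_unchecked(toy_stream_t *s, uint8_t *buf, size_t want)
{
    return (uint32_t)toy_read(s, buf, want);
}

/* Hardened pattern: keep the signed type, reject errors and short reads
 * before the value is ever reinterpreted as a size. Returns 0 on success
 * and -1 otherwise; the length is stored only after validation. */
static int cookie_len_checked(toy_stream_t *s, uint8_t *buf, size_t want,
                              uint32_t *out_len)
{
    ssize_t got = toy_read(s, buf, want);
    if (got < 0 || (size_t)got != want)
        return -1;
    *out_len = (uint32_t)got;
    return 0;
}

/* Scenario helpers: build a constructed stream holding data_len filler
 * bytes (optionally failing), request `want` bytes, and report what each
 * pattern concludes. Both sizes must stay within COOKIE_MAX. */
#define COOKIE_MAX 16

static uint32_t unchecked_result(int fail, size_t data_len, size_t want)
{
    uint8_t src[COOKIE_MAX] = {0}, buf[COOKIE_MAX];
    toy_stream_t s = { src, data_len, 0, fail };
    return cookie_len_unchecked(&s, buf, want);
}

static int checked_status(int fail, size_t data_len, size_t want)
{
    uint8_t src[COOKIE_MAX] = {0}, buf[COOKIE_MAX];
    toy_stream_t s = { src, data_len, 0, fail };
    uint32_t len = 0;
    return cookie_len_checked(&s, buf, want, &len);
}

int main(void)
{
    printf("I/O error:  unchecked=0x%08x checked=%d\n",
           unchecked_result(1, 8, 8), checked_status(1, 8, 8));
    printf("short read: unchecked=%u checked=%d\n",
           unchecked_result(0, 4, 8), checked_status(0, 4, 8));
    printf("full read:  unchecked=%u checked=%d\n",
           unchecked_result(0, 8, 8), checked_status(0, 8, 8));
    return 0;
}
```

The point to carry into a code review is the order of operations: the sign check must happen on the original signed value, and only the validated result may be converted to the unsigned type that the rest of the parser uses as a length.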



Marked as found in versions vlc/3.0.3-1-0+deb9u1. Request was from Sebastian Ramacher <sramacher@debian.org> to control@bugs.debian.org. (Sun, 09 Dec 2018 20:06:05 GMT)


Reply sent to Sebastian Ramacher <sramacher@debian.org>:
You have taken responsibility. (Sun, 09 Dec 2018 21:30:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 09 Dec 2018 21:30:10 GMT)


Message #12 received at 915760-close@bugs.debian.org:

From: Sebastian Ramacher <sramacher@debian.org>
To: 915760-close@bugs.debian.org
Subject: Bug#915760: fixed in vlc 3.0.4-4
Date: Sun, 09 Dec 2018 21:27:25 +0000
Source: vlc
Source-Version: 3.0.4-4

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 915760@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 09 Dec 2018 21:02:57 +0100
Source: vlc
Binary: vlc libvlc-dev libvlc5 libvlccore-dev libvlccore9 libvlc-bin vlc-bin vlc-data vlc-l10n vlc-plugin-base vlc-plugin-access-extra vlc-plugin-video-output vlc-plugin-video-splitter vlc-plugin-visualization vlc-plugin-skins2 vlc-plugin-qt vlc-plugin-fluidsynth vlc-plugin-jack vlc-plugin-notify vlc-plugin-svg vlc-plugin-samba vlc-plugin-zvbi
Architecture: source
Version: 3.0.4-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Description:
 libvlc-bin - tools for VLC's base library
 libvlc-dev - development files for libvlc
 libvlc5    - multimedia player and streamer library
 libvlccore-dev - development files for libvlccore
 libvlccore9 - base library for VLC and its modules
 vlc        - multimedia player and streamer
 vlc-bin    - binaries from VLC
 vlc-data   - common data for VLC
 vlc-l10n   - translations for VLC
 vlc-plugin-access-extra - multimedia player and streamer (extra access plugins)
 vlc-plugin-base - multimedia player and streamer (base plugins)
 vlc-plugin-fluidsynth - FluidSynth plugin for VLC
 vlc-plugin-jack - JACK audio plugins for VLC
 vlc-plugin-notify - LibNotify plugin for VLC
 vlc-plugin-qt - multimedia player and streamer (Qt plugin)
 vlc-plugin-samba - Samba plugin for VLC
 vlc-plugin-skins2 - multimedia player and streamer (Skins2 plugin)
 vlc-plugin-svg - SVG plugin for VLC
 vlc-plugin-video-output - multimedia player and streamer (video output plugins)
 vlc-plugin-video-splitter - multimedia player and streamer (video splitter plugins)
 vlc-plugin-visualization - multimedia player and streamer (visualization plugins)
 vlc-plugin-zvbi - transitional dummy package
Closes: 915760
Changes:
 vlc (3.0.4-4) unstable; urgency=medium
 .
   * debian/patches: Apply upstream patch to fix integer underflow
     (CVE-2018-19857). (Closes: #915760)
Checksums-Sha1:
 1e614e2408dd789c462df61345d1a3762b7aa3b5 6183 vlc_3.0.4-4.dsc
 4e38442a3b6d73cea846d619728dc2652843e64c 66392 vlc_3.0.4-4.debian.tar.xz
Checksums-Sha256:
 590b0bdea7960a8df7707ad87160e24dc692d2e538a85329c13587c041a4f8a1 6183 vlc_3.0.4-4.dsc
 d91e4b07261d39698bc5c9e16153ccdf6566d8fd7b2bf9a5d5777ece235d9a0a 66392 vlc_3.0.4-4.debian.tar.xz
Files:
 140205c5c2692410bacf8e0ecfa3949c 6183 video optional vlc_3.0.4-4.dsc
 db43113a15355b120b811e9a6d0e2d46 66392 video optional vlc_3.0.4-4.debian.tar.xz





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Jan 2019 07:28:05 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:21:50 2019; Machine Name: beach
