vlc: CVE-2008-029[5,6] multiple vulnerabilities in embedded xine copy

Debian Bug report logs - #461544
vlc: CVE-2008-029[5,6] multiple vulnerabilities in embedded xine copy

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: submit@bugs.debian.org

Subject: vlc: CVE-2008-0296 arbitrary code execution via crafted RTSP server

Date: Sat, 19 Jan 2008 13:46:13 +0100

[Message part 1 (text/plain, inline)]

Package: vlc
Version: 0.8.6-svn20061012.debian-5etch4
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for vlc.

CVE-2008-0296[0]:
| Heap-based buffer overflow in the libaccess_realrtsp plugin in
| VideoLAN VLC Media Player 0.8.6d and earlier on Windows might allow
| remote RTSP servers to cause a denial of service (application crash)
| or execute arbitrary code via a long string.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

I contacted upstream for a patch of this.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0296

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #12 received at submit@bugs.debian.org (full text, mbox, reply):

From: Christophe Mutricy <xtophe@nxtelevision.com>

To: Nico Golde <nion@debian.org>, 461544@bugs.debian.org

Cc: submit@bugs.debian.org

Subject: Re: Bug#461544: vlc: CVE-2008-0296 arbitrary code execution via crafted RTSP server

Date: Sun, 20 Jan 2008 23:18:10 +0100

> 
> I contacted upstream for a patch of this.

Hmmm, your mail hasn't reach us (or was mistakely deleted in moderation
or I haven't look well enough)

Anayway, here's a patch:
http://trac.videolan.org/vlc/changeset/24440


> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0296
Btw, there is also CVE-2008-0295 but i don't really see the difference
between 295 and 296 as they refer to the same advisory of Luigi Auriemma

-- 
Xtophe

Message #22 received at 461544@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: Christophe Mutricy <xtophe@nxtelevision.com>, 461544@bugs.debian.org

Cc: control@bugs.debian.org

Subject: Re: Bug#461544: vlc: CVE-2008-0296 arbitrary code execution via crafted RTSP server

Date: Mon, 21 Jan 2008 13:56:28 +0100

[Message part 1 (text/plain, inline)]

retitle 461544 vlc: CVE-2008-029[5,6] multiple vulnerabilities in embedded xine copy
thanks

Hi Christophe,
* Christophe Mutricy <xtophe@nxtelevision.com> [2008-01-21 11:41]:
> > I contacted upstream for a patch of this.
> 
> Hmmm, your mail hasn't reach us (or was mistakely deleted in moderation
> or I haven't look well enough)

Strange, glad to see that you follow the bug tracker.

> Anayway, here's a patch:
> http://trac.videolan.org/vlc/changeset/24440

Thanks!

> > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0296
> Btw, there is also CVE-2008-0295 but i don't really see the difference
> between 295 and 296 as they refer to the same advisory of Luigi Auriemma

Yes this was still on our TODO list :)

CVE-2008-0295[0]:
| Heap-based buffer overflow in modules/access/rtsp/real_sdpplin.c in
| the Xine library, as used in VideoLAN VLC Media Player 0.8.6d and
| earlier, allows user-assisted remote attackers to cause a denial of
| service (crash) or execute arbitrary code via long Session Description
| Protocol (SDP) data.


Mitre usually splits different vulnerabilities to different 
CVE ids.

Kind regards
Nico

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0295
    http://security-tracker.debian.net/tracker/CVE-2008-0295

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #29 received at 461544@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 461544@bugs.debian.org

Subject: intend to NMU

Date: Mon, 21 Jan 2008 16:07:40 +0100

[Message part 1 (text/plain, inline)]

Hi,
attached is a patch for an NMU to fix both CVE ids.
It will be also archived on:
http://people.debian.org/~nion/nmu-diff/vlc-0.8.6.c-5_0.8.6.c-5.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[vlc-0.8.6.c-5_0.8.6.c-5.1.patch (text/x-diff, attachment)]

[Message part 3 (application/pgp-signature, inline)]

Message #38 received at 461544-close@bugs.debian.org (full text, mbox, reply):

From: Loic Minier <lool@dooz.org>

To: 461544-close@bugs.debian.org

Subject: Bug#461544: fixed in vlc 0.8.6.c-6

Date: Mon, 21 Jan 2008 16:02:06 +0000

Source: vlc
Source-Version: 0.8.6.c-6

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6.c-6_i386.deb
  to pool/main/v/vlc/libvlc0-dev_0.8.6.c-6_i386.deb
libvlc0_0.8.6.c-6_i386.deb
  to pool/main/v/vlc/libvlc0_0.8.6.c-6_i386.deb
mozilla-plugin-vlc_0.8.6.c-6_i386.deb
  to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.c-6_i386.deb
vlc-nox_0.8.6.c-6_i386.deb
  to pool/main/v/vlc/vlc-nox_0.8.6.c-6_i386.deb
vlc-plugin-alsa_0.8.6.c-6_all.deb
  to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.c-6_all.deb
vlc-plugin-arts_0.8.6.c-6_i386.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.8.6.c-6_i386.deb
vlc-plugin-esd_0.8.6.c-6_i386.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.8.6.c-6_i386.deb
vlc-plugin-ggi_0.8.6.c-6_i386.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.c-6_i386.deb
vlc-plugin-glide_0.8.6.c-6_i386.deb
  to pool/main/v/vlc/vlc-plugin-glide_0.8.6.c-6_i386.deb
vlc-plugin-jack_0.8.6.c-6_i386.deb
  to pool/main/v/vlc/vlc-plugin-jack_0.8.6.c-6_i386.deb
vlc-plugin-sdl_0.8.6.c-6_i386.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.c-6_i386.deb
vlc-plugin-svgalib_0.8.6.c-6_i386.deb
  to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.c-6_i386.deb
vlc_0.8.6.c-6.diff.gz
  to pool/main/v/vlc/vlc_0.8.6.c-6.diff.gz
vlc_0.8.6.c-6.dsc
  to pool/main/v/vlc/vlc_0.8.6.c-6.dsc
vlc_0.8.6.c-6_i386.deb
  to pool/main/v/vlc/vlc_0.8.6.c-6_i386.deb
wxvlc_0.8.6.c-6_all.deb
  to pool/main/v/vlc/wxvlc_0.8.6.c-6_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 461544@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Loic Minier <lool@dooz.org> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 21 Jan 2008 16:16:51 +0100
Source: vlc
Binary: wxvlc vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-alsa vlc-plugin-jack vlc-plugin-glide vlc-plugin-esd mozilla-plugin-vlc vlc libvlc0 vlc-plugin-arts vlc-nox vlc-plugin-svgalib libvlc0-dev
Architecture: source all i386
Version: 0.8.6.c-6
Distribution: unstable
Urgency: high
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Loic Minier <lool@dooz.org>
Description: 
 libvlc0    - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc        - multimedia player and streamer
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-alsa - dummy transitional package
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-glide - Glide video output plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svgalib - SVGAlib video output plugin for VLC
 wxvlc      - dummy transitional package
Closes: 461544
Changes: 
 vlc (0.8.6.c-6) unstable; urgency=high
 .
   [ Nico Golde ]
   * This update addresses the following security issues (Closes: #461544).
     - CVE-2008-0295: Heap-based buffer overflow in real_sdpplin.c
       which could lead to user-assisted arbitrary code execution
       via crafted SDP data.
     - CVE-2008-0296: Heap-based buffer overflow in libaccess_realrtsp plugin
       which might lead to arbitrary code execution via a crafted RTSP server.
 .
   [ Loic Minier ]
   * Merge above changes by Nico Golde.
Files: 
 e50a9490e7e1fcd18bd0f848e74c5fef 2699 graphics optional vlc_0.8.6.c-6.dsc
 05872186a1153d140e968e759c50324c 38376 graphics optional vlc_0.8.6.c-6.diff.gz
 9d76a8765d3790405eca65095ce48dd2 798 graphics optional vlc-plugin-alsa_0.8.6.c-6_all.deb
 518b07cc03a70ac8a3adaadb76f92c72 794 graphics optional wxvlc_0.8.6.c-6_all.deb
 d9b3bd005e14104fae64e4a1e6e9adea 1146550 graphics optional vlc_0.8.6.c-6_i386.deb
 cde49ce6411fd67a0e92e1dadfb92ddc 4696340 net optional vlc-nox_0.8.6.c-6_i386.deb
 976e58bd4e45949ea370b7e12a30f1b7 467448 libs optional libvlc0_0.8.6.c-6_i386.deb
 43b9f2256ccb427b5536ae4807f212a3 510808 libdevel optional libvlc0-dev_0.8.6.c-6_i386.deb
 161ba0e0b73c4d4a9338037d65f92974 4820 graphics optional vlc-plugin-esd_0.8.6.c-6_i386.deb
 43220f5ae796bae0dbef832dd0c2a66d 10886 graphics optional vlc-plugin-sdl_0.8.6.c-6_i386.deb
 f9ced529c365713b5eb80943203c7ead 5928 graphics optional vlc-plugin-ggi_0.8.6.c-6_i386.deb
 686898766e26255daa64b591e4e4d438 4190 graphics optional vlc-plugin-glide_0.8.6.c-6_i386.deb
 d8c1933adf898b1f89ca765d9445af2a 4068 graphics optional vlc-plugin-arts_0.8.6.c-6_i386.deb
 2b434fe5c4659227939d501e1282e211 37768 graphics optional mozilla-plugin-vlc_0.8.6.c-6_i386.deb
 d1ff9a60f3770dd88dacc11449a4e3c1 4526 graphics optional vlc-plugin-svgalib_0.8.6.c-6_i386.deb
 41808e79cc54517f89d60a79a66631eb 4798 graphics optional vlc-plugin-jack_0.8.6.c-6_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHlL8s4VUX8isJIMARArboAJ9ldXpIgO/Ca6Y1BrZgjOaMqr78zgCfTIB5
ujpzwWYA9qU+I8B0rSmz7gI=
=gztA
-----END PGP SIGNATURE-----

Message #43 received at 461544-close@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 461544-close@bugs.debian.org

Subject: Bug#461544: fixed in vlc 0.8.6.c-4.1~lenny2

Date: Wed, 23 Jan 2008 12:02:04 +0000

Source: vlc
Source-Version: 0.8.6.c-4.1~lenny2

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6.c-4.1~lenny2_i386.deb
  to pool/main/v/vlc/libvlc0-dev_0.8.6.c-4.1~lenny2_i386.deb
libvlc0_0.8.6.c-4.1~lenny2_i386.deb
  to pool/main/v/vlc/libvlc0_0.8.6.c-4.1~lenny2_i386.deb
mozilla-plugin-vlc_0.8.6.c-4.1~lenny2_i386.deb
  to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.c-4.1~lenny2_i386.deb
vlc-nox_0.8.6.c-4.1~lenny2_i386.deb
  to pool/main/v/vlc/vlc-nox_0.8.6.c-4.1~lenny2_i386.deb
vlc-plugin-alsa_0.8.6.c-4.1~lenny2_all.deb
  to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.c-4.1~lenny2_all.deb
vlc-plugin-arts_0.8.6.c-4.1~lenny2_i386.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.8.6.c-4.1~lenny2_i386.deb
vlc-plugin-esd_0.8.6.c-4.1~lenny2_i386.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.8.6.c-4.1~lenny2_i386.deb
vlc-plugin-ggi_0.8.6.c-4.1~lenny2_i386.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.c-4.1~lenny2_i386.deb
vlc-plugin-glide_0.8.6.c-4.1~lenny2_i386.deb
  to pool/main/v/vlc/vlc-plugin-glide_0.8.6.c-4.1~lenny2_i386.deb
vlc-plugin-sdl_0.8.6.c-4.1~lenny2_i386.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.c-4.1~lenny2_i386.deb
vlc-plugin-svgalib_0.8.6.c-4.1~lenny2_i386.deb
  to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.c-4.1~lenny2_i386.deb
vlc_0.8.6.c-4.1~lenny2.diff.gz
  to pool/main/v/vlc/vlc_0.8.6.c-4.1~lenny2.diff.gz
vlc_0.8.6.c-4.1~lenny2.dsc
  to pool/main/v/vlc/vlc_0.8.6.c-4.1~lenny2.dsc
vlc_0.8.6.c-4.1~lenny2_i386.deb
  to pool/main/v/vlc/vlc_0.8.6.c-4.1~lenny2_i386.deb
wxvlc_0.8.6.c-4.1~lenny2_all.deb
  to pool/main/v/vlc/wxvlc_0.8.6.c-4.1~lenny2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 461544@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 22 Jan 2008 07:38:58 +0100
Source: vlc
Binary: wxvlc vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-alsa vlc-plugin-glide vlc-plugin-esd mozilla-plugin-vlc vlc libvlc0 vlc-plugin-arts vlc-nox vlc-plugin-svgalib libvlc0-dev
Architecture: source all i386
Version: 0.8.6.c-4.1~lenny2
Distribution: testing-security
Urgency: high
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 libvlc0    - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc        - multimedia player and streamer
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-alsa - dummy transitional package
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-glide - Glide video output plugin for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svgalib - SVGAlib video output plugin for VLC
 wxvlc      - dummy transitional package
Closes: 461544
Changes: 
 vlc (0.8.6.c-4.1~lenny2) testing-security; urgency=high
 .
   * Non-maintainer upload by security team.
   * This update addresses the following security issues (Closes: #461544).
     - CVE-2008-0295: Heap-based buffer overflow in real_sdpplin.c
       which could lead to user-assisted arbitrary code execution
       via crafted SDP data.
     - CVE-2008-0296: Heap-based buffer overflow in libaccess_realrtsp plugin
       which might lead to arbitrary code execution via a crafted RTSP server.
Files: 
 77abf62acf397464da7e6b7caf630610 2729 graphics optional vlc_0.8.6.c-4.1~lenny2.dsc
 9ad689ee746749c38f8897c4346ab5db 37626 graphics optional vlc_0.8.6.c-4.1~lenny2.diff.gz
 2274f4a142781d73e4e9cdf87c36e6fc 804 graphics optional vlc-plugin-alsa_0.8.6.c-4.1~lenny2_all.deb
 64be32a764536595461832f554f7e57f 798 graphics optional wxvlc_0.8.6.c-4.1~lenny2_all.deb
 5e4890a2a64fc3374bf4c855e81519c6 1143294 graphics optional vlc_0.8.6.c-4.1~lenny2_i386.deb
 d70f5a7a49e11d12e7fbdd0ad909554f 4707590 net optional vlc-nox_0.8.6.c-4.1~lenny2_i386.deb
 89ec86aa15df5a10aa73077e55e7fa3d 466542 libs optional libvlc0_0.8.6.c-4.1~lenny2_i386.deb
 94e03a1c80de4d284241f0c058be8878 511470 libdevel optional libvlc0-dev_0.8.6.c-4.1~lenny2_i386.deb
 52b5a7f11937d5aca9205ad8bcbe67f9 4824 graphics optional vlc-plugin-esd_0.8.6.c-4.1~lenny2_i386.deb
 0ab8054ca2fea60b096736e42b6d78ae 10888 graphics optional vlc-plugin-sdl_0.8.6.c-4.1~lenny2_i386.deb
 a8370785e1478d7cd84cf049aa9723c9 5936 graphics optional vlc-plugin-ggi_0.8.6.c-4.1~lenny2_i386.deb
 47b1cb193012a799a62bd617b28c781a 4200 graphics optional vlc-plugin-glide_0.8.6.c-4.1~lenny2_i386.deb
 55a3b190ce62d88fce5140336e66bd18 4080 graphics optional vlc-plugin-arts_0.8.6.c-4.1~lenny2_i386.deb
 7ec8550c50ba6dde5cf61dc31e286995 37786 graphics optional mozilla-plugin-vlc_0.8.6.c-4.1~lenny2_i386.deb
 0eb0c4e2ffd5a0094b8307e2cf7b0baf 4540 graphics optional vlc-plugin-svgalib_0.8.6.c-4.1~lenny2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHlfd3HYflSXNkfP8RApdMAJ4za4PSffs2qBSABlIH12DL2Ain5gCeIoMo
F8XuOvYGjxjfb1hNpkRq7YA=
=Ytpp
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.