CVE-2007-0256: vlc: Media Player Unspecified Denial Of Service Vulnerability


Debian Bug report logs - #407290

Reported by: Alex de Oliveira Silva <enerv@host.sk>

Date: Wed, 17 Jan 2007 12:18:02 UTC

Severity: important

Tags: fixed-upstream, security

Found in version vlc/0.8.6.a.debian-1

Fixed in version vlc/0.8.6.c-1

Done: Sam Hocevar (Debian packages) <sam+deb@zoy.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Sam Hocevar (Debian packages) <sam+deb@zoy.org>:
Bug#407290; Package vlc.


Acknowledgement sent to Alex de Oliveira Silva <enerv@host.sk>:
New Bug report received and forwarded. Copy sent to Sam Hocevar (Debian packages) <sam+deb@zoy.org>.


Message #5 received at submit@bugs.debian.org:

From: Alex de Oliveira Silva <enerv@host.sk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2007-0256: vlc: Media Player Unspecified Denial Of Service Vulnerability
Date: Wed, 17 Jan 2007 09:12:07 -0300
Package: vlc
Version: 0.8.6.a.debian-1
Severity: important
Tags: security

VLC Media Player is prone to a denial-of-service vulnerability because
it fails to sufficiently handle user-supplied data.
Exploiting this issue can allow an attacker to crash the application,
effectively denying service to the user.
Version 0.8.6a is vulnerable; other versions may also be affected.

Reference:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0256
http://www.securityfocus.com/bid/22003

Note:
Please mention the CVE id in the changelog.

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-486
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)


regards,
-- 
   .''`.  
  : :' :    Alex de Oliveira Silva | enerv
  `. `'     www.enerv.net
    `- 



Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#407290; Package vlc.


Acknowledgement sent to Rémi Denis-Courmont <rdenis@simphalempin.com>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>.


Message #10 received at 407290@bugs.debian.org:

From: Rémi Denis-Courmont <rdenis@simphalempin.com>
To: control@bugs.debian.org, 407290@bugs.debian.org
Subject: #407290 fixed upstream
Date: Tue, 19 Jun 2007 22:02:24 +0300
tags 407290 + fixed-upstream
thanks

Fixed in upstream VLC release 0.8.6b.

-- 
Rémi Denis-Courmont
http://www.remlab.net/

Tags added: fixed-upstream. Request was from Rémi Denis-Courmont <rdenis@simphalempin.com> to control@bugs.debian.org. (Tue, 19 Jun 2007 19:06:03 GMT)


Reply sent to Sam Hocevar (Debian packages) <sam+deb@zoy.org>:
You have taken responsibility.


Notification sent to Alex de Oliveira Silva <enerv@host.sk>:
Bug acknowledged by developer.


Message #17 received at 407290-close@bugs.debian.org:

From: Sam Hocevar (Debian packages) <sam+deb@zoy.org>
To: 407290-close@bugs.debian.org
Subject: Bug#407290: fixed in vlc 0.8.6.c-1
Date: Tue, 26 Jun 2007 00:47:05 +0000
Source: vlc
Source-Version: 0.8.6.c-1

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6.c-1_i386.deb
  to pool/main/v/vlc/libvlc0-dev_0.8.6.c-1_i386.deb
libvlc0_0.8.6.c-1_i386.deb
  to pool/main/v/vlc/libvlc0_0.8.6.c-1_i386.deb
mozilla-plugin-vlc_0.8.6.c-1_i386.deb
  to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.c-1_i386.deb
vlc-nox_0.8.6.c-1_i386.deb
  to pool/main/v/vlc/vlc-nox_0.8.6.c-1_i386.deb
vlc-plugin-alsa_0.8.6.c-1_all.deb
  to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.c-1_all.deb
vlc-plugin-arts_0.8.6.c-1_i386.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.8.6.c-1_i386.deb
vlc-plugin-esd_0.8.6.c-1_i386.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.8.6.c-1_i386.deb
vlc-plugin-ggi_0.8.6.c-1_i386.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.c-1_i386.deb
vlc-plugin-glide_0.8.6.c-1_i386.deb
  to pool/main/v/vlc/vlc-plugin-glide_0.8.6.c-1_i386.deb
vlc-plugin-sdl_0.8.6.c-1_i386.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.c-1_i386.deb
vlc-plugin-svgalib_0.8.6.c-1_i386.deb
  to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.c-1_i386.deb
vlc_0.8.6.c-1.diff.gz
  to pool/main/v/vlc/vlc_0.8.6.c-1.diff.gz
vlc_0.8.6.c-1.dsc
  to pool/main/v/vlc/vlc_0.8.6.c-1.dsc
vlc_0.8.6.c-1_i386.deb
  to pool/main/v/vlc/vlc_0.8.6.c-1_i386.deb
vlc_0.8.6.c.orig.tar.gz
  to pool/main/v/vlc/vlc_0.8.6.c.orig.tar.gz
wxvlc_0.8.6.c-1_all.deb
  to pool/main/v/vlc/wxvlc_0.8.6.c-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 407290@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hocevar (Debian packages) <sam+deb@zoy.org> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Tue, 26 Jun 2007 01:41:02 +0200
Source: vlc
Binary: wxvlc vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-alsa vlc-plugin-glide vlc-plugin-esd mozilla-plugin-vlc vlc libvlc0 vlc-plugin-arts vlc-nox vlc-plugin-svgalib libvlc0-dev
Architecture: source i386 all
Version: 0.8.6.c-1
Distribution: unstable
Urgency: high
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Sam Hocevar (Debian packages) <sam+deb@zoy.org>
Description: 
 libvlc0    - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc        - multimedia player and streamer
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-alsa - dummy transitional package
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-glide - Glide video output plugin for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svgalib - SVGAlib video output plugin for VLC
 wxvlc      - dummy transitional package
Closes: 405035 407290 417750 424915 426673 429726
Changes: 
 vlc (0.8.6.c-1) unstable; urgency=high
 .
   [ Fathi Boudra, Christophe Mutricy ]
 .
   * New upstream release (Closes: #424915):
     + multiple format string vulnerabilities (VideoLAN-SA-0207).
       (Closes: #429726)
     + media player unspecified Denial Of Service vulnerability (CVE-2007-0256).
       (Closes: #407290)
     + missing includes to fix FTBFS with GCC 4.3.0. (Closes: #417750)
     + fullscreen opens a normal window instead of going fullscreen on amd64.
       (Closes: #405035)
     + fix building with libflac8. (Closes: #426673)
     + The following patches are no longer necessary:
       105_audio_format_crash.diff
       106_xshm_check.diff
       107_gcc-4.3.diff
       108_flac-1.1.3.diff
 .
   * Install libtelx_plugin.so in vlc-nox package.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 15 Mar 2008 07:31:19 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:22:00 2019; Machine Name: buxtehude
