vlc: CVE-2008-4558 code execution via crafted xspf playlist file

Related Vulnerabilities: CVE-2008-4558  

Debian Bug report logs - #502314


Reported by: Nico Golde <nion@debian.org>

Date: Wed, 15 Oct 2008 14:33:01 UTC

Severity: grave

Tags: patch, security

Found in version vlc/0.9.2-1

Fixed in versions 0.8.1.svn20050314-1sarge3, vlc/0.9.4-1

Done: Christophe Mutricy <xtophe@chewa.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#502314; Package vlc. (Wed, 15 Oct 2008 14:33:04 GMT) (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 15 Oct 2008 14:33:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: vlc: CVE-2008-4558 code execution via crafted xspf playlist file
Date: Wed, 15 Oct 2008 16:30:44 +0200
[Message part 1 (text/plain, inline)]
Package: vlc
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for vlc.

CVE-2008-4558[0]:
| Array index error in VLC media player 0.9.2 allows remote attackers to
| overwrite arbitrary memory and execute arbitrary code via an XSPF
| playlist file with a negative identifier tag, which passes a signed
| comparison.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4558
    http://security-tracker.debian.net/tracker/CVE-2008-4558

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
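The CVE text above describes a bounds check that a negative identifier passes because the comparison is signed. The block below is an added illustration, not VLC's code or the upstream patch: a hypothetical, simplified XSPF identifier reader (`xspf_identifier_index`, `parse_track_index`, `check_identifier` and `TRACK_SLOTS` are constructed names) that rejects negative and out-of-range values, with the one-sided signed comparison kept alongside only to show that it accepts a negative index.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TRACK_SLOTS 8   /* constructed: size of the reader's track table */

/* The one-sided check the advisory describes: with a signed index,
 * a negative value satisfies `v < n_slots`, so it is never rejected. */
static int signed_only_check(long v, int n_slots) { return v < n_slots; }

/* Parse an identifier string as a table index and check BOTH bounds.
 * Returns 0 and stores the index on success, -1 on any failure. */
static int parse_track_index(const char *text, int n_slots, int *out)
{
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (end == text || *end != '\0' || errno == ERANGE)
        return -1;                      /* not a complete integer */
    if (v < 0 || v >= n_slots)
        return -1;                      /* rejects negatives and overflow */
    *out = (int)v;
    return 0;
}

/* Pull the text of the first <identifier> element out of an XSPF
 * fragment (constructed, minimal reader; not VLC's XML parser) and
 * validate it as a slot index. */
static int xspf_identifier_index(const char *xml, int n_slots, int *out)
{
    const char *open = strstr(xml, "<identifier>");
    if (!open) return -1;
    open += strlen("<identifier>");
    const char *close = strstr(open, "</identifier>");
    if (!close || (size_t)(close - open) >= 32) return -1;
    char buf[32];
    memcpy(buf, open, (size_t)(close - open));
    buf[close - open] = '\0';
    return parse_track_index(buf, n_slots, out);
}

/* Convenience wrapper: the validated index, or -1 if the fragment is rejected. */
static int check_identifier(const char *xml)
{
    int idx;
    return xspf_identifier_index(xml, TRACK_SLOTS, &idx) == 0 ? idx : -1;
}

int main(void)
{
    /* constructed sample fragments */
    printf("3  -> %d\n", check_identifier("<track><identifier>3</identifier></track>"));
    printf("-5 -> %d\n", check_identifier("<track><identifier>-5</identifier></track>"));
    printf("signed-only check accepts -5: %d\n", signed_only_check(-5, TRACK_SLOTS));
    return 0;
}
```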

Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#502314; Package vlc. (Wed, 15 Oct 2008 15:54:03 GMT) (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 15 Oct 2008 15:54:03 GMT) (full text, mbox, link).


Message #10 received at 502314@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: 502314@bugs.debian.org
Subject: Re: vlc: CVE-2008-4558 code execution via crafted xspf playlist file
Date: Wed, 15 Oct 2008 17:42:41 +0200
[Message part 1 (text/plain, inline)]
Hi,
forgot the patch.

http://git.videolan.org/?p=vlc.git;a=commit;h=6d3c22f29e650b0d10b2116fe3145194d20b8b56

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Bug no longer marked as found in version 0.8.6.h-4. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 15 Oct 2008 15:57:03 GMT) (full text, mbox, link).


Bug marked as found in version 0.9.2-1. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 15 Oct 2008 16:18:02 GMT) (full text, mbox, link).


Bug marked as fixed in version 0.8.1.svn20050314-1sarge3. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 15 Oct 2008 16:24:03 GMT) (full text, mbox, link).


Bug marked as found in version 0.9.2-1. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 15 Oct 2008 16:24:05 GMT) (full text, mbox, link).


Bug no longer marked as found in version 0.8.6-svn20061012.debian-5.1+etch4. Request was from Christophe Mutricy <xtophe@videolan.org> to control@bugs.debian.org. (Sat, 18 Oct 2008 15:15:05 GMT) (full text, mbox, link).


Reply sent to Christophe Mutricy <xtophe@chewa.net>:
You have taken responsibility. (Sat, 18 Oct 2008 15:21:04 GMT) (full text, mbox, link).


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Sat, 18 Oct 2008 15:21:04 GMT) (full text, mbox, link).


Message #25 received at 502314-done@bugs.debian.org (full text, mbox, reply):

From: Christophe Mutricy <xtophe@chewa.net>
To: Nico Golde <nion@debian.org>, 502314-done@bugs.debian.org
Subject: Re: Bug#502314: vlc: CVE-2008-4558 code execution via crafted xspf playlist file
Date: Sat, 18 Oct 2008 17:18:01 +0200
Package: vlc
Version: 0.9.4-1

It was fixed upstream in 0.9.3

-- 
Xtophe

Le Wed 15 Oct 08 à 16:30 +0200, Nico Golde a écrit :
> Package: vlc
> Severity: grave
> Tags: security patch
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for vlc.
> 
> CVE-2008-4558[0]:
> | Array index error in VLC media player 0.9.2 allows remote attackers to
> | overwrite arbitrary memory and execute arbitrary code via an XSPF
> | playlist file with a negative identifier tag, which passes a signed
> | comparison.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
> 
> For further information see:
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4558
>     http://security-tracker.debian.net/tracker/CVE-2008-4558
> 
> -- 
> Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
> For security reasons, all text in this mail is double-rot13 encrypted.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Nov 2008 07:26:07 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:09:16 2019; Machine Name: buxtehude
