vlc: CVE-2012-5470

Debian Bug report logs - #692130


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Fri, 2 Nov 2012 14:21:02 UTC

Severity: grave

Tags: security

Fixed in versions 2.0.4-1, vlc/2.0.3-4

Done: Benjamin Drung <bdrung@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#692130; Package vlc. (Fri, 02 Nov 2012 14:21:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Fri, 02 Nov 2012 14:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: vlc: CVE-2012-5470
Date: Fri, 02 Nov 2012 15:16:00 +0100
Package: vlc
Severity: grave
Tags: security
Justification: user security hole

Please see http://openwall.com/lists/oss-security/2012/10/24/3

Cheers,
        Moritz



Reply sent to Benjamin Drung <bdrung@debian.org>:
You have taken responsibility. (Mon, 12 Nov 2012 22:45:04 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Mon, 12 Nov 2012 22:45:04 GMT)


Message #10 received at 692130-done@bugs.debian.org:

From: Benjamin Drung <bdrung@debian.org>
To: 692130-done@bugs.debian.org
Subject: Re: Bug#692130: vlc: CVE-2012-5470
Date: Mon, 12 Nov 2012 23:43:25 +0100
Version: 2.0.4-1

On Friday, 02.11.2012 at 15:16 +0100, Moritz Muehlenhoff wrote:
> Package: vlc
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Please see http://openwall.com/lists/oss-security/2012/10/24/3

I downloaded the crafted png file from [1]. vlc 2.0.3-3 from testing
crashed when I opened the file. vlc 2.0.4-1 from unstable does not crash
when opening this crafted file, but prints an error on the terminal:

$ vlc crafted.png 
VLC media player 2.0.4 Twoflower (revision 2.0.3-289-g6e6100a)
libpng error: not enough data
[0x7f0c64c01e38] png image decoder error: not enough data
libpng error: not enough data
[0x7f0c64c01ab8] image demux error: Failed to load the image

[1] http://www.exploit-db.com/exploits/21889/

-- 
Benjamin Drung
Debian & Ubuntu Developer
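
The reproduction above hinges on libpng rejecting a PNG whose chunk bookkeeping does not match the bytes actually present ("not enough data"). As an added example that is not part of this bug report and is not VLC or libpng code, the following Python checker walks a PNG's chunk list and reports that class of inconsistency: a chunk length that runs past end of file, a CRC mismatch, a missing IEND, and an IHDR that claims more pixels than the IDAT stream decompresses to. The sample files it checks are constructed inline; it does not use the exploit-db sample and does not reproduce the crash.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Samples per pixel for each PNG colour type
# (greyscale, RGB, palette, grey+alpha, RGB+alpha).
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def _chunk(ctype, payload):
    """Serialise one chunk: big-endian length, type, data, CRC32 over type+data."""
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def build_rgb_png(width, height, ihdr_width=None, ihdr_height=None):
    """Constructed 8-bit RGB PNG filled with one colour (test input made here,
    not the file from the bug). ihdr_width/ihdr_height make the header claim
    a size other than what the pixel data actually encodes."""
    hw = width if ihdr_width is None else ihdr_width
    hh = height if ihdr_height is None else ihdr_height
    ihdr = struct.pack(">IIBBBBB", hw, hh, 8, 2, 0, 0, 0)  # depth 8, RGB, no interlace
    scanline = b"\x00" + b"\x10\x20\x30" * width             # filter type 0 + RGB bytes
    idat = zlib.compress(scanline * height)
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def check_png(data):
    """Return a list of structural problems (empty if the file is consistent).
    Covers what a decoder trips over before any pixel is produced: signature,
    a chunk length running past end of file (libpng: 'not enough data'),
    CRC mismatches, missing IEND, and IHDR dimensions that do not match the
    amount of decompressed IDAT data."""
    problems = []
    if not data.startswith(PNG_SIGNATURE):
        return ["bad PNG signature"]
    pos = len(PNG_SIGNATURE)
    header = None
    idat = b""
    saw_iend = False
    while pos < len(data) and not saw_iend:
        if len(data) - pos < 8:
            problems.append("truncated chunk header at offset %d" % pos)
            return problems
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        end = pos + 8 + length + 4
        if end > len(data):
            problems.append("%s: declared length %d but only %d bytes follow the header (not enough data)"
                            % (name, length, len(data) - pos - 8))
            return problems
        body = data[pos + 4:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if crc != zlib.crc32(body) & 0xFFFFFFFF:
            problems.append("%s: CRC mismatch" % name)
        if ctype == b"IHDR":
            if length != 13:
                problems.append("IHDR: length %d, expected 13" % length)
            else:
                header = struct.unpack(">IIBBBBB", body[4:17])
                if header[0] == 0 or header[1] == 0:
                    problems.append("IHDR: zero width or height")
        elif ctype == b"IDAT":
            idat += body[4:]
        elif ctype == b"IEND":
            saw_iend = True
        pos = end
    if header is None:
        problems.append("no usable IHDR chunk")
        return problems
    if not saw_iend:
        problems.append("no IEND chunk")
    width, height, depth, colour, interlace = header[0], header[1], header[2], header[3], header[6]
    channels = CHANNELS.get(colour)
    if channels is None or depth not in (1, 2, 4, 8, 16):
        problems.append("IHDR: unsupported colour type %d / bit depth %d" % (colour, depth))
        return problems
    try:
        raw = zlib.decompress(idat)
    except zlib.error as exc:
        problems.append("IDAT: zlib error: %s" % exc)
        return problems
    if interlace == 0:  # Adam7 passes have a different layout and are not sized here
        expected = height * (1 + (width * channels * depth + 7) // 8)
        if len(raw) != expected:
            problems.append("IDAT: decompresses to %d bytes but IHDR %dx%d implies %d"
                            % (len(raw), width, height, expected))
    return problems


def sample_ok():
    return build_rgb_png(4, 3)


def sample_truncated():
    # Drop the tail: IEND is gone and the IDAT length now runs past end of file.
    return sample_ok()[:-20]


def sample_header_lie():
    # Header claims 1000x1000 while the IDAT stream only holds 4x3 pixels.
    return build_rgb_png(4, 3, ihdr_width=1000, ihdr_height=1000)


if __name__ == "__main__":
    for label, sample in (("ok", sample_ok()), ("truncated", sample_truncated()),
                          ("header-lie", sample_header_lie())):
        print(label, check_png(sample) or "consistent")
```

A clean report from this checker does not mean a decoder will handle the file safely; it only rules out the gross length and size inconsistencies that crafted files commonly rely on, which makes it a cheap pre-filter before handing untrusted images to a media player or a fuzzing harness.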




Reply sent to Benjamin Drung <bdrung@debian.org>:
You have taken responsibility. (Thu, 06 Dec 2012 21:51:09 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Thu, 06 Dec 2012 21:51:09 GMT)


Message #15 received at 692130-close@bugs.debian.org:

From: Benjamin Drung <bdrung@debian.org>
To: 692130-close@bugs.debian.org
Subject: Bug#692130: fixed in vlc 2.0.3-4
Date: Thu, 06 Dec 2012 21:48:48 +0000
Source: vlc
Source-Version: 2.0.3-4

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 692130@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Benjamin Drung <bdrung@debian.org> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 06 Dec 2012 21:55:05 +0100
Source: vlc
Binary: libvlc-dev libvlc5 libvlccore-dev libvlccore5 vlc vlc-data vlc-dbg vlc-nox vlc-plugin-fluidsynth vlc-plugin-jack vlc-plugin-notify vlc-plugin-pulse vlc-plugin-sdl vlc-plugin-svg vlc-plugin-zvbi
Architecture: source amd64 all
Version: 2.0.3-4
Distribution: testing
Urgency: low
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Benjamin Drung <bdrung@debian.org>
Description: 
 libvlc-dev - development files for libvlc
 libvlc5    - multimedia player and streamer library
 libvlccore-dev - development files for libvlccore
 libvlccore5 - base library for VLC and its modules
 vlc        - multimedia player and streamer
 vlc-data   - Common data for VLC
 vlc-dbg    - debugging symbols for vlc
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-fluidsynth - FluidSynth plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-notify - LibNotify plugin for VLC
 vlc-plugin-pulse - PulseAudio plugin for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svg - SVG plugin for VLC
 vlc-plugin-zvbi - VBI teletext plugin for VLC
Closes: 692130
Changes: 
 vlc (2.0.3-4) testing; urgency=low
 .
   * SECURITY UPDATE: denial of service via crafted PNG file (Closes: #692130)
     - CVE-2012-5470
Checksums-Sha1: 
 a244bafc51c83a51f8f2cab50087990d7fe4b3e5 4844 vlc_2.0.3-4.dsc
 fb092d2a54844ccecff8effa8abf8fd926948cc0 58849 vlc_2.0.3-4.debian.tar.gz
 5b53f723c9f76da98eda8eed14b11ca83a311669 59484 libvlc-dev_2.0.3-4_amd64.deb
 7df718dd42fc7392fceb1f055243534c489b0c04 39264 libvlc5_2.0.3-4_amd64.deb
 5fa2043ad30a41aa6f5a61e4d2ae77bbcaf00d99 504596 libvlccore-dev_2.0.3-4_amd64.deb
 e18a6da841c8550b1090ea7e28879f0e3165b0c8 356468 libvlccore5_2.0.3-4_amd64.deb
 d98adbd171a998187105d9a5ee9dc5f5ff024163 1050612 vlc_2.0.3-4_amd64.deb
 2ca4d89968e5bb5d2e3cc4a4a89230c86ac72eff 5104920 vlc-data_2.0.3-4_all.deb
 de77495eebf061822c070823dc93fdca9985696a 13273302 vlc-dbg_2.0.3-4_amd64.deb
 d2642ebb50503d92b0bfabdb28eb74a541b714b9 2550258 vlc-nox_2.0.3-4_amd64.deb
 3cfdb6aa01b1f941de5a77c49bafb4f7ae47692f 5468 vlc-plugin-fluidsynth_2.0.3-4_amd64.deb
 f2cde8430e69c45163199ed940473413cd1a5d1c 10476 vlc-plugin-jack_2.0.3-4_amd64.deb
 b7fd73efcaa5887aee4ba21efcdf2473ac76e792 5608 vlc-plugin-notify_2.0.3-4_amd64.deb
 47a414a7e5a9c2d5baced95ae7200274dceac7a3 16680 vlc-plugin-pulse_2.0.3-4_amd64.deb
 94f453333d6e8c831f2b06b0e515fd4205030893 8088 vlc-plugin-sdl_2.0.3-4_amd64.deb
 9d915cf99fea70f70a08859bdca2fc0a83f2cd04 6292 vlc-plugin-svg_2.0.3-4_amd64.deb
 ff0a037c59ab6ac6dfcd10de91f1db4fcfe9cea3 8018 vlc-plugin-zvbi_2.0.3-4_amd64.deb
Checksums-Sha256: 
 e3dac665dfde3fd679958de066146fc360ece159f6c7707c2fab07081fc4b5ce 4844 vlc_2.0.3-4.dsc
 f4102cc7ab5560fa147e61b5c62c1030d8ded7ec27c752c83793a0ab6d08c46d 58849 vlc_2.0.3-4.debian.tar.gz
 cab38b1a8e916d31118afc579940b31199e1a9f68d29094b34908f6755f0465e 59484 libvlc-dev_2.0.3-4_amd64.deb
 9c6dad68c48f8461b2a94bd01d6810e816e572c67a79371df3e531450dfbd87c 39264 libvlc5_2.0.3-4_amd64.deb
 5575d274a0fa1c102126e6f33c14c9286234ad1a37cbf9519f07c82643cc1365 504596 libvlccore-dev_2.0.3-4_amd64.deb
 da4b1924fbca94e640e30d3a3b36caa02ccc0171a0593b645b275b0e309e518f 356468 libvlccore5_2.0.3-4_amd64.deb
 a80b44a2edbf7c5d282dfbb0230fc85e74dd9bce652c59a8be2d5201752bb9e0 1050612 vlc_2.0.3-4_amd64.deb
 da12b879de8bacee2335c81ad6299b3caffe91899dc2bd43b8f671d9e1f5834d 5104920 vlc-data_2.0.3-4_all.deb
 214c4d9330c0ddc92e30e195026365b03f23a1bd4216ca10b1058de411bb5902 13273302 vlc-dbg_2.0.3-4_amd64.deb
 1cba1a5d32110b9299630e0023b62bca523a2efc34bf5ab8c7a04744a4206111 2550258 vlc-nox_2.0.3-4_amd64.deb
 2f76927deb5229210e4afc6b06e9a9c3b977c0ee55344ca2b9d528e98952d689 5468 vlc-plugin-fluidsynth_2.0.3-4_amd64.deb
 76b477b27bf996dd25fcf49d33c0456731c60b5b682865077f2c861dc28c4707 10476 vlc-plugin-jack_2.0.3-4_amd64.deb
 aff4193104af885741a8100e2efef4de1a0eeaaa87195ba9862106ee61c86e94 5608 vlc-plugin-notify_2.0.3-4_amd64.deb
 7dce3f52f21f3f51a96181033fb4e9c53cd0651fbdde6684c6e8bcf5374cbf7b 16680 vlc-plugin-pulse_2.0.3-4_amd64.deb
 c1810d6b4ff8f7875dc8c3bc1bff72d095ee434dcc0edc4ca048382f31ec6bb3 8088 vlc-plugin-sdl_2.0.3-4_amd64.deb
 d32ad56bd17485fcabc2ffbbfe95f7b8c037cf19a4d24a78ee1b561c9816b7b5 6292 vlc-plugin-svg_2.0.3-4_amd64.deb
 44768580e85252d1966f15f46d254bd6d43ff236c37594c10be45e203b447aef 8018 vlc-plugin-zvbi_2.0.3-4_amd64.deb
Files: 
 162f2fbd9d2604852a3b9eb73eda47e5 4844 video optional vlc_2.0.3-4.dsc
 0dd70bac2fd1b8bacbf7adcbadcb5e88 58849 video optional vlc_2.0.3-4.debian.tar.gz
 5576a33914b6ea7563c6d6adb0a0376b 59484 libdevel optional libvlc-dev_2.0.3-4_amd64.deb
 91d3457f28633c189ed8d294aaf2a265 39264 libs optional libvlc5_2.0.3-4_amd64.deb
 6e9bcf3a9cf6641679a4a1edd98f132a 504596 libdevel optional libvlccore-dev_2.0.3-4_amd64.deb
 75b7d1d9050721c55389acb8b173160a 356468 libs optional libvlccore5_2.0.3-4_amd64.deb
 852aa3dc476434d81daa0632fdafbf8f 1050612 video optional vlc_2.0.3-4_amd64.deb
 32e43751f7d1cf6d580d9d42b0926799 5104920 video optional vlc-data_2.0.3-4_all.deb
 ec1600a937ad1ed6b3056569a0f03330 13273302 debug extra vlc-dbg_2.0.3-4_amd64.deb
 1da3697a32c1fe0058d852c69e97fa8b 2550258 video optional vlc-nox_2.0.3-4_amd64.deb
 522eca9080b4c389c5481456fcfe07db 5468 video optional vlc-plugin-fluidsynth_2.0.3-4_amd64.deb
 a4608a73e7661207617bb65d5c67008a 10476 video optional vlc-plugin-jack_2.0.3-4_amd64.deb
 4f5136cd5763a77b87bdb9dd35cd3a94 5608 video optional vlc-plugin-notify_2.0.3-4_amd64.deb
 4b9ab96fb81817b622484be22309a0f6 16680 video optional vlc-plugin-pulse_2.0.3-4_amd64.deb
 60d1736ce627a164fd84a75fb9607d1a 8088 video optional vlc-plugin-sdl_2.0.3-4_amd64.deb
 a5621eb1e36a3b29fe6fbf2d02d1762d 6292 video optional vlc-plugin-svg_2.0.3-4_amd64.deb
 2b6f28bd6824e60af73d258d94917aee 8018 video optional vlc-plugin-zvbi_2.0.3-4_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----
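
The .changes file above records a size and a SHA-256 digest for every uploaded artefact. As an added example (not part of the bug log and not Debian's own tooling), the following Python parses a Checksums-Sha256 stanza in that layout and verifies files on disk against it, reporting missing files, size mismatches and digest mismatches separately. The demo writes two constructed files with made-up contents into a temporary directory and lists a third that does not exist; it does not download or verify the real vlc 2.0.3-4 packages.

```python
import hashlib
import os
import tempfile


def parse_checksums_sha256(changes_text):
    """Return {filename: (sha256_hex, size)} from the Checksums-Sha256 field
    of a .changes file. The field is multi-line: its entries are the
    space-indented lines following 'Checksums-Sha256:' up to the next
    non-indented field."""
    entries = {}
    in_field = False
    for line in changes_text.splitlines():
        if not in_field:
            in_field = line.rstrip() == "Checksums-Sha256:"
            continue
        if not line.startswith(" "):
            break
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed entry; skip rather than guess
        digest, size, name = parts
        entries[name] = (digest.lower(), int(size))
    return entries


def verify_files(changes_text, directory):
    """Check every listed file in `directory` against its recorded size and
    SHA-256. Returns {filename: status} with status one of
    'ok', 'missing', 'size-mismatch', 'sha256-mismatch'."""
    results = {}
    for name, (digest, size) in parse_checksums_sha256(changes_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != size:
            results[name] = "size-mismatch"
            continue
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(1 << 16), b""):
                h.update(block)
        results[name] = "ok" if h.hexdigest() == digest else "sha256-mismatch"
    return results


def demo():
    """Constructed scenario: two files written with made-up contents and
    listed with their true digests, a third listed but never written, then
    one byte of the .dsc flipped (size unchanged) before verification."""
    contents = {
        "vlc_2.0.3-4.dsc": b"Format: 3.0 (quilt)\nSource: vlc\n",
        "vlc_2.0.3-4.debian.tar.gz": b"\x1f\x8b" + b"constructed tarball bytes\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        lines = ["Format: 1.8", "Source: vlc", "Checksums-Sha256:"]
        for name, data in contents.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
            lines.append(" %s %d %s" % (hashlib.sha256(data).hexdigest(), len(data), name))
        lines.append(" %s 10 vlc_2.0.3-4_amd64.deb" % hashlib.sha256(b"").hexdigest())
        lines.append("Files:")  # the next field terminates the stanza
        changes = "\n".join(lines) + "\n"
        with open(os.path.join(tmp, "vlc_2.0.3-4.dsc"), "r+b") as fh:
            fh.write(b"f")  # tamper: 'F' -> 'f', same length
        return verify_files(changes, tmp)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-32s %s" % (name, status))
```

Size is checked first because it is free and catches truncated downloads; the digest is what actually binds a file to the signed .changes, so a size match alone proves nothing, and the .changes signature itself still has to be verified against the uploader's key before any of its digests are trusted.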




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 04 Jan 2013 07:26:17 GMT)


Bug unarchived. Request was from jmw@debian.org to control@bugs.debian.org. (Thu, 17 Jan 2013 12:00:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#692130; Package vlc. (Thu, 17 Jan 2013 14:36:03 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Thu, 17 Jan 2013 14:36:03 GMT)


Message #24 received at 692130@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 692130@bugs.debian.org
Subject: Re: vlc: CVE-2012-5470
Date: Thu, 17 Jan 2013 12:15:02 -0000
Package: vlc

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.7) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/692130/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 15 Feb 2013 07:25:55 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:30:13 2019; Machine Name: buxtehude