vlc: CVE-2008-4654 stack-based buffer overflow in ty parsing

Related Vulnerabilities: CVE-2008-4654   CVE-2008-4686  

Debian Bug report logs - #502726


Reported by: Remi Denis-Courmont <rdenis@simphalempin.com>

Date: Sun, 19 Oct 2008 13:21:01 UTC

Severity: grave

Tags: experimental, fixed-upstream, security, upstream

Found in version vlc/0.8.6.h-4

Fixed in version vlc/0.9.4-2

Done: Christophe Mutricy <xtophe@videolan.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#502726; Package vlc-nox. (Sun, 19 Oct 2008 13:21:04 GMT) (full text, mbox, link).


Acknowledgement sent to Remi Denis-Courmont <rdenis@simphalempin.com>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sun, 19 Oct 2008 13:21:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Remi Denis-Courmont <rdenis@simphalempin.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libty_plugin: vlc: exploitable buffer overflow in TY demux
Date: Sun, 19 Oct 2008 16:18:56 +0300
Package: vlc-nox
Version: 0.8.6.h-4
Severity: grave
File: libty_plugin
Tags: security
Justification: user security hole


VLC versions 0.8.2 through 0.9.4 are prone to an exploitable
stack-based buffer overflow in the TY (TiVo) file parser.

See also http://www.videolan.org/security/sa0809.html

N.B.: please give me the CVE ID if you allocate one.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (100, 'unstable'), (100, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.27 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages vlc-nox depends on:
ii  liba52-0.7.4           0.7.4-11          library for decoding ATSC A/52 str
ii  libasound2             1.0.16-2          ALSA library
ii  libavahi-client3       0.6.23-2          Avahi client library
ii  libavahi-common3       0.6.23-2          Avahi common library
ii  libavc1394-0           0.5.3-1+b1        control IEEE 1394 audio/video devi
ii  libavcodec51           0.svn20080206-14  ffmpeg codec library
ii  libavformat52          0.svn20080206-14  ffmpeg file format library
ii  libavutil49            0.svn20080206-14  ffmpeg utility library
ii  libc6                  2.7-15            GNU C Library: Shared libraries
ii  libcdio7               0.78.2+dfsg1-3    library to read and control CD-ROM
ii  libdbus-1-3            1.2.1-3           simple interprocess messaging syst
ii  libdvbpsi4             0.1.5-3.1         library for MPEG TS and DVB PSI ta
ii  libdvdnav4             4.1.2-3           DVD navigation library
ii  libdvdread3            0.9.7-11          library for reading DVDs
ii  libebml0               0.7.7-3.1         access library for the EBML format
ii  libfaad0               2.6.1-3.1         freeware Advanced Audio Decoder - 
ii  libflac8               1.2.1-1.2         Free Lossless Audio Codec - runtim
ii  libfreetype6           2.3.7-2           FreeType 2 font engine, shared lib
ii  libfribidi0            0.10.9-1          Free Implementation of the Unicode
ii  libgcc1                1:4.3.2-1         GCC support library
ii  libgcrypt11            1.4.1-1           LGPL Crypto library - runtime libr
ii  libgnutls26            2.4.2-1           the GNU TLS library - runtime libr
ii  libhal1                0.5.11-5          Hardware Abstraction Layer - share
ii  libid3tag0             0.15.1b-10        ID3 tag reading library from the M
ii  libiso9660-5           0.78.2+dfsg1-3    library to work with ISO9660 files
ii  liblircclient0         0.8.3-3           infra-red remote control support -
ii  libmad0                0.15.1b-3         MPEG audio decoder library
ii  libmatroska0           0.8.1-1.1         extensible open standard audio/vid
ii  libmodplug0c2          1:0.8.4-2         shared libraries for mod music bas
ii  libmpcdec3             1.2.2-1           Musepack (MPC) format library
ii  libmpeg2-4             0.4.1-3           MPEG1 and MPEG2 video decoder libr
ii  libncurses5            5.6+20081011-1    shared libraries for terminal hand
ii  libogg0                1.1.3-4           Ogg Bitstream Library
ii  libpng12-0             1.2.27-2          PNG library - runtime
ii  libpostproc51          0.svn20080206-14  ffmpeg video postprocessing librar
ii  libraw1394-8           1.3.0-4           library for direct access to IEEE 
ii  libsmbclient           2:3.2.3-3         shared library that allows applica
ii  libspeex1              1.2~rc1-1         The Speex codec runtime library
ii  libstdc++6             4.3.2-1           The GNU Standard C++ Library v3
ii  libsysfs2              2.1.0-5           interface library to sysfs
ii  libtheora0             1.0~beta3-1       The Theora Video Compression Codec
ii  libtwolame0            0.3.12-1          MPEG Audio Layer 2 encoding librar
ii  libvcdinfo0            0.7.23-4          library to extract information fro
ii  libvlc0                0.8.6.h-4         multimedia player and streamer lib
ii  libvorbis0a            1.2.0.dfsg-3.1    The Vorbis General Audio Compressi
ii  libvorbisenc2          1.2.0.dfsg-3.1    The Vorbis General Audio Compressi
ii  libxml2                2.6.32.dfsg-4     GNOME XML library
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

vlc-nox recommends no packages.

vlc-nox suggests no packages.

-- no debconf information




Tags added: upstream, fixed-upstream Request was from Rémi Denis-Courmont <rdenis@simphalempin.com> to control@bugs.debian.org. (Sun, 19 Oct 2008 13:33:02 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#502726; Package vlc-nox. (Sun, 19 Oct 2008 16:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sun, 19 Oct 2008 16:30:03 GMT) (full text, mbox, link).


Message #12 received at 502726@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: Remi Denis-Courmont <rdenis@simphalempin.com>, 502726@bugs.debian.org
Subject: Re: Bug#502726: libty_plugin: vlc: exploitable buffer overflow in TY demux
Date: Sun, 19 Oct 2008 18:28:39 +0200
Hi Remi,
* Remi Denis-Courmont <rdenis@simphalempin.com> [2008-10-19 17:44]:
> VLC versions 0.8.2 through 0.9.4 are prone to an exploitable
> stack-based buffer overflow in the TY (TiVo) file parser.
> 
> See also http://www.videolan.org/security/sa0809.html

are you sure that this is the case in 0.8.6.h-4?

> 
> N.B.: please give me the CVE ID if you allocate one.

I requested a CVE id and will forward it to you then.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#502726; Package vlc-nox. (Sun, 19 Oct 2008 16:39:02 GMT) (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sun, 19 Oct 2008 16:39:02 GMT) (full text, mbox, link).


Message #17 received at 502726@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: Remi Denis-Courmont <rdenis@simphalempin.com>, 502726@bugs.debian.org
Subject: Re: Bug#502726: libty_plugin: vlc: exploitable buffer overflow in TY demux
Date: Sun, 19 Oct 2008 18:35:25 +0200
Hi Remi,
* Remi Denis-Courmont <rdenis@simphalempin.com> [2008-10-19 17:44]:
> VLC versions 0.8.2 through 0.9.4 are prone to an exploitable
> stack-based buffer overflow in the TY (TiVo) file parser.
> 
> See also http://www.videolan.org/security/sa0809.html

Are you sure that 0.8.6.h-4 in unstable is affected?
Looking at 
http://git.videolan.org/?p=vlc.git;a=blob;f=modules/demux/ty.c;h=65a408f67a363747f7308a8a858a6dad50e54e67;hb=26d92b87bba99b5ea2e17b7eaa39c462d65e9133
the overflow happens because of the integer conversion in 8 
+ i_map_size or if i_map_size + 8 exceeds mst_buf.
I had a look at the code in 0.8.6.h-4 and didn't see 
something similar. Only static size reads with correct 
sizes.

Can you confirm that this does not affect 0.8.6.h-4 and if 
not, what do I miss?

> N.B.: please give me the CVE ID if you allocate one.

I requested one and will forward it to you.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
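
The pattern discussed in the message above (a size value taken from the TY header, added to 8 and used as the read length into the fixed buffer `mst_buf`), shown beside a bounds-checked form. This is an added C illustration, not VLC's source and not part of the original mail. The 32-byte buffer, the offset of the size field and all function names are assumptions, and the sample headers are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MST_BUF_SIZE 32u  /* assumed size of the fixed stack buffer        */
#define ENTRY_HDR     8u  /* fixed bytes read ahead of the variable part   */
#define SIZE_OFFSET  20u  /* assumed offset of the 32-bit size field       */
#define HDR_LEN      24u  /* length of the constructed sample header       */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Build a constructed header carrying the given size value. */
static void make_header(uint8_t hdr[HDR_LEN], uint32_t size)
{
    memset(hdr, 0, HDR_LEN);
    hdr[SIZE_OFFSET]     = (uint8_t)(size >> 24);
    hdr[SIZE_OFFSET + 1] = (uint8_t)(size >> 16);
    hdr[SIZE_OFFSET + 2] = (uint8_t)(size >> 8);
    hdr[SIZE_OFFSET + 3] = (uint8_t)size;
}

/* Unchecked pattern: the file's size value is converted to a signed int and
 * added to 8. Returns the length that would be handed to the read call;
 * nothing is copied here. */
static long long unchecked_read_len(const uint8_t *hdr)
{
    int32_t i_map_size = (int32_t)be32(hdr + SIZE_OFFSET);
    return 8 + (long long)i_map_size;
}

/* Checked form: keep the size unsigned, compare it against the room left in
 * the buffer BEFORE adding, then against the bytes actually available.
 * Returns 0 and fills mst_buf, or -1 if the header is rejected. */
static int read_entry_checked(const uint8_t *hdr, size_t hdr_len,
                              const uint8_t *body, size_t body_len,
                              uint8_t mst_buf[MST_BUF_SIZE], size_t *out_len)
{
    if (hdr_len < SIZE_OFFSET + 4u)
        return -1;                               /* size field not present */
    uint32_t i_map_size = be32(hdr + SIZE_OFFSET);
    if (i_map_size > MST_BUF_SIZE - ENTRY_HDR)
        return -1;                               /* would overrun mst_buf  */
    size_t need = ENTRY_HDR + (size_t)i_map_size;
    if (need > body_len)
        return -1;                               /* truncated input        */
    memcpy(mst_buf, body, need);
    *out_len = need;
    return 0;
}

int main(void)
{
    static const uint32_t sizes[] = { 8u, 24u, 0x100u, 0xFFFFFFF0u };
    uint8_t hdr[HDR_LEN], body[64] = {0}, mst_buf[MST_BUF_SIZE];

    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        size_t n = 0;
        make_header(hdr, sizes[i]);
        int rc = read_entry_checked(hdr, sizeof hdr, body, sizeof body,
                                    mst_buf, &n);
        printf("size=0x%08x unchecked_len=%lld checked=%s\n",
               (unsigned)sizes[i], unchecked_read_len(hdr),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The last sample size shows the integer-conversion case: read as a signed value it makes `8 + i_map_size` negative, which a read call taking an unsigned length would interpret as a very large count.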




Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#502726; Package vlc-nox. (Sun, 19 Oct 2008 16:51:08 GMT) (full text, mbox, link).


Acknowledgement sent to Rémi Denis-Courmont <rdenis@simphalempin.com>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Sun, 19 Oct 2008 16:51:08 GMT) (full text, mbox, link).


Message #22 received at 502726@bugs.debian.org (full text, mbox, reply):

From: Rémi Denis-Courmont <rdenis@simphalempin.com>
To: Nico Golde <nion@debian.org>
Cc: 502726@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#502726: libty_plugin: vlc: exploitable buffer overflow in TY demux
Date: Sun, 19 Oct 2008 19:48:08 +0300
tags 502726 + experimental
thanks

On Sunday 19 October 2008 19:35:25 Nico Golde, you wrote:
> > See also http://www.videolan.org/security/sa0809.html
>
> Are you sure that 0.8.6.h-4 in unstable is affected?
> Looking at
> http://git.videolan.org/?p=vlc.git;a=blob;f=modules/demux/ty.c;h=65a408f67a363747f7308a8a858a6dad50e54e67;hb=26d92b87bba99b5ea2e17b7eaa39c462d65e9133
> the overflow happens because of the integer conversion in 8
> + i_map_size or if i_map_size + 8 exceeds mst_buf.
> I had a look at the code in 0.8.6.h-4 and didn't see
> something similar. Only static size reads with correct
> sizes.
>
> Can you confirm that this does not affect 0.8.6.h-4 and if
> not, what do I miss?

Probably so. Unfortunately, I have no samples.

-- 
Rémi Denis-Courmont
http://www.remlab.net/




Tags added: experimental Request was from Rémi Denis-Courmont <rdenis@simphalempin.com> to control@bugs.debian.org. (Sun, 19 Oct 2008 16:51:10 GMT) (full text, mbox, link).


Reply sent to Christophe Mutricy <xtophe@videolan.org>:
You have taken responsibility. (Tue, 21 Oct 2008 01:21:05 GMT) (full text, mbox, link).


Notification sent to Remi Denis-Courmont <rdenis@simphalempin.com>:
Bug acknowledged by developer. (Tue, 21 Oct 2008 01:21:05 GMT) (full text, mbox, link).


Message #29 received at 502726-close@bugs.debian.org (full text, mbox, reply):

From: Christophe Mutricy <xtophe@videolan.org>
To: 502726-close@bugs.debian.org
Subject: Bug#502726: fixed in vlc 0.9.4-2
Date: Tue, 21 Oct 2008 01:02:09 +0000
Source: vlc
Source-Version: 0.9.4-2

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc-dev_0.9.4-2_i386.deb
  to pool/main/v/vlc/libvlc-dev_0.9.4-2_i386.deb
libvlc2_0.9.4-2_i386.deb
  to pool/main/v/vlc/libvlc2_0.9.4-2_i386.deb
libvlccore-dev_0.9.4-2_i386.deb
  to pool/main/v/vlc/libvlccore-dev_0.9.4-2_i386.deb
libvlccore0_0.9.4-2_i386.deb
  to pool/main/v/vlc/libvlccore0_0.9.4-2_i386.deb
mozilla-plugin-vlc_0.9.4-2_i386.deb
  to pool/main/v/vlc/mozilla-plugin-vlc_0.9.4-2_i386.deb
vlc-data_0.9.4-2_all.deb
  to pool/main/v/vlc/vlc-data_0.9.4-2_all.deb
vlc-dbg_0.9.4-2_i386.deb
  to pool/main/v/vlc/vlc-dbg_0.9.4-2_i386.deb
vlc-nox_0.9.4-2_i386.deb
  to pool/main/v/vlc/vlc-nox_0.9.4-2_i386.deb
vlc-plugin-arts_0.9.4-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.9.4-2_i386.deb
vlc-plugin-esd_0.9.4-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.9.4-2_i386.deb
vlc-plugin-ggi_0.9.4-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.9.4-2_i386.deb
vlc-plugin-jack_0.9.4-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-jack_0.9.4-2_i386.deb
vlc-plugin-pulse_0.9.4-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-pulse_0.9.4-2_i386.deb
vlc-plugin-sdl_0.9.4-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.9.4-2_i386.deb
vlc-plugin-svgalib_0.9.4-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-svgalib_0.9.4-2_i386.deb
vlc_0.9.4-2.diff.gz
  to pool/main/v/vlc/vlc_0.9.4-2.diff.gz
vlc_0.9.4-2.dsc
  to pool/main/v/vlc/vlc_0.9.4-2.dsc
vlc_0.9.4-2_i386.deb
  to pool/main/v/vlc/vlc_0.9.4-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 502726@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christophe Mutricy <xtophe@videolan.org> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 20 Oct 2008 23:23:46 +0200
Source: vlc
Binary: vlc vlc-dbg vlc-nox libvlccore0 libvlc2 libvlccore-dev libvlc-dev vlc-plugin-esd vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-arts mozilla-plugin-vlc vlc-plugin-svgalib vlc-plugin-jack vlc-plugin-pulse vlc-data
Architecture: source all i386
Version: 0.9.4-2
Distribution: experimental
Urgency: low
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Christophe Mutricy <xtophe@videolan.org>
Description: 
 libvlc-dev - development files for VLC
 libvlc2    - multimedia player and streamer library
 libvlccore-dev - development files for VLC
 libvlccore0 - multimedia player and streamer library
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc        - multimedia player and streamer
 vlc-data   - Common data for VLC
 vlc-dbg    - debugging symbols for vlc
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-pulse - PulseAudio plugin for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svgalib - SVGAlib video output plugin for VLC
Closes: 502726
Changes: 
 vlc (0.9.4-2) experimental; urgency=low
 .
   * Fix buffer overflow in Tivo demuxer
     + Closes: #502726, VideoLAN SA-0809
     + 402_tivo_overflow.diff taken from upstream
   * Better xinerama fullscreen behaviour
     + 401_detect_xinerama_fullscreen.diff taken from upstream
   * Builddepends on libcursesw5-dev rather than libcurses5-dev
     for proper wide char handling

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkj9JNIACgkQOU3FkQ7XBOqChgCgxbZebWCxBW21bJ500qLGrypP
HPEAn1bCBS2yWIs3OvNGAx0lSfLgkDjh
=JXJP
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#502726; Package vlc-nox. (Wed, 22 Oct 2008 17:24:04 GMT) (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 22 Oct 2008 17:24:04 GMT) (full text, mbox, link).


Message #34 received at 502726@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: Rémi Denis-Courmont <rdenis@simphalempin.com>, 502726@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#502726: libty_plugin: vlc: exploitable buffer overflow in TY demux
Date: Wed, 22 Oct 2008 19:22:51 +0200
[Message part 1 (text/plain, inline)]
retitle 502726 vlc: CVE-2008-4654, CVE-2008-4686 buffer overflow in ty parsing and multiple integer overflows
thanks

Hi Rémi,
* Rémi Denis-Courmont <rdenis@simphalempin.com> [2008-10-19 20:22]:
> On Sunday 19 October 2008 19:35:25 Nico Golde, you wrote:
> > > See also http://www.videolan.org/security/sa0809.html
> >
> > Are you sure that 0.8.6.h-4 in unstable is affected?
> > Looking at
> > http://git.videolan.org/?p=vlc.git;a=blob;f=modules/demux/ty.c;h=65a408f67a363747f7308a8a858a6dad50e54e67;hb=26d92b87bba99b5ea2e17b7eaa39c462d65e9133
> > the overflow happens because of the integer conversion in 8
> > + i_map_size or if i_map_size + 8 exceeds mst_buf.
> > I had a look at the code in 0.8.6.h-4 and didn't see
> > something similar. Only static size reads with correct
> > sizes.
> >
> > Can you confirm that this does not affect 0.8.6.h-4 and if
> > not, what do I miss?
>
> Probably so. Unfortunately, I have no samples.

Here are the CVE ids:
Name: CVE-2008-4654
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4654
Reference: BUGTRAQ:20081020 [TKADV2008-010] VLC media player TiVo ty Processing Stack Overflow Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/497587/100/0/threaded
Reference: MLIST:[oss-security] 20081019 CVE id request: vlc
Reference: URL:http://www.openwall.com/lists/oss-security/2008/10/19/2
Reference: MISC:http://www.trapkit.de/advisories/TKADV2008-010.txt
Reference: CONFIRM:http://git.videolan.org/?p=vlc.git;a=commit;h=fde9e1cc1fe1ec9635169fa071e42b3aa6436033
Reference: CONFIRM:http://git.videolan.org/?p=vlc.git;a=commitdiff;h=26d92b87bba99b5ea2e17b7eaa39c462d65e9133
Reference: CONFIRM:http://www.videolan.org/security/sa0809.html
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502726
Reference: BID:31813
Reference: URL:http://www.securityfocus.com/bid/31813
Reference: FRSIRT:ADV-2008-2856
Reference: URL:http://www.frsirt.com/english/advisories/2008/2856
Reference: SECUNIA:32339
Reference: URL:http://secunia.com/advisories/32339
Reference: XF:vlcmediaplayer-ty-bo(45960)
Reference: URL:http://xforce.iss.net/xforce/xfdb/45960

Stack-based buffer overflow in the parse_master function in the Ty
demux plugin (modules/demux/ty.c) in VLC Media Player 0.9.0 through
0.9.4 allows remote attackers to execute arbitrary code via a TiVo TY
media file with a header containing a crafted size value.

Name: CVE-2008-4686
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4686
Reference: MLIST:[oss-security] 20081019 CVE id request: vlc
Reference: URL:http://www.openwall.com/lists/oss-security/2008/10/19/2
Reference: CONFIRM:http://git.videolan.org/?p=vlc.git;a=commitdiff;h=d859e6b9537af2d7326276f70de25a840f554dc3

Multiple integer overflows in ty.c in the TY demux plugin (aka the
TiVo demuxer) in VideoLAN VLC media player, probably 0.9.4, allow
remote attackers to have an unknown impact via a crafted .ty file, a
different vulnerability than CVE-2008-4654.


The second one was not covered by your original bug report but this is probably
also security relevant.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Changed Bug title to `vlc: CVE-2008-4654, CVE-2008-4686 buffer overflow in ty parsing and multiple integer overflows' from `libty_plugin: vlc: exploitable buffer overflow in TY demux'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 22 Oct 2008 17:24:05 GMT) (full text, mbox, link).


Bug 502726 cloned as bug 503118. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 22 Oct 2008 17:33:03 GMT) (full text, mbox, link).


Changed Bug title to `vlc: CVE-2008-4654 stack-based buffer overflow in ty parsing' from `vlc: CVE-2008-4654, CVE-2008-4686 buffer overflow in ty parsing and multiple integer overflows'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 22 Oct 2008 17:42:04 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 07 Feb 2011 07:48:57 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:35:40 2019; Machine Name: buxtehude
