Debian Bug report logs -
#467652
vlc: CVE-2008-0984 arbitrary code execution via crafted mp4 file
Reported by: Axel Beckert <beckert@phys.ethz.ch>
Date: Tue, 26 Feb 2008 18:00:08 UTC
Severity: grave
Tags: etch, patch, security
Found in versions vlc/0.8.6.c-6, vlc/0.8.6-svn20061012.debian-5etch4
Fixed in versions vlc/0.8.6.e-1, vlc/0.8.6.c-6+lenny1, 0.8.6.e-1
Done: Nico Golde <nion@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
:
Bug#467652
; Package vlc
.
(full text, mbox, link).
Acknowledgement sent to Remi Denis-Courmont <rdenis@simphalempin.com>
:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: vlc
Version: 0.8.6.c-6
Severity: grave
Tags: security
Justification: user security hole
"VLC media player's MPEG-4 file format parser (a.k.a. the MP4 demuxer)
suffers from an arbitrary memory overwrite vulnerability when using
specially crafted (invalid) MP4 input files.
If successful, a malicious third party could trigger execution of
arbitrary code within the context of the VLC media player, or otherwise
crash the player instance.
Exploitation of the MP4 demuxer problem requires the user to explicitly
open a specially crafted file."
See also http://www.videolan.org/security/sa0802.html
This also affects Etch.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (100, 'unstable'), (100, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.24.2 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages vlc depends on:
ii libaa1 1.4p5-34 ascii art library
ii libatk1.0-0 1.20.0-1 The ATK accessibility toolkit
ii libc6 2.7-8 GNU C Library: Shared libraries
ii libcaca0 0.99.beta13b-4 colour ASCII art library
ii libcairo2 1.4.14-1 The Cairo 2D vector graphics libra
ii libcdio7 0.78.2+dfsg1-2 library to read and control CD-ROM
ii libcucul0 0.99.beta13b-4 low-level Unicode character drawin
ii libdbus-1-3 1.1.4-1 simple interprocess messaging syst
ii libdbus-glib-1-2 0.74-1 simple interprocess messaging syst
ii libfreetype6 2.3.5-1+b1 FreeType 2 font engine, shared lib
ii libfribidi0 0.10.9-1 Free Implementation of the Unicode
ii libgcc1 1:4.3-20080219-1 GCC support library
ii libgl1-mesa-glx [libgl 7.0.3~rc2-1 A free implementation of the OpenG
ii libglib2.0-0 2.14.6-1 The GLib library of C routines
ii libglu1-mesa [libglu1] 7.0.3~rc2-1 The OpenGL utility library (GLU)
ii libgtk2.0-0 2.12.8-1 The GTK+ graphical user interface
ii libice6 2:1.0.4-1 X11 Inter-Client Exchange library
ii libiso9660-5 0.78.2+dfsg1-2 library to work with ISO9660 files
ii libjpeg62 6b-14 The Independent JPEG Group's JPEG
ii libnotify1 [libnotify1 0.4.4-3 sends desktop notifications to a n
ii libpango1.0-0 1.18.4-1 Layout and rendering of internatio
ii libpng12-0 1.2.15~beta5-3 PNG library - runtime
ii libsdl-image1.2 1.2.6-3 image loading library for Simple D
ii libsdl1.2debian 1.2.13-2 Simple DirectMedia Layer
ii libsm6 2:1.0.3-1+b1 X11 Session Management library
ii libstdc++6 4.3-20080219-1 The GNU Standard C++ Library v3
ii libtar 1.2.11-4 C library for manipulating tar arc
ii libtiff4 3.8.2-7 Tag Image File Format (TIFF) libra
ii libvcdinfo0 0.7.23-4 library to extract information fro
ii libvlc0 0.8.6.c-6 multimedia player and streamer lib
ii libwxbase2.6-0 2.6.3.2.2-2 wxBase library (runtime) - non-GUI
ii libwxgtk2.6-0 2.6.3.2.2-2 wxWidgets Cross-platform C++ GUI t
ii libx11-6 2:1.0.3-7 X11 client-side library
ii libxext6 1:1.0.3-2 X11 miscellaneous extension librar
ii libxinerama1 1:1.0.2-1 X11 Xinerama extension library
ii libxosd2 2.2.14-1.5 X On-Screen Display library - runt
ii libxv1 1:1.0.3-1 X11 Video extension library
ii ttf-dejavu-core 2.23-1 Vera font family derivate with add
ii vlc-nox 0.8.6.c-6 multimedia player and streamer (wi
ii zlib1g 1:1.2.3.3.dfsg-11 compression library - runtime
vlc recommends no packages.
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
:
Bug#467652
; Package vlc
.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
.
(full text, mbox, link).
Message #10 received at 467652@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
tags 467652 + patch
thanks
Hi,
a CVE id for this issue is currently pending.
The patch can is on:
http://www.videolan.org/patches/vlc-0.8.6-CORE-2008-0130.patch
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Tags added: patch
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org
.
(Tue, 26 Feb 2008 18:33:05 GMT) (full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
:
Bug#467652
; Package vlc
.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
.
(full text, mbox, link).
Message #17 received at 467652@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
retitle 467652 vlc: CVE-2008-0984 arbitrary code execution via crafted mp4 file
thanks
Hi,
use CVE-2008-0984 as the CVE id. Please mention it in the
changelog if you fix this issue.
Kind regards
Nico
[Message part 2 (application/pgp-signature, inline)]
Changed Bug title to `vlc: CVE-2008-0984 arbitrary code execution via crafted mp4 file' from `vlc: arbitrary memory overwrite in the MP4 demuxer'.
Request was from Nico Golde <nion@debian.org>
to control@bugs.debian.org
.
(Tue, 26 Feb 2008 19:54:07 GMT) (full text, mbox, link).
Reply sent to Nico Golde <nion@debian.org>
:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Remi Denis-Courmont <rdenis@simphalempin.com>
:
Bug acknowledged by developer.
(full text, mbox, link).
Message #24 received at 467652-close@bugs.debian.org (full text, mbox, reply):
Source: vlc
Source-Version: 0.8.6.c-6+lenny1
We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:
libvlc0-dev_0.8.6.c-6+lenny1_i386.deb
to pool/main/v/vlc/libvlc0-dev_0.8.6.c-6+lenny1_i386.deb
libvlc0_0.8.6.c-6+lenny1_i386.deb
to pool/main/v/vlc/libvlc0_0.8.6.c-6+lenny1_i386.deb
mozilla-plugin-vlc_0.8.6.c-6+lenny1_i386.deb
to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.c-6+lenny1_i386.deb
vlc-nox_0.8.6.c-6+lenny1_i386.deb
to pool/main/v/vlc/vlc-nox_0.8.6.c-6+lenny1_i386.deb
vlc-plugin-alsa_0.8.6.c-6+lenny1_all.deb
to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.c-6+lenny1_all.deb
vlc-plugin-arts_0.8.6.c-6+lenny1_i386.deb
to pool/main/v/vlc/vlc-plugin-arts_0.8.6.c-6+lenny1_i386.deb
vlc-plugin-esd_0.8.6.c-6+lenny1_i386.deb
to pool/main/v/vlc/vlc-plugin-esd_0.8.6.c-6+lenny1_i386.deb
vlc-plugin-ggi_0.8.6.c-6+lenny1_i386.deb
to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.c-6+lenny1_i386.deb
vlc-plugin-glide_0.8.6.c-6+lenny1_i386.deb
to pool/main/v/vlc/vlc-plugin-glide_0.8.6.c-6+lenny1_i386.deb
vlc-plugin-jack_0.8.6.c-6+lenny1_i386.deb
to pool/main/v/vlc/vlc-plugin-jack_0.8.6.c-6+lenny1_i386.deb
vlc-plugin-sdl_0.8.6.c-6+lenny1_i386.deb
to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.c-6+lenny1_i386.deb
vlc-plugin-svgalib_0.8.6.c-6+lenny1_i386.deb
to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.c-6+lenny1_i386.deb
vlc_0.8.6.c-6+lenny1.diff.gz
to pool/main/v/vlc/vlc_0.8.6.c-6+lenny1.diff.gz
vlc_0.8.6.c-6+lenny1.dsc
to pool/main/v/vlc/vlc_0.8.6.c-6+lenny1.dsc
vlc_0.8.6.c-6+lenny1_i386.deb
to pool/main/v/vlc/vlc_0.8.6.c-6+lenny1_i386.deb
wxvlc_0.8.6.c-6+lenny1_all.deb
to pool/main/v/vlc/wxvlc_0.8.6.c-6+lenny1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 467652@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated vlc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 27 Feb 2008 16:06:47 +0100
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-alsa vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts mozilla-plugin-vlc vlc-plugin-svgalib wxvlc vlc-plugin-jack
Architecture: source all i386
Version: 0.8.6.c-6+lenny1
Distribution: testing-security
Urgency: high
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description:
libvlc0 - multimedia player and streamer library
libvlc0-dev - development files for VLC
mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
vlc - multimedia player and streamer
vlc-nox - multimedia player and streamer (without X support)
vlc-plugin-alsa - dummy transitional package
vlc-plugin-arts - aRts audio output plugin for VLC
vlc-plugin-esd - Esound audio output plugin for VLC
vlc-plugin-ggi - GGI video output plugin for VLC
vlc-plugin-glide - Glide video output plugin for VLC
vlc-plugin-jack - Jack audio plugins for VLC
vlc-plugin-sdl - SDL video and audio output plugin for VLC
vlc-plugin-svgalib - SVGAlib video output plugin for VLC
wxvlc - dummy transitional package
Closes: 467652
Changes:
vlc (0.8.6.c-6+lenny1) testing-security; urgency=high
.
* Non-maintainer upload by security team.
* This update addresses the following security issue:
- CVE-2008-0986: A buffer overflow in the mpeg-4 demuxer
could lead to arbitrary code execution via a crafted
mp4 file (sec-CVE-2008-0984.diff; Closes: #467652).
Files:
8513f783a180c211ebd13248f36d3ad8 2713 graphics optional vlc_0.8.6.c-6+lenny1.dsc
e01b8c433658a618a947b6a4e6a48b91 38090 graphics optional vlc_0.8.6.c-6+lenny1.diff.gz
64297a74fbb648fdb32022468d77b77f 802 graphics optional vlc-plugin-alsa_0.8.6.c-6+lenny1_all.deb
14b56d6b81798bac7f9b9eb85a465143 798 graphics optional wxvlc_0.8.6.c-6+lenny1_all.deb
a5bb48d46164eaf2fe7e2861cd03f04e 1143410 graphics optional vlc_0.8.6.c-6+lenny1_i386.deb
e7f627f8bb19ca8d2b7765ebc0dea03b 4710562 net optional vlc-nox_0.8.6.c-6+lenny1_i386.deb
47fb8215f4deb6a70c65cf3a39a1f79f 467142 libs optional libvlc0_0.8.6.c-6+lenny1_i386.deb
04d74dbff9be4f70a5689a1662399b5d 511126 libdevel optional libvlc0-dev_0.8.6.c-6+lenny1_i386.deb
c077130f787c6cd2cd39611dbe1d7de4 4822 graphics optional vlc-plugin-esd_0.8.6.c-6+lenny1_i386.deb
e99291e359c16c79fb2c133d32592f9a 10880 graphics optional vlc-plugin-sdl_0.8.6.c-6+lenny1_i386.deb
0c557821de817733c193dd96f89c4d33 5932 graphics optional vlc-plugin-ggi_0.8.6.c-6+lenny1_i386.deb
7087d64190189e27e1f5afbdaf8cf850 4196 graphics optional vlc-plugin-glide_0.8.6.c-6+lenny1_i386.deb
6addbc33cbc0376fc25f56c45027a908 4072 graphics optional vlc-plugin-arts_0.8.6.c-6+lenny1_i386.deb
7463cec14bd5bcdb3cdc41635d4b59ed 37774 graphics optional mozilla-plugin-vlc_0.8.6.c-6+lenny1_i386.deb
6cca05181808b8566c6daed6f00416ad 4536 graphics optional vlc-plugin-svgalib_0.8.6.c-6+lenny1_i386.deb
cf78b623c3a0bdd23e6d9d2ce477486d 4796 graphics optional vlc-plugin-jack_0.8.6.c-6+lenny1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHxapGHYflSXNkfP8RAipMAJ9IPSd9h4dlEC4c4JQJmoEJJ8xUewCfXCL7
0WsWpKF9p5b4AmwPsujyq64=
=3iab
-----END PGP SIGNATURE-----
Reply sent to Christophe Mutricy <xtophe@videolan.org>
:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Remi Denis-Courmont <rdenis@simphalempin.com>
:
Bug acknowledged by developer.
(full text, mbox, link).
Message #29 received at 467652-close@bugs.debian.org (full text, mbox, reply):
Source: vlc
Source-Version: 0.8.6.e-1
We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:
libvlc0-dev_0.8.6.e-1_i386.deb
to pool/main/v/vlc/libvlc0-dev_0.8.6.e-1_i386.deb
libvlc0_0.8.6.e-1_i386.deb
to pool/main/v/vlc/libvlc0_0.8.6.e-1_i386.deb
mozilla-plugin-vlc_0.8.6.e-1_i386.deb
to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.e-1_i386.deb
vlc-nox_0.8.6.e-1_i386.deb
to pool/main/v/vlc/vlc-nox_0.8.6.e-1_i386.deb
vlc-plugin-alsa_0.8.6.e-1_all.deb
to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.e-1_all.deb
vlc-plugin-arts_0.8.6.e-1_i386.deb
to pool/main/v/vlc/vlc-plugin-arts_0.8.6.e-1_i386.deb
vlc-plugin-esd_0.8.6.e-1_i386.deb
to pool/main/v/vlc/vlc-plugin-esd_0.8.6.e-1_i386.deb
vlc-plugin-ggi_0.8.6.e-1_i386.deb
to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.e-1_i386.deb
vlc-plugin-glide_0.8.6.e-1_i386.deb
to pool/main/v/vlc/vlc-plugin-glide_0.8.6.e-1_i386.deb
vlc-plugin-jack_0.8.6.e-1_i386.deb
to pool/main/v/vlc/vlc-plugin-jack_0.8.6.e-1_i386.deb
vlc-plugin-sdl_0.8.6.e-1_i386.deb
to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.e-1_i386.deb
vlc-plugin-svgalib_0.8.6.e-1_i386.deb
to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.e-1_i386.deb
vlc_0.8.6.e-1.diff.gz
to pool/main/v/vlc/vlc_0.8.6.e-1.diff.gz
vlc_0.8.6.e-1.dsc
to pool/main/v/vlc/vlc_0.8.6.e-1.dsc
vlc_0.8.6.e-1_i386.deb
to pool/main/v/vlc/vlc_0.8.6.e-1_i386.deb
vlc_0.8.6.e.orig.tar.gz
to pool/main/v/vlc/vlc_0.8.6.e.orig.tar.gz
wxvlc_0.8.6.e-1_all.deb
to pool/main/v/vlc/wxvlc_0.8.6.e-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 467652@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christophe Mutricy <xtophe@videolan.org> (supplier of updated vlc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 25 Feb 2008 23:35:24 +0000
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-alsa vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts mozilla-plugin-vlc vlc-plugin-svgalib wxvlc vlc-plugin-jack
Architecture: source all i386
Version: 0.8.6.e-1
Distribution: unstable
Urgency: high
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Christophe Mutricy <xtophe@videolan.org>
Description:
libvlc0 - multimedia player and streamer library
libvlc0-dev - development files for VLC
mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
vlc - multimedia player and streamer
vlc-nox - multimedia player and streamer (without X support)
vlc-plugin-alsa - dummy transitional package
vlc-plugin-arts - aRts audio output plugin for VLC
vlc-plugin-esd - Esound audio output plugin for VLC
vlc-plugin-ggi - GGI video output plugin for VLC
vlc-plugin-glide - Glide video output plugin for VLC
vlc-plugin-jack - Jack audio plugins for VLC
vlc-plugin-sdl - SDL video and audio output plugin for VLC
vlc-plugin-svgalib - SVGAlib video output plugin for VLC
wxvlc - dummy transitional package
Closes: 404361 467652
Changes:
vlc (0.8.6.e-1) unstable; urgency=high
.
[ Christophe Mutricy ]
* New security upstream release
- CORE-2008-0130, VideoLAN-SA-0802, CVE-2008-0986: Arbitrary memory
overwrite in the MP4 demuxer (Closes: #467652)
- Others security fixes already included in the Debian package
- Xshm detection fix (Closes: #404361)
- Alsa 5.1 fixes
- DTS to S/PDIF fixes
* patches/
- delete the uneeded sec-* patches
- delete 100_no_wx_update.diff as the update "feature" has been removed
upstream
.
[ Loic Minier ]
* Urgency high for security bugfix.
Files:
5d94304e331dd86c5053444f73992b69 2699 graphics optional vlc_0.8.6.e-1.dsc
e4b64e38b95e84a52b51dd433ba66972 16285612 graphics optional vlc_0.8.6.e.orig.tar.gz
9ad35158c8af3ddd0ec5550a1ae2dd1e 35337 graphics optional vlc_0.8.6.e-1.diff.gz
50f3751dcc0c775e3a267bb2043c39bc 798 graphics optional vlc-plugin-alsa_0.8.6.e-1_all.deb
662e930519bea013709b6769f7cbd053 790 graphics optional wxvlc_0.8.6.e-1_all.deb
24e9792e460cbefa00cb42c8d76e7c5e 1147424 graphics optional vlc_0.8.6.e-1_i386.deb
32ace1fc868428220327e9ab5528e2f3 4829932 net optional vlc-nox_0.8.6.e-1_i386.deb
da38894f2661a5f1519f0653bbcc8ff3 479994 libs optional libvlc0_0.8.6.e-1_i386.deb
f008833ec10d3747ba2faf2746eef88f 510944 libdevel optional libvlc0-dev_0.8.6.e-1_i386.deb
91dcd3f1f90961d16ecc4626d2485fca 4798 graphics optional vlc-plugin-esd_0.8.6.e-1_i386.deb
be52cf60b46f0196683f300b3de52a77 10890 graphics optional vlc-plugin-sdl_0.8.6.e-1_i386.deb
a7238d20c2c8472d094c81873a32e067 5926 graphics optional vlc-plugin-ggi_0.8.6.e-1_i386.deb
2b507a54b7f600839c190d36a51bd85c 4186 graphics optional vlc-plugin-glide_0.8.6.e-1_i386.deb
9879a969481f7f3efcd14b94a72ad47c 4068 graphics optional vlc-plugin-arts_0.8.6.e-1_i386.deb
567509257baa9f47583a797e8d0a38cd 37838 graphics optional mozilla-plugin-vlc_0.8.6.e-1_i386.deb
2ea52013d0a5954b82691dfcb2f2d343 4528 graphics optional vlc-plugin-svgalib_0.8.6.e-1_i386.deb
716bf915fe466a24f8c966f533896491 4788 graphics optional vlc-plugin-jack_0.8.6.e-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHxsPv4VUX8isJIMARAsZbAKCEOG6p6MKqD23UlU9G0PpW7CIjQACfTXtM
bseLwnsYal2ZiydN54W73Q0=
=JVIZ
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
:
Bug#467652
; Package vlc
.
(full text, mbox, link).
Acknowledgement sent to Axel Beckert <beckert@phys.ethz.ch>
:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
.
(full text, mbox, link).
Message #34 received at 467652@bugs.debian.org (full text, mbox, reply):
reopen 467652 !
found 467652 0.8.6-svn20061012.debian-5etch4
tag 467652 +etch
thanks
I have no exploit for CVE-2008-0984 available to proof that vlc in
Etch is vulnerable, but since the official patch applies to the vlc
source in Etch without problems, it is very likely that vlc in Etch is
also affected.
Kind regards, Axel Beckert
--
Axel Beckert <beckert@phys.ethz.ch> support: +41 44 633 2668
IT Support Group, HPR E 86.1 voice: +41 44 633 4189
Departement Physik, ETH Zurich fax: +41 44 633 1239
CH-8093 Zurich, Switzerland http://nic.phys.ethz.ch/
Bug reopened, originator set to Axel Beckert <beckert@phys.ethz.ch>.
Request was from Axel Beckert <beckert@phys.ethz.ch>
to control@bugs.debian.org
.
(Tue, 04 Mar 2008 10:06:15 GMT) (full text, mbox, link).
Bug marked as found in version 0.8.6-svn20061012.debian-5etch4.
Request was from Axel Beckert <beckert@phys.ethz.ch>
to control@bugs.debian.org
.
(Tue, 04 Mar 2008 10:06:15 GMT) (full text, mbox, link).
Tags added: etch
Request was from Axel Beckert <beckert@phys.ethz.ch>
to control@bugs.debian.org
.
(Tue, 04 Mar 2008 10:06:16 GMT) (full text, mbox, link).
Bug marked as fixed in version 0.8.6.e-1.
Request was from Axel Beckert <beckert@phys.ethz.ch>
to control@bugs.debian.org
.
(Tue, 04 Mar 2008 11:30:07 GMT) (full text, mbox, link).
Bug marked as fixed in version 0.8.6.c-6+lenny1.
Request was from Axel Beckert <beckert@phys.ethz.ch>
to control@bugs.debian.org
.
(Tue, 04 Mar 2008 11:30:07 GMT) (full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
:
Bug#467652
; Package vlc
.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>
:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
.
(full text, mbox, link).
Message #49 received at 467652@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
* Axel Beckert <beckert@phys.ethz.ch> [2008-03-04 12:57]:
> reopen 467652 !
> found 467652 0.8.6-svn20061012.debian-5etch4
> tag 467652 +etch
> thanks
>
> I have no exploit for CVE-2008-0984 available to proof that vlc in
> Etch is vulnerable, but since the official patch applies to the vlc
> source in Etch without problems, it is very likely that vlc in Etch is
> also affected.
PoC: http://nion.modprobe.de/la.mov
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Reply sent
to Nico Golde <nion@debian.org>
:
You have taken responsibility.
(Sun, 02 Nov 2008 12:21:15 GMT) (full text, mbox, link).
Notification sent
to Axel Beckert <beckert@phys.ethz.ch>
:
Bug acknowledged by developer.
(Sun, 02 Nov 2008 12:21:16 GMT) (full text, mbox, link).
Message #54 received at 467652-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Version: 0.8.6.e-1
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Mon, 16 Feb 2009 08:15:54 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:16:09 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.