VLC: New upstream release (0.8.6i) for hardy

Bug #262705 reported by Nicola Ferralis
Affects         Status         Importance   Assigned to     Milestone
vlc (Ubuntu)    Invalid        Undecided    Unassigned      (Declined for Intrepid by Mario Limonciello)
  Hardy         Fix Released   High         William Grant

Bug Description

Binary package hint: vlc

A new upstream release of VLC is available (0.8.6i)

Packages in Intrepid are currently still in version 0.8.6h and they should be upgraded to the new upstream release.

From the news release:
This is a bugfix release. VLC media player 0.8.6h and earlier versions suffer from security vulnerabilities in the WAV demuxer.
This release also includes improved audio visualizations on FreeBSD and miscellaneous bug fixes in multiple modules.
http://www.videolan.org/security/sa0806.html

Changes between 0.8.6h and 0.8.6i
Security updates

    * Fixed integer overflow in WAV demuxer (CVE-2008-2430)

Various bugfixes

    * Fixed option to use shared memory within the GLX video output module
    * Improved galaktos-based audio visualizations on FreeBSD
    * Miscellaneous bugfixes in multiple modules and in libvlc (transcode stream output, OSD menu video filter, VCD input, SAP services discovery, http control interface)
    * Updated Polish translation

William Grant (wgrant)
Changed in vlc:
assignee: nobody → wgrant
importance: Undecided → High
status: New → Triaged
Nicola Ferralis (feranick) wrote : Re: VLC: New upstream release (0.8.6.i)
Nicola Ferralis (feranick) wrote :

A security vulnerability in version 0.8.6i (and earlier) has been found:

http://www.videolan.org/security/sa0807.html

Patches are available from the source repository.

Details
When parsing the header of an invalid TTA file, an integer overflow might happen causing a heap-based buffer overflow.
When parsing a response from an MMS server, an integer overflow might happen causing a stack-based buffer overflow.

Impact
If successful, a malicious third party could trigger execution of arbitrary code within the context of the VLC media player. However, because the integer overflows will cause an unusually large amount of memory to be read, a page fault is most likely to occur (segmentation fault on Unix systems, general protection fault on Windows), resulting in a termination of the VLC process.

Threat mitigation
Exploitation of this issue requires the user to explicitly open a specially crafted file, or access a malicious MMS server.

Workarounds
The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied.

Solution
VLC media player 0.9.1 addresses these issues. Patches for VLC media player 0.8.6 are available from the official VLC source code repository.
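
The two integer-overflow paths the quoted advisory describes (a seek table sized from a TTA header and written on the heap, a length field from an MMS response copied into a fixed stack buffer), shown as an added example. This is not VLC's code and not part of the bug report: the header layout, the field names, the "TTA1" magic and every function name are assumptions for illustration, and the real TTA and MMS formats are not reproduced. The vulnerable arithmetic is kept as a pure function so its wrap can be observed without corrupting memory; the parser itself only uses the hardened check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed (constructed) layout, NOT the real TTA format:
 *   bytes 0..3  magic "TTA1"; 4..7 data length; 8..11 frame length
 *   (both uint32 little-endian); 12.. seek table, one uint32 per frame. */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Frame count as a demuxer derives it: ceil(data_len / frame_len). */
bool frame_count(uint32_t data_len, uint32_t frame_len, uint32_t *out)
{
    if (frame_len == 0)
        return false;
    *out = data_len / frame_len + (data_len % frame_len ? 1u : 0u);
    return true;
}

/* Vulnerable arithmetic: entries * 4 computed in 32 bits wraps, so a crafted
 * frame count yields a tiny allocation that a per-entry copy loop runs past. */
uint32_t seektable_bytes_vuln(uint32_t n_frames)
{
    return n_frames * 4u;          /* 0x40000001 * 4 wraps to 4 */
}

/* Hardened: reject if the multiplication would wrap, or if the table needs
 * more bytes than the stream actually has left. */
bool seektable_bytes_safe(uint32_t n_frames, size_t avail, size_t *out)
{
    if (n_frames > UINT32_MAX / 4u)
        return false;
    size_t need = (size_t)n_frames * 4u;
    if (need > avail)
        return false;
    *out = need;
    return true;
}

/* Parse header and seek table from memory. Returns the entry count, or -1 if
 * rejected. Allocation happens only after the hardened size check. */
int parse_tta_like(const uint8_t *buf, size_t len, uint32_t **table_out)
{
    uint32_t n;
    size_t need;

    if (len < 12 || memcmp(buf, "TTA1", 4) != 0)
        return -1;
    if (!frame_count(rd_le32(buf + 4), rd_le32(buf + 8), &n))
        return -1;
    if (!seektable_bytes_safe(n, len - 12, &need))
        return -1;

    uint32_t *table = malloc(need ? need : 1);
    if (table == NULL)
        return -1;
    for (uint32_t i = 0; i < n; i++)
        table[i] = rd_le32(buf + 12 + 4 * (size_t)i);
    *table_out = table;
    return (int)n;
}

/* The MMS case is the same defect landing in a fixed stack buffer: a length
 * taken from the server's response must be bounded by the destination size
 * AND by the bytes actually received, before any memcpy. */
#define MMS_FIELD_MAX 64
bool copy_mms_field(const uint8_t *resp, size_t resp_len, size_t off,
                    uint32_t declared, char out[MMS_FIELD_MAX])
{
    if (off > resp_len || declared > resp_len - off || declared >= MMS_FIELD_MAX)
        return false;
    memcpy(out, resp + off, declared);
    out[declared] = '\0';
    return true;
}

/* Constructed benign input: data_len 30, frame_len 10 -> 3 seek entries. */
int demo_benign(void)
{
    static const uint8_t buf[] = { 'T','T','A','1', 30,0,0,0, 10,0,0,0,
                                   1,0,0,0, 2,0,0,0, 3,0,0,0 };
    uint32_t *t = NULL;
    int n = parse_tta_like(buf, sizeof buf, &t);
    bool ok = (n == 3 && t != NULL && t[0] == 1 && t[2] == 3);
    free(t);
    return ok ? n : -1;
}

/* Constructed crafted input: data_len 0x40000001, frame_len 1 -> 0x40000001
 * frames; 32-bit size math wraps to 4 bytes, the hardened parser refuses. */
int demo_crafted(void)
{
    static const uint8_t buf[] = { 'T','T','A','1', 0x01,0,0,0x40, 1,0,0,0,
                                   0xff,0xff,0xff,0xff };
    uint32_t *t = NULL;
    return parse_tta_like(buf, sizeof buf, &t);   /* -1 */
}

int main(void)
{
    printf("wrapped size for 0x40000001 frames: %u bytes\n",
           seektable_bytes_vuln(0x40000001u));
    printf("benign: %d entries, crafted: %d\n", demo_benign(), demo_crafted());
    return 0;
}
```

The check that matters is the order: the bound on the frame count (and on the bytes remaining in the stream) is evaluated before the allocation and before the copy loop, so the copy can never be larger than the buffer it targets.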

Hew (hew) wrote :

VLC 0.9.2 has been released. Perhaps it's preferable to package this new version.

description: updated
JB VideoLAN (jb-videolan) wrote : Re: VLC: New upstream release (0.9.2)

It should be better to update to 0.8.6i (or j) in hardy.

description: updated
Changed in vlc:
assignee: nobody → wgrant
importance: Undecided → High
status: New → Triaged
status: Triaged → Invalid
assignee: wgrant → nobody
importance: High → Undecided
William Grant (wgrant)
Changed in vlc:
status: Triaged → In Progress
William Grant (wgrant) wrote :
William Grant (wgrant) wrote :

I've tested that it plays various things (including TTA and MMS streams), and the known exploits no longer crash it.

Jamie Strandboge (jdstrand) wrote :

Thanks for the patch! Fix committed to security builds.

Changed in vlc:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package vlc - 0.8.6.release.e+x264svn20071224+faad2.6.1-0ubuntu3.2

---------------
vlc (0.8.6.release.e+x264svn20071224+faad2.6.1-0ubuntu3.2) hardy-security; urgency=low

  * SECURITY UPDATE: multiple denials of service and arbitrary code execution
    vulnerabilities. (LP: #262705)
    - debian/patches/040_CVE-2008-3732.diff: Fix TTA integer handling. Fixes
      arbitrary code execution. Patch from upstream git.
    - debian/patches/041_CVE-2008-3794.diff: Fix MMS integer handling. Fixes
      arbitrary code execution. Patch from upstream git.
    - References:
      + http://www.videolan.org/security/sa0807.html
      + CVE-2008-3732
      + CVE-2008-3794

 -- William Grant <email address hidden> Sun, 21 Sep 2008 14:00:25 +1000

Changed in vlc:
status: Fix Committed → Fix Released