Ubuntu
vlc package

vlc: AVI demuxer integer overflow

Bug #807488 reported by Rémi Denis-Courmont on 2011-07-08

262

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
VLC media player	Fix Released	Critical	Rémi Denis-Courmont	VLC media player 1.1.11
vlc (Debian)	Fix Released	Unknown	debbugs #633675
vlc (Ubuntu)	Fix Released	Undecided	Unassigned
Lucid	Fix Released	Undecided	Steve Beattie
Maverick	Fix Released	Undecided	Steve Beattie
Natty	Fix Released	Undecided	Steve Beattie

Bug Description

A integer underflow error when handling the "chunk_size" field within the
"strf" chunk (AVI_ChunkRead_strf() in modules/demux/avi/libavi.c) in AVI
files can be exploited to cause a heap-based buffer overflow.

Tags:

Related branches

lp:ubuntu/maverick-security/vlc

lp:ubuntu/natty-updates/vlc

lp:debian/vlc

lp:ubuntu/maverick-updates/vlc

lp:ubuntu/lucid-updates/vlc

CVE References

Rémi Denis-Courmont (rdenis) on 2011-07-08

Changed in vlc:
status:	New → Confirmed
assignee:	nobody → Rémi Denis-Courmont (rdenis)
importance:	Undecided → Critical
milestone:	none → 1.1.11
Changed in vlc (Ubuntu):
status:	New → Confirmed

Revision history for this message

Rémi Denis-Courmont (rdenis) wrote on 2011-07-11:

0002-AVI-fix-heap-buffer-overflow-CVE-2011-2588.patch Edit (1.6 KiB, text/plain)

Changed in vlc:
status:	Confirmed → Fix Committed
tags:	added: patch-forwarded-upstream

Rémi Denis-Courmont (rdenis) on 2011-07-12

tags:	added: patch-accepted-upstream removed: patch-forwarded-upstream
Changed in vlc:
status:	Fix Committed → Fix Released
visibility:	private → public

Revision history for this message

Launchpad Janitor (janitor) wrote on 2011-07-18:

This bug was fixed in the package vlc - 1.1.11-1ubuntu1

---------------
vlc (1.1.11-1ubuntu1) oneiric; urgency=low

* Merge from Debian unstable, remaining changes:
- build and install the libx264 plugin

vlc (1.1.11-1) unstable; urgency=high

  * New upstream release.
    - Fix heap overflow in RealMedia plugin (Closes: #633674, LP: #807486)
    - Fix heap overflow in AVI plugin (Closes: #633675, LP: #807488)
  * Call dh_autoreconf with --as-needed and drop 052_as-needed.patch.
  * Drop backported patches.
  * Drop libschroedinger weaken patch (upstream weakened it to 1.0.6).
  * Refresh remaining patches.
-- Benjamin Drung <email address hidden> Mon, 18 Jul 2011 11:40:18 +0200

Changed in vlc (Ubuntu):
status:	Confirmed → Fix Released

Revision history for this message

Benjamin Drung (bdrung) wrote on 2011-07-18:

vlc_1.1.9-1ubuntu1.3.debdiff Edit (3.9 KiB, text/plain)

Here's the patch for natty.

Revision history for this message

Benjamin Drung (bdrung) wrote on 2011-07-18:

vlc_1.1.4-1ubuntu1.7.debdiff Edit (3.9 KiB, text/plain)

Patch for maverick.

Revision history for this message

Benjamin Drung (bdrung) wrote on 2011-07-18:

vlc_1.0.6-1ubuntu1.8.debdiff Edit (2.3 KiB, text/plain)

And the patch for lucid.

Revision history for this message

Steve Beattie (sbeattie) wrote on 2011-07-19:

Benjamin, thanks, I'll review.

Changed in vlc (Ubuntu Lucid):
assignee:	nobody → Steve Beattie (sbeattie)
Changed in vlc (Ubuntu Maverick):
assignee:	nobody → Steve Beattie (sbeattie)
Changed in vlc (Ubuntu Natty):
assignee:	nobody → Steve Beattie (sbeattie)

Revision history for this message

Launchpad Janitor (janitor) wrote on 2011-07-21:

This bug was fixed in the package vlc - 1.1.9-1ubuntu1.3

---------------
vlc (1.1.9-1ubuntu1.3) natty-security; urgency=low

  * SECURITY UPDATE: Heap overflow in RealMedia demuxer (LP: #807486)
    - debian/patches/CVE-2011-2587.patch: real: fix heap buffer overflow,
      thanks to Rémi Denis-Courmont
    - CVE-2011-2587
    - VideoLAN-SA-1105
  * SECURITY UPDATE: Heap overflow in AVI demuxer (LP: #807488)
    - debian/patches/CVE-2011-2588.patch: AVI: fix heap buffer overflow,
      thanks to Rémi Denis-Courmont
    - CVE-2011-2588
    - VideoLAN-SA-1106
-- Benjamin Drung <email address hidden> Mon, 18 Jul 2011 15:48:36 +0200

Revision history for this message

Launchpad Janitor (janitor) wrote on 2011-07-21:

This bug was fixed in the package vlc - 1.1.4-1ubuntu1.7

---------------
vlc (1.1.4-1ubuntu1.7) maverick-security; urgency=low

Revision history for this message

Launchpad Janitor (janitor) wrote on 2011-07-21:

This bug was fixed in the package vlc - 1.0.6-1ubuntu1.8

---------------
vlc (1.0.6-1ubuntu1.8) lucid-security; urgency=low

  * SECURITY UPDATE: Heap overflow in AVI demuxer (LP: #807488)
    - debian/patches/CVE-2011-2588.patch: AVI: fix heap buffer overflow,
      thanks to Rémi Denis-Courmont
    - CVE-2011-2588
    - VideoLAN-SA-1106
-- Benjamin Drung <email address hidden> Mon, 18 Jul 2011 16:15:19 +0200

Changed in vlc (Ubuntu Lucid):
status:	New → Fix Released
Changed in vlc (Ubuntu Maverick):
status:	New → Fix Released
Changed in vlc (Ubuntu Natty):
status:	New → Fix Released

Bug Watch Updater (bug-watch-updater) on 2011-08-11

Changed in vlc (Debian):
status:	Unknown → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Remote bug watches

debbugs #633674
[done grave upstream confirmed security fixed-upstream] Edit
debbugs #633675
[done grave upstream confirmed security fixed-upstream] Edit

Bug watches keep track of this bug in other bug trackers.

Ubuntuvlc package

vlc: AVI demuxer integer overflow

Bug Description

Related branches

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntu
vlc package