Hello,

Dan Rosenberg has discovered that improper input validation in the MKV
(and WebM) demux module could lead to memory corruption and arbitrary code
execution. A PoC MKV targeted at Windows makes it possible to start calc.exe.
(CVE-2011-0531, VideoLAN-SA-1102[1])

VLC 1.1.7 fixes this issue.

I have taken the upstream patch and prepared an upload in our git[2] in
the squeeze branch.

Also attached is a debdiff.

Regards


[1]  http://www.videolan.org/security/sa1102.html
[2]  git://git.debian.org/pkg-multimedia/vlc.git
        
-- 
Xtophe
diff -Nru vlc-1.1.3/debian/changelog vlc-1.1.3/debian/changelog
--- vlc-1.1.3/debian/changelog	2011-01-24 22:14:41.000000000 +0100
+++ vlc-1.1.3/debian/changelog	2011-02-07 23:40:23.000000000 +0100
@@ -1,8 +1,21 @@
+vlc (1.1.3-1squeeze3) stable-security; urgency=high
+
+  * Fix MKV improper input validation 
+    - VideoLAN-SA-1102, CVE-2011-0531
+    - thanks to Steve Lhomme
+  * Add CVE reference to previous vulnerability
+  * Set urgency to high
+
+ -- Christophe Mutricy <xtophe@penduick>  Wed, 02 Feb 2011 22:36:57 +0000
+
 vlc (1.1.3-1squeeze2) unstable; urgency=medium
 
-  * Fix heap overflow in CDG decoder - thanks to Dan Rosenberg
-  * Fix heap corruption in some XML based subtitles decoder - thanks to
-    Harry Sintonen
+  * Fix heap overflow in CDG decoder
+    - CVE-2011-0021, VideoLAN-SA-1101
+    - thanks to Dan Rosenberg
+  * Fix heap corruption in some XML based subtitles decoder
+    -  CVE-2011-0531
+    - thanks to Harry Sintonen
   * Set urgency to medium
 
  -- Christophe Mutricy <xto...@videolan.org>  Mon, 24 Jan 2011 22:13:57 +0100
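Review bot: the XML subtitle decoder entry in the 1.1.3-1squeeze2 stanza is tagged `CVE-2011-0531`, the same identifier the new 1.1.3-1squeeze3 stanza and the cover mail assign to the MKV demuxer fix (VideoLAN-SA-1102); one CVE cannot cover both advisories, so the line `    -  CVE-2011-0531` under the XML subtitles entry looks like a copy of the wrong identifier and should carry the id belonging to that earlier advisory instead (the CDG entry next to it correctly pairs CVE-2011-0021 with VideoLAN-SA-1101). Two smaller points in the same hunk: the new stanza's trailer address `xtophe@penduick` is a bare hostname rather than a routable mail address and should match the address used in the squeeze2 trailer, and `  * Fix MKV improper input validation ` carries trailing whitespace.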
diff -Nru vlc-1.1.3/debian/patches/mkv-input-validation.diff vlc-1.1.3/debian/patches/mkv-input-validation.diff
--- vlc-1.1.3/debian/patches/mkv-input-validation.diff	1970-01-01 01:00:00.000000000 +0100
+++ vlc-1.1.3/debian/patches/mkv-input-validation.diff	2011-02-03 00:02:43.000000000 +0100
@@ -0,0 +1,17 @@
+Subject: the ID could be OK but the class mismatching
+Author: Steve Lhomme <slho...@matroska.org>
+Origin: upstream, http://git.videolan.org/gitweb.cgi?p=vlc/vlc-1.1.git;a=commit;h=3101bb7ac8abf56080d943806d666a385c3e9e33
+
+diff --git a/modules/demux/mkv/mkv.hpp b/modules/demux/mkv/mkv.hpp
+index 1461d4a..8e3ec9b 100644
+--- a/modules/demux/mkv/mkv.hpp
++++ b/modules/demux/mkv/mkv.hpp
+@@ -119,7 +119,7 @@ extern "C" {
+ 
+ #define MKVD_TIMECODESCALE 1000000
+ 
+-#define MKV_IS_ID( el, C ) ( EbmlId( (*el) ) == C::ClassInfos.GlobalId )
++#define MKV_IS_ID( el, C ) ( el != NULL && typeid( *el ) == typeid( C ) )
+ 
+ 
+ using namespace LIBMATROSKA_NAMESPACE;
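Review bot: the replacement `MKV_IS_ID` body relies on `typeid`, so `mkv.hpp` needs `<typeinfo>` available (directly or through the libebml/libmatroska headers it already includes) and the module must be built with RTTI enabled; the hunk shows neither, so please confirm the backport compiles and the demuxer still recognises elements against the squeeze libebml/libmatroska before upload. The DEP-3 header would also benefit from a `Description:` that states why the check changed, namely that comparing only the EBML ID let an element with a valid ID but a mismatching class pass (the upstream subject line hints at this but does not spell out the memory-safety consequence), and from a `Bug:`/CVE reference line pointing at CVE-2011-0531 and VideoLAN-SA-1102; the `el != NULL` guard added alongside the type check is worth mentioning there too, since it changes behaviour for callers that previously dereferenced a null element.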
diff -Nru vlc-1.1.3/debian/patches/series vlc-1.1.3/debian/patches/series
--- vlc-1.1.3/debian/patches/series	2011-01-24 15:18:15.000000000 +0100
+++ vlc-1.1.3/debian/patches/series	2011-02-03 00:02:43.000000000 +0100
@@ -6,3 +6,4 @@
 CVE-2010-3907.diff
 cdg-heap-overflow.diff
 xml-heap-corruption.diff
+mkv-input-validation.diff
_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-multimedia-maintainers