Package: vlc
Severity: important
Tags: security

Hi,

vlc uses libtar to unpack skins; however, its use on untrusted data exposes it to CVE-2013-4420 (#731860). Changing the behaviour of libtar appears to be problematic because some applications have relied on the lack of path sanitation (cf. https://lists.feep.net:8080/pipermail/libtar/2013-October/000359.html and the follow-ups).

What appears to be the safe way to handle this issue is making sure that libtar is not used on untrusted data without file path validation - that would mean that vlc would have to check, for every file that is about to be extracted, that none contains a ../, and something similar for symlinks. Alternatively, vlc could just use tar(1) to unpack the tarballs, or drop support for skins or skins in tarballs.

What do you think? This should probably be forwarded to upstream.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
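The per-entry validation the report asks for, as an added example that is not vlc's or libtar's code: it uses Python's tarfile module in place of libtar and flags every entry whose path, or whose symlink/hardlink target, would land outside the extraction directory once normalised, so the caller can refuse the whole skin archive. The sample archive is constructed in memory; `build_sample_skin` and `check_archive` are names chosen here.

```python
import io
import posixpath
import tarfile

def _escapes(path):
    """True if a POSIX path, once normalised, points outside the extraction root."""
    norm = posixpath.normpath(path)
    return norm.startswith("/") or norm == ".." or norm.startswith("../")

def check_archive(fileobj):
    """Return {member name: reason} for every entry that must not be extracted.
    An archive with any finding should be rejected as a whole, since a later
    entry may be written through a symlink that an earlier entry planted."""
    findings = {}
    with tarfile.open(fileobj=fileobj, mode="r") as tar:
        for m in tar.getmembers():
            if _escapes(m.name):
                findings[m.name] = "path escapes extraction directory"
            elif m.issym() or m.islnk():
                # Hard-link targets are archive-relative; symlink targets are
                # relative to the directory containing the link itself.
                target = m.linkname if m.islnk() else posixpath.join(
                    posixpath.dirname(m.name), m.linkname)
                if _escapes(target):
                    findings[m.name] = "link target escapes extraction directory"
            elif not (m.isfile() or m.isdir()):
                findings[m.name] = "unexpected entry type (device, fifo, ...)"
    return findings

def build_sample_skin():
    """Constructed sample: one clean skin file plus the entry kinds a validator must refuse."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("theme/skin.xml", "../escape.txt", "/abs/escape.txt"):
            info = tarfile.TarInfo(name)
            info.size = 4
            tar.addfile(info, io.BytesIO(b"data"))
        ok = tarfile.TarInfo("theme/current")        # harmless relative symlink
        ok.type, ok.linkname = tarfile.SYMTYPE, "skin.xml"
        tar.addfile(ok)
        bad = tarfile.TarInfo("theme/up")            # symlink climbing out of the root
        bad.type, bad.linkname = tarfile.SYMTYPE, "../../escape"
        tar.addfile(bad)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, reason in check_archive(build_sample_skin()).items():
        print(f"REJECT {name}: {reason}")
```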