Your message dated Fri, 11 Jan 2008 15:47:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#458318: fixed in vlc 0.8.6.c-4.1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: vlc
Version: 0.8.6.c-4
Severity: grave
Tags: security
Justification: user security hole

These pages

http://mailman.videolan.org/pipermail/vlc-devel/2007-December/037726.html
https://trac.videolan.org/vlc/ticket/1371

describe a security issue which allows writing to arbitrary files with
mozilla-plugin-vlc.


According to http://www.securityfocus.com/archive/1/485488/30/0/threaded, there
are two more unfixed security issues in vlc:

A] buffer-overflow in the handling of the subtitles
B] format string in the web interface

AFAIK there are no CVE ids for these issues yet.

--- End Message ---
--- Begin Message ---
Source: vlc
Source-Version: 0.8.6.c-4.1

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6.c-4.1_i386.deb
  to pool/main/v/vlc/libvlc0-dev_0.8.6.c-4.1_i386.deb
libvlc0_0.8.6.c-4.1_i386.deb
  to pool/main/v/vlc/libvlc0_0.8.6.c-4.1_i386.deb
mozilla-plugin-vlc_0.8.6.c-4.1_i386.deb
  to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.c-4.1_i386.deb
vlc-nox_0.8.6.c-4.1_i386.deb
  to pool/main/v/vlc/vlc-nox_0.8.6.c-4.1_i386.deb
vlc-plugin-alsa_0.8.6.c-4.1_all.deb
  to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.c-4.1_all.deb
vlc-plugin-arts_0.8.6.c-4.1_i386.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.8.6.c-4.1_i386.deb
vlc-plugin-esd_0.8.6.c-4.1_i386.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.8.6.c-4.1_i386.deb
vlc-plugin-ggi_0.8.6.c-4.1_i386.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.c-4.1_i386.deb
vlc-plugin-glide_0.8.6.c-4.1_i386.deb
  to pool/main/v/vlc/vlc-plugin-glide_0.8.6.c-4.1_i386.deb
vlc-plugin-sdl_0.8.6.c-4.1_i386.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.c-4.1_i386.deb
vlc-plugin-svgalib_0.8.6.c-4.1_i386.deb
  to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.c-4.1_i386.deb
vlc_0.8.6.c-4.1.diff.gz
  to pool/main/v/vlc/vlc_0.8.6.c-4.1.diff.gz
vlc_0.8.6.c-4.1.dsc
  to pool/main/v/vlc/vlc_0.8.6.c-4.1.dsc
vlc_0.8.6.c-4.1_i386.deb
  to pool/main/v/vlc/vlc_0.8.6.c-4.1_i386.deb
wxvlc_0.8.6.c-4.1_all.deb
  to pool/main/v/vlc/wxvlc_0.8.6.c-4.1_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Fri, 11 Jan 2008 15:05:10 +0100
Source: vlc
Binary: wxvlc vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-alsa vlc-plugin-glide 
vlc-plugin-esd mozilla-plugin-vlc vlc libvlc0 vlc-plugin-arts vlc-nox 
vlc-plugin-svgalib libvlc0-dev
Architecture: source all i386
Version: 0.8.6.c-4.1
Distribution: unstable
Urgency: high
Maintainer: Debian multimedia packages maintainers <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description: 
 libvlc0    - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc        - multimedia player and streamer
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-alsa - dummy transitional package
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-glide - Glide video output plugin for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svgalib - SVGAlib video output plugin for VLC
 wxvlc      - dummy transitional package
Closes: 458318
Changes: 
 vlc (0.8.6.c-4.1) unstable; urgency=high
 .
   * Non-maintainer upload by security team.
   * This update addresses the following security issues
     (CVE ids pending; Closes: #458318):
     - Fix format string issue in internal webserver that could lead
       to arbitrary code execution (sec-httpd_formatstring.diff).
     - Disable m3u EXTVLCOPT parsing if no command line option is specified
       (--m3u-extvlcopt) to prevent browser plugins from controlling stream output
       and thus overwriting arbitrary files of the user running vlc
       (sec-vlcopt_support.diff).
     - Fix stack-based buffer overflow in subtitle parsing
       (sec-subtitle_buffer_overflow.diff).
     - Fix NULL pointer dereference in the rtsp/rtp module by checking return
       of the httpd_MsgGet function (sec-rtsp_remote_dos.diff).
Files: 


--- End Message ---
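As an added example (not code from the bug report, the VLC project or the Debian package), a small Python scanner that parses the #EXTVLCOPT directives of an m3u playlist, flags those that steer stream output (the vector behind the arbitrary file write through mozilla-plugin-vlc), and models the changelog's fix of ignoring such directives unless --m3u-extvlcopt was given. The sample playlist, its URLs and the file path in it are constructed.

```python
import re

# Constructed sample playlist (not taken from the bug report or the VLC
# sources): one benign per-item option and two that steer the stream
# output chain, which is what the disabled-by-default fix guards against.
SAMPLE_M3U = """#EXTM3U
#EXTINF:123,Sample Artist - Sample title
#EXTVLCOPT:network-caching=1000
http://example.invalid/stream.mp3
#EXTINF:-1,Another entry
#EXTVLCOPT:sout=#std{access=file,mux=ps,dst=/tmp/constructed-example.mpg}
#EXTVLCOPT:sout-keep
http://example.invalid/other.mp3
"""

# "#EXTVLCOPT:name" or "#EXTVLCOPT:name=value"; the value may itself contain '='.
EXTVLCOPT = re.compile(r"^#EXTVLCOPT:(?P<name>[^=]+?)(?:=(?P<value>.*))?$")


def parse_extvlcopt(text):
    """Return (line_no, option_name, option_value) for every #EXTVLCOPT line.

    option_value is None for flag-style options such as sout-keep."""
    found = []
    for no, line in enumerate(text.splitlines(), 1):
        m = EXTVLCOPT.match(line.strip())
        if m:
            found.append((no, m.group("name").strip(), m.group("value")))
    return found


def is_stream_output_option(name):
    """sout and sout-* options redirect VLC's output (for example to a file)."""
    return name == "sout" or name.startswith("sout-")


def stream_output_lines(text):
    """Line numbers of EXTVLCOPT directives that control stream output."""
    return [no for no, name, _ in parse_extvlcopt(text)
            if is_stream_output_option(name)]


def effective_options(text, m3u_extvlcopt=False):
    """Model of the 0.8.6.c-4.1 behaviour described in the changelog:
    EXTVLCOPT directives are honoured only when --m3u-extvlcopt was given."""
    if not m3u_extvlcopt:
        return []
    return [(name, value) for _, name, value in parse_extvlcopt(text)]


if __name__ == "__main__":
    for no, name, value in parse_extvlcopt(SAMPLE_M3U):
        tag = "STREAM OUTPUT" if is_stream_output_option(name) else "ok"
        print(f"line {no}: {name}={value!r} [{tag}]")
    print("honoured by default:", effective_options(SAMPLE_M3U))
```

Run it against any playlist a browser handed to the plugin to see which directives would have been honoured before the update and which the patched default now ignores.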