Your message dated Sat, 29 Mar 2008 21:32:20 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#473057: fixed in vlc 0.8.6.e-2
has caused the Debian Bug report #473057,
regarding vlc: CVE-2008-0073 code execution via crafted rtsp stream
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
473057: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=473057
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: vlc
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for vlc.

CVE-2008-0073[0]:
| Array index error in the sdpplin_parse function in
| input/libreal/sdpplin.c in xine-lib 1.1.10.1 allows remote RTSP
| servers to execute arbitrary code via a large streamid SDP parameter.

It turned out that vlc is also using that code in
modules/access/rtsp/real_sdpplin.c.

Find a patch for the above issue on:
http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=12cb075fba8ea09813fc35e0c731d2a64265b637;style=raw

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0073

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



--- End Message ---
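Added example, not xine-lib's or VLC's code and not the patch linked above: a constructed SDP stream table in which the server-supplied streamid is validated against the announced stream count and the fixed table size before it is ever used as an array index, which is the check an "array index error via a large streamid" is missing. The `streamid=` attribute syntax, the struct names and `MAX_STREAMS` are assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not xine-lib's or VLC's code: a fixed-size stream
 * table and a parser for a server-supplied "streamid" SDP parameter
 * (attribute syntax assumed) that must be range-checked before indexing. */
#define MAX_STREAMS 8

typedef struct { int used; } stream_desc_t;

typedef struct {
    stream_desc_t stream[MAX_STREAMS];
    int stream_count;            /* slots announced earlier in the SDP */
} sdp_session_t;

/* Returns the stream index, or -1 if the parameter is missing, non-numeric,
 * negative, out of integer range, or not below stream_count. */
int parse_streamid(const sdp_session_t *s, const char *line)
{
    const char *key = "streamid=";
    const char *p = strstr(line, key);
    if (!p) return -1;
    p += strlen(key);
    if (*p < '0' || *p > '9') return -1;         /* rejects "", "-1", "abc" */
    errno = 0;
    char *end;
    long v = strtol(p, &end, 10);
    if (errno == ERANGE || v > INT_MAX) return -1;   /* absurdly large values */
    if (v >= s->stream_count || v >= MAX_STREAMS) return -1;  /* the bounds check */
    return (int)v;
}

/* Writes into the stream table only through a validated index; returns 1 if stored. */
int sdp_add_stream(sdp_session_t *s, const char *line)
{
    int id = parse_streamid(s, line);
    if (id < 0) return 0;
    s->stream[id].used = 1;
    return 1;
}

/* Helper: parse against a session that announced stream_count streams. */
int check_streamid(int stream_count, const char *line)
{
    sdp_session_t s = { .stream_count = stream_count };
    return parse_streamid(&s, line);
}
```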
--- Begin Message ---
Source: vlc
Source-Version: 0.8.6.e-2

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6.e-2_i386.deb
  to pool/main/v/vlc/libvlc0-dev_0.8.6.e-2_i386.deb
libvlc0_0.8.6.e-2_i386.deb
  to pool/main/v/vlc/libvlc0_0.8.6.e-2_i386.deb
mozilla-plugin-vlc_0.8.6.e-2_i386.deb
  to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.e-2_i386.deb
vlc-nox_0.8.6.e-2_i386.deb
  to pool/main/v/vlc/vlc-nox_0.8.6.e-2_i386.deb
vlc-plugin-alsa_0.8.6.e-2_all.deb
  to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.e-2_all.deb
vlc-plugin-arts_0.8.6.e-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.8.6.e-2_i386.deb
vlc-plugin-esd_0.8.6.e-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.8.6.e-2_i386.deb
vlc-plugin-ggi_0.8.6.e-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.e-2_i386.deb
vlc-plugin-glide_0.8.6.e-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-glide_0.8.6.e-2_i386.deb
vlc-plugin-jack_0.8.6.e-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-jack_0.8.6.e-2_i386.deb
vlc-plugin-sdl_0.8.6.e-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.e-2_i386.deb
vlc-plugin-svgalib_0.8.6.e-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.e-2_i386.deb
vlc_0.8.6.e-2.diff.gz
  to pool/main/v/vlc/vlc_0.8.6.e-2.diff.gz
vlc_0.8.6.e-2.dsc
  to pool/main/v/vlc/vlc_0.8.6.e-2.dsc
vlc_0.8.6.e-2_i386.deb
  to pool/main/v/vlc/vlc_0.8.6.e-2_i386.deb
wxvlc_0.8.6.e-2_all.deb
  to pool/main/v/vlc/wxvlc_0.8.6.e-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christophe Mutricy <[EMAIL PROTECTED]> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


Format: 1.7
Date: Sat, 29 Mar 2008 15:04:28 +0000
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-alsa vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts mozilla-plugin-vlc vlc-plugin-svgalib wxvlc vlc-plugin-jack
Architecture: source all i386
Version: 0.8.6.e-2
Distribution: unstable
Urgency: high
Maintainer: Debian multimedia packages maintainers <[EMAIL PROTECTED]>
Changed-By: Christophe Mutricy <[EMAIL PROTECTED]>
Description: 
 libvlc0    - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc        - multimedia player and streamer
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-alsa - dummy transitional package
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-glide - Glide video output plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svgalib - SVGAlib video output plugin for VLC
 wxvlc      - dummy transitional package
Closes: 473057
Changes: 
 vlc (0.8.6.e-2) unstable; urgency=high
 .
   [ Christophe Mutricy ]
   * Acknowledge NMU by Nico Golde. Thanks
   * New patch taken from upstream to fix an arbitrary code execution.
     CVE-2008-0073 (Closes: #473057)
   * New patch to fix FTBS in MKV module
 .
   [ Loic Minier ]
   * Mention CVE id in 0.8.6.e-1.1.
Files: 




--- End Message ---
