Your message dated Mon, 31 Mar 2008 09:03:25 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#473057: fixed in vlc 0.8.6.c-6+lenny3
has caused the Debian Bug report #473057,
regarding vlc: CVE-2008-0073 code execution via crafted rtsp stream
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)

-- 
473057: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=473057
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: vlc
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for vlc.

CVE-2008-0073[0]:
| Array index error in the sdpplin_parse function in
| input/libreal/sdpplin.c in xine-lib 1.1.10.1 allows remote RTSP
| servers to execute arbitrary code via a large streamid SDP parameter.

It turned out that vlc is also using that code in
modules/access/rtsp/real_sdpplin.c

Find a patch for the above issue on:
http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=12cb075fba8ea09813fc35e0c731d2a64265b637;style=raw

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0073

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
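The array-index pattern the CVE text describes, as an added C example (not VLC's or xine-lib's code; the struct, function names and the exact attribute syntax are assumptions): a StreamCount attribute sizes the stream table, and every streamid is range-checked against that size before it is used as an index, which is the check whose absence the CVE describes.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_STREAMS 64
#define COUNT_ATTR "a=StreamCount:integer;"
#define ID_ATTR    "a=control:streamid="

/* Constructed model of the sdpplin stream table: StreamCount sizes it, streamid indexes it. */
typedef struct {
    unsigned stream_count;   /* from a=StreamCount:integer;N */
    unsigned char *present;  /* stream_count slots, one per stream id */
    unsigned rejected;       /* stream ids refused by the bounds check */
} sdp_desc_t;

/* Parse SDP line by line; 0 on success, -1 if malformed. The range check is what the bug lacked. */
int sdp_parse(const char *sdp, sdp_desc_t *desc) {
    const char *p = sdp; int err = 0;
    memset(desc, 0, sizeof *desc);
    while (*p && !err) {
        const char *line = p;
        size_t len = strcspn(p, "\n");
        p += len + (p[len] == '\n');
        if (strncmp(line, COUNT_ATTR, sizeof COUNT_ATTR - 1) == 0) {
            long n = strtol(line + sizeof COUNT_ATTR - 1, NULL, 10);
            /* accept one sane count; never resize a table that already exists */
            if (n <= 0 || n > MAX_STREAMS || desc->present) { err = 1; continue; }
            desc->stream_count = (unsigned)n;
            if (!(desc->present = calloc(desc->stream_count, 1))) err = 1;
        } else if (strncmp(line, ID_ATTR, sizeof ID_ATTR - 1) == 0) {
            long id = strtol(line + sizeof ID_ATTR - 1, NULL, 10);
            if (!desc->present || id < 0 || (unsigned long)id >= desc->stream_count)
                desc->rejected++;   /* out of range: count it, never index with it */
            else
                desc->present[id] = 1;
        }
    }
    if (err) { free(desc->present); desc->present = NULL; }
    return err ? -1 : 0;
}

/* Parse, count accepted stream ids, report rejections; -1 if malformed. */
int sdp_accepted(const char *sdp, unsigned *rejected) {
    sdp_desc_t d; unsigned i, n = 0;
    if (sdp_parse(sdp, &d) != 0) return -1;
    for (i = 0; i < d.stream_count; i++) n += d.present[i];
    if (rejected) *rejected = d.rejected;
    free(d.present);
    return (int)n;
}
```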
--- Begin Message ---
Source: vlc
Source-Version: 0.8.6.c-6+lenny3

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/libvlc0-dev_0.8.6.c-6+lenny3_amd64.deb
libvlc0_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/libvlc0_0.8.6.c-6+lenny3_amd64.deb
mozilla-plugin-vlc_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.c-6+lenny3_amd64.deb
vlc-nox_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/vlc-nox_0.8.6.c-6+lenny3_amd64.deb
vlc-plugin-alsa_0.8.6.c-6+lenny3_all.deb
  to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.c-6+lenny3_all.deb
vlc-plugin-arts_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.8.6.c-6+lenny3_amd64.deb
vlc-plugin-esd_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.8.6.c-6+lenny3_amd64.deb
vlc-plugin-ggi_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.c-6+lenny3_amd64.deb
vlc-plugin-jack_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/vlc-plugin-jack_0.8.6.c-6+lenny3_amd64.deb
vlc-plugin-sdl_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.c-6+lenny3_amd64.deb
vlc-plugin-svgalib_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.c-6+lenny3_amd64.deb
vlc_0.8.6.c-6+lenny3.diff.gz
  to pool/main/v/vlc/vlc_0.8.6.c-6+lenny3.diff.gz
vlc_0.8.6.c-6+lenny3.dsc
  to pool/main/v/vlc/vlc_0.8.6.c-6+lenny3.dsc
vlc_0.8.6.c-6+lenny3_amd64.deb
  to pool/main/v/vlc/vlc_0.8.6.c-6+lenny3_amd64.deb
wxvlc_0.8.6.c-6+lenny3_all.deb
  to pool/main/v/vlc/wxvlc_0.8.6.c-6+lenny3_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Fri, 28 Mar 2008 13:51:48 +0100
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-alsa vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts mozilla-plugin-vlc vlc-plugin-svgalib wxvlc vlc-plugin-jack
Architecture: source all amd64
Version: 0.8.6.c-6+lenny3
Distribution: testing-security
Urgency: high
Maintainer: Debian multimedia packages maintainers <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description: 
 libvlc0    - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc        - multimedia player and streamer
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-alsa - dummy transitional package
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svgalib - SVGAlib video output plugin for VLC
 wxvlc      - dummy transitional package
Closes: 472635 473057
Changes: 
 vlc (0.8.6.c-6+lenny3) testing-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * This update addresses the following security issues:
     - CVE-2008-1489: an integer overflow in the MP4_ReadBox_rdrf function
       that can be triggered via crafted atom size values could possibly
       lead to arbitrary code execution (Closes: #472635).
     - CVE-2008-0073: possible code execution via a crafted rtsp stream
       with a large streamid SDP parameter (Closes: #473057).
--- End Message ---