Your message dated Sat, 28 May 2011 23:41:59 +0300
with message-id <201105282341.59810.r...@remlab.net>
and subject line
has caused the Debian Bug report #616156,
regarding Subject: vlc: VLC bookmark buffer overflow
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
616156: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=616156
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: vlc
Version: 1.1.3-1squeeze3
Severity: important
Tags: security
"VLC media player is vulnerable to a buffer overflow attack when processing
.mp3 file and its metadata. It fails to perform boundry checks when creating a
bookmark from the malicious media file playing, resulting in a crash,
overwriting ECX register. While the evil .mp3 is playing, you go Playback >
Bookmarks > Manage bookmarks > Create."
I have requested CVE-identifier for this vulnerability:
http://www.openwall.com/lists/oss-security/2011/03/02/3
Sample evil-file "freezed" my X and I needed to restart whole X to get control
over GUI. I can give debug-information/logs if needed.
Can someone update tracker TEMP-0000000-57DB88? Note "obscure exploit scenario,
not reproducible" is not true in my opinion.
References:
http://osvdb.org/show/osvdb/62728
Best regards,
Henri Salo
-- System Information:
Debian Release: 6.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL
set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages vlc depends on:
ii libaa1 1.4p5-38 ascii art library
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libfreetype6 2.4.2-2.1 FreeType 2 font engine, shared lib
ii libfribidi0 0.19.2-1 Free Implementation of the Unicode
ii libgcc1 1:4.4.5-8 GCC support library
ii libgl1-mesa-glx [libgl1 7.7.1-4 A free implementation of the OpenG
ii libqtcore4 4:4.6.3-4 Qt 4 core module
ii libqtgui4 4:4.6.3-4 Qt 4 GUI module
ii libsdl-image1.2 1.2.10-2+b2 image loading library for Simple D
ii libsdl1.2debian 1.2.14-6.1 Simple DirectMedia Layer
ii libstdc++6 4.4.5-8 The GNU Standard C++ Library v3
ii libtar 1.2.11-6 C library for manipulating tar arc
ii libvlccore4 1.1.3-1squeeze3 base library for VLC and its modul
ii libx11-6 2:1.3.3-4 X11 client-side library
ii libx11-xcb1 2:1.3.3-4 Xlib/XCB interface library
ii libxcb-keysyms1 0.3.6-1 utility libraries for X C Binding
ii libxcb-randr0 1.6-1 X C Binding, randr extension
ii libxcb-shm0 1.6-1 X C Binding, shm extension
ii libxcb-xv0 1.6-1 X C Binding, xv extension
ii libxcb1 1.6-1 X C Binding
ii libxext6 2:1.1.2-1 X11 miscellaneous extension librar
ii ttf-freefont 20090104-7 Freefont Serif, Sans and Mono True
ii vlc-nox 1.1.3-1squeeze3 multimedia player and streamer (wi
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages vlc recommends:
ii vlc-plugin-notify 1.1.3-1squeeze3 LibNotify plugin for VLC
ii vlc-plugin-pulse 1.1.3-1squeeze3 PulseAudio plugin for VLC
Versions of packages vlc suggests:
pn mozilla-plugin-vlc <none> (no description available)
pn videolan-doc <none> (no description available)
Versions of packages vlc-nox depends on:
ii liba52-0.7.4 0.7.4-14 library for decoding ATSC A/52 str
ii libasound2 1.0.23-2.1 shared library for ALSA applicatio
ii libass4 0.9.9-1 library for SSA/ASS subtitles rend
ii libavahi-client3 0.6.27-2+squeeze1 Avahi client library
ii libavahi-common3 0.6.27-2+squeeze1 Avahi common library
ii libavc1394-0 0.5.3-1+b2 control IEEE 1394 audio/video devi
ii libavcodec52 4:0.5.2-6 ffmpeg codec library
ii libavformat52 4:0.5.2-6 ffmpeg file format library
ii libavutil49 4:0.5.2-6 ffmpeg utility library
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libcaca0 0.99.beta17-1 colour ASCII art library
ii libcddb2 1.3.2-2 library to access CDDB data - runt
ii libcdio10 0.81-4 library to read and control CD-ROM
ii libdbus-1-3 1.2.24-4 simple interprocess messaging syst
ii libdc1394-22 2.1.2-3 high level programming interface f
ii libdca0 0.0.5-3 decoding library for DTS Coherent
ii libdirac-encoder0 1.0.2-3 open and royalty free high quality
ii libdvbpsi6 0.1.7-1 library for MPEG TS and DVB PSI ta
ii libdvdnav4 4.1.3-7 DVD navigation library
ii libdvdread4 4.1.3-10 library for reading DVDs
ii libebml0 0.7.7-3.1 access library for the EBML format
ii libfaad2 2.7-6 freeware Advanced Audio Decoder -
ii libflac8 1.2.1-2+b1 Free Lossless Audio Codec - runtim
ii libfontconfig1 2.8.0-2.1 generic font configuration library
ii libfreetype6 2.4.2-2.1 FreeType 2 font engine, shared lib
ii libfribidi0 0.19.2-1 Free Implementation of the Unicode
ii libgcc1 1:4.4.5-8 GCC support library
ii libgcrypt11 1.4.5-2 LGPL Crypto library - runtime libr
ii libgnutls26 2.8.6-1 the GNU TLS library - runtime libr
ii libgpg-error0 1.6-1 library for common error values an
ii libkate1 0.3.7-3 Kate is a codec for karaoke and te
ii liblircclient0 0.8.3-5 infra-red remote control support -
ii liblua5.1-0 5.1.4-5 Simple, extensible, embeddable pro
ii libmad0 0.15.1b-5 MPEG audio decoder library
ii libmatroska0 0.8.1-1.1 extensible open standard audio/vid
ii libmodplug1 1:0.8.8.1-1 shared libraries for mod music bas
ii libmpcdec6 2:0.1~r459-1 MusePack decoder - library
ii libmpeg2-4 0.4.1-3 MPEG1 and MPEG2 video decoder libr
ii libmtp8 1.0.3-1 Media Transfer Protocol (MTP) libr
ii libncursesw5 5.7+20100313-5 shared libraries for terminal hand
ii libogg0 1.2.0~dfsg-1 Ogg bitstream library
ii libpng12-0 1.2.44-1 PNG library - runtime
ii libpostproc51 4:0.5.2-6 ffmpeg video postprocessing librar
ii libproxy0 0.3.1-2 automatic proxy configuration mana
ii libraw1394-11 2.0.5-2 library for direct access to IEEE
ii libschroedinger-1 1.0.9-2 library for encoding/decoding of D
ii libshout3 2.2.2-5+b1 MP3/Ogg Vorbis broadcast streaming
ii libsmbclient 2:3.5.6~dfsg-3squeeze2 shared library for communication w
ii libspeex1 1.2~rc1-1 The Speex codec runtime library
ii libstdc++6 4.4.5-8 The GNU Standard C++ Library v3
ii libswscale0 4:0.5.2-6 ffmpeg video scaling library
ii libtag1c2a 1.6.3-1 TagLib Audio Meta-Data Library
ii libtheora0 1.1.1+dfsg.1-3 The Theora Video Compression Codec
ii libtwolame0 0.3.12-1 MPEG Audio Layer 2 encoding librar
ii libudev0 164-3 libudev shared library
ii libupnp3 1:1.6.6-5 Portable SDK for UPnP Devices, ver
ii libv4l-0 0.8.0-1 Collection of video4linux support
ii libvcdinfo0 0.7.23-4+b2 library to extract information fro
ii libvlc5 1.1.3-1squeeze3 multimedia player and streamer lib
ii libvlccore4 1.1.3-1squeeze3 base library for VLC and its modul
ii libvorbis0a 1.3.1-1 The Vorbis General Audio Compressi
ii libvorbisenc2 1.3.1-1 The Vorbis General Audio Compressi
ii libxml2 2.7.8.dfsg-2 GNOME XML library
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages libvlc5 depends on:
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libvlccore4 1.1.3-1squeeze3 base library for VLC and its modul
Versions of packages libvlccore4 depends on:
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libdbus-1-3 1.2.24-4 simple interprocess messaging syst
ii vlc-data 1.1.3-1squeeze3 Common data for VLC
Versions of packages vlc is related to:
pn libavutil50 <none> (no description available)
pn libavutil51 <none> (no description available)
-- no debconf information
--- End Message ---
--- Begin Message ---
tags 616156 - moreinfo
fixed 616156 1.1.3-1
thanks
Closing based on comments.
--
RĂ©mi Denis-Courmont
http://www.remlab.net/
http://fi.linkedin.com/in/remidenis
--- End Message ---
_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
