Your message dated Tue, 26 Aug 2014 13:00:09 +0000
with message-id <e1xmgm5-0004nq...@franck.debian.org>
and subject line Bug#737534: fixed in vlc 2.2.0~pre2-1
has caused the Debian Bug report #737534,
regarding vlc: unsafe use of libtar
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
737534: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737534
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: vlc
Severity: important
Tags: security

Hi,

vlc uses libtar to unpack skins, however, its use on untrusted data
exposes it to CVE-2013-4420 (#731860).

Changing the behaviour of libtar appears to be problematic because
some applications have relied on the (lack of) path sanitation (cf.
https://lists.feep.net:8080/pipermail/libtar/2013-October/000359.html
and the follow-ups).
What appears to be the safe way to handle this issue is making sure
that libtar is not used on untrusted data without file path validation
- that would mean that vlc would have to check for every file that is
about to be extracted that none contains a ../, and something similar
for symlinks.

Alternatively, vlc could just use tar(1) to unpack the tarballs, or
drop support for skins or skins in tarballs.

What do you think?

This should probably be forwarded to upstream.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

--- End Message ---
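As an added illustration of the per-entry validation the report asks for (example code written for this page; it is not VLC's, libtar's or the reporter's code): a checker that reads a 512-byte ustar header block and decides whether the entry may be written into a fresh, trusted destination directory. The policy it applies is an assumption, and is stricter than the minimum the report names: relative names only, no ".." component, and no symlink, hardlink, device or GNU/pax extension entries at all, since a skin archive has no legitimate use for them and lexical checks on symlink targets stop being sufficient once links chain through each other. The function names (tar_entry_check, make_header, check_entry) and the sample headers are constructed for the example; header checksum verification is left to the tar library.

```c
/* Added example, not VLC's or libtar's code: decide from a 512-byte ustar
 * header block whether an archive entry may be written into a fresh,
 * trusted destination directory. Policy (an assumption, stricter than the
 * bug report's minimum): relative names only, no ".." component, no
 * symlink, hardlink or device entries, no GNU/pax extension entries.
 * Header checksum verification is left to the tar library. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TAR_BLOCK 512

/* Copy a fixed-width header field that may lack a terminating NUL. */
static void get_field(char *out, size_t outsz, const char *in, size_t insz) {
    size_t n = 0;
    while (n < insz && n + 1 < outsz && in[n] != '\0') { out[n] = in[n]; n++; }
    out[n] = '\0';
}

/* True if any '/'-separated component of path is exactly "..".
 * "." and empty components collapse harmlessly and are allowed. */
static bool has_dotdot(const char *path) {
    for (const char *p = path;; ) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') return true;
        if (!end) return false;
        p = end + 1;
    }
}

/* Returns NULL if the entry is safe to extract, else a short reason.
 * Offsets follow the ustar layout: name@0[100], typeflag@156,
 * magic@257, prefix@345[155]. */
const char *tar_entry_check(const unsigned char block[TAR_BLOCK]) {
    const char *hdr = (const char *)block;
    char name[101], prefix[156], full[257];

    get_field(name, sizeof name, hdr, 100);
    get_field(prefix, sizeof prefix, hdr + 345, 155);
    /* Only ustar/GNU headers carry a prefix; V7 headers leave it zeroed. */
    if (memcmp(hdr + 257, "ustar", 5) == 0 && prefix[0] != '\0')
        snprintf(full, sizeof full, "%s/%s", prefix, name);
    else
        snprintf(full, sizeof full, "%s", name);

    switch (hdr[156]) {                       /* typeflag */
    case '0': case '\0': case '5': break;     /* regular file or directory */
    case '1': return "hardlink";              /* may alias a file outside the tree */
    case '2': return "symlink";               /* chained links defeat lexical checks */
    case '3': case '4': case '6': return "device or fifo node";
    case 'L': case 'K': return "GNU long name/link entry";
    default:  return "unsupported entry type";
    }
    if (full[0] == '\0')    return "empty name";
    if (full[0] == '/')     return "absolute path";
    if (strchr(full, '\\')) return "backslash in name";
    if (has_dotdot(full))   return "'..' component";
    return NULL;
}

/* --- constructed test data: build a header block in memory --- */
static void put_field(unsigned char *dst, size_t width, const char *s) {
    size_t n = strlen(s);
    memcpy(dst, s, n > width ? width : n);   /* a full-width field keeps no NUL */
}

void make_header(unsigned char block[TAR_BLOCK], const char *prefix,
                 const char *name, char type, const char *linkname) {
    memset(block, 0, TAR_BLOCK);
    put_field(block, 100, name);
    block[156] = (unsigned char)type;
    put_field(block + 157, 100, linkname);
    memcpy(block + 257, "ustar", 6);
    memcpy(block + 263, "00", 2);
    put_field(block + 345, 155, prefix);
}

/* Convenience wrapper: build a header and check it in one call. */
const char *check_entry(const char *prefix, const char *name, char type,
                        const char *linkname) {
    unsigned char block[TAR_BLOCK];
    make_header(block, prefix, name, type, linkname);
    return tar_entry_check(block);
}

int main(void) {
    const struct { const char *prefix, *name; char type; const char *link; } e[] = {
        { "",     "skin/theme.xml",              '0', "" },
        { "",     "../../../home/user/.bashrc",  '0', "" },
        { "",     "/etc/passwd",                 '0', "" },
        { "",     "skin/link",                   '2', "../../../etc" },
        { "../x", "y",                           '0', "" },
    };
    for (size_t i = 0; i < sizeof e / sizeof e[0]; i++) {
        const char *why = check_entry(e[i].prefix, e[i].name, e[i].type, e[i].link);
        printf("%-30s %s\n", e[i].name, why ? why : "ok");
    }
    return 0;
}
```

The check must run on every header before anything is written, and the destination must be a freshly created directory the attacker could not have seeded with symlinks; otherwise an earlier entry (or a pre-existing link) can turn a lexically clean name into a write outside the tree. Rejecting 'L'/'K' and pax entries costs long-name support, which a skin archive can live without.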
--- Begin Message ---
Source: vlc
Source-Version: 2.2.0~pre2-1

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 737...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siret...@tauware.de> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 16 Aug 2014 18:39:45 -0400
Source: vlc
Binary: libvlc-dev libvlc5 libvlccore-dev libvlccore8 vlc vlc-data vlc-dbg vlc-nox vlc-plugin-fluidsynth vlc-plugin-jack vlc-plugin-notify vlc-plugin-pulse vlc-plugin-sdl vlc-plugin-svg vlc-plugin-zvbi
Architecture: source amd64 all
Version: 2.2.0~pre2-1
Distribution: unstable
Urgency: medium
Maintainer: Reinhard Tartler <siret...@debian.org>
Changed-By: Reinhard Tartler <siret...@tauware.de>
Description:
 libvlc-dev - development files for libvlc
 libvlc5    - multimedia player and streamer library
 libvlccore-dev - development files for libvlccore
 libvlccore8 - base library for VLC and its modules
 vlc        - multimedia player and streamer
 vlc-data   - Common data for VLC
 vlc-dbg    - debugging symbols for vlc
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-fluidsynth - FluidSynth plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-notify - LibNotify plugin for VLC
 vlc-plugin-pulse - PulseAudio plugin for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svg - SVG plugin for VLC
 vlc-plugin-zvbi - VBI teletext plugin for VLC
Closes: 737534 756329 757951 758203 758382
Changes:
 vlc (2.2.0~pre2-1) unstable; urgency=medium
 .
   [ Sebastian Ramacher ]
   * debian/patches/freerdp-1.1.0-beta2-API.patch: Apply upstream patch to
     support FreeRDP 1.1.0-beta2 API. (Closes: #757951)
 .
   [ Reinhard Tartler ]
   * New upstream release.
     - Fixes incorrect usage of AVFrame (Closes: #756329)
     - Fixes compilation against newer freerdp: (Closes: #758382, 757951)
   * Bump requirements on libdvdnav and libdvdread
   * Fixes compilation against libav11 (Closes: #758203)
   * Drop patches merged upstream
   * Refresh Hurd patch
   * Update installation paths for several modules
   * Disable libtar support (Closes: #737534)
   * Follow upstream SONAME bump libvlccore7 -> libvlccore8
Checksums-Sha1:
 0139cb0f3f096c9ccc914ed1aa11d251cf274648 4996 vlc_2.2.0~pre2-1.dsc
 83ebd626919f24085340aaf45ac192cd51ba0b84 20374604 vlc_2.2.0~pre2.orig.tar.xz
 ddf1aeb1cdac01b5097a3df9061ef52a3b3dd3a2 57100 vlc_2.2.0~pre2-1.debian.tar.xz
 e2183a1903fbcdd9c4ce14a13998d7203b953799 26658 libvlc-dev_2.2.0~pre2-1_amd64.deb
 2ea0a9ea45dfc12a02d81d72f8f076b883cafd2b 43346 libvlc5_2.2.0~pre2-1_amd64.deb
 5d2c852f98760e88cec1300de1c4dcc47ef80fc8 116798 libvlccore-dev_2.2.0~pre2-1_amd64.deb
 fb6b37426890a0ef79eba0f24df89d3f628019a2 355876 libvlccore8_2.2.0~pre2-1_amd64.deb
 1620d19d35e08baabb048128bffb6f02c3218450 1325314 vlc_2.2.0~pre2-1_amd64.deb
 e9e0ef9d84e012d6d523873af93a3c46a77d87a9 5269900 vlc-data_2.2.0~pre2-1_all.deb
 b3fa8c4c13f400f4a9222e1d56facb86f62139fb 23100948 vlc-dbg_2.2.0~pre2-1_amd64.deb
 1c45be5c2ddc085c92c2bfef4c0e9536736fd02a 2361444 vlc-nox_2.2.0~pre2-1_amd64.deb
 d25b03912c5686408efc83ad3bfbb9e7597062b1 5674 vlc-plugin-fluidsynth_2.2.0~pre2-1_amd64.deb
 caa1c8ff59613ade45c9303063cb2b7c8ba18b4d 10958 vlc-plugin-jack_2.2.0~pre2-1_amd64.deb
 ada52f53fd29f997999cb96fd310f3720b73b7b7 5418 vlc-plugin-notify_2.2.0~pre2-1_amd64.deb
 d2e1f357b96c349ed51b4d495a3dd70acc65d07b 17654 vlc-plugin-pulse_2.2.0~pre2-1_amd64.deb
 14b957afc9285432ae6b30ad85e9eeddd2cc394b 7942 vlc-plugin-sdl_2.2.0~pre2-1_amd64.deb
 1a3a414be4ea370741051e0c5a3bcf099c19c74d 6002 vlc-plugin-svg_2.2.0~pre2-1_amd64.deb
 2503f755049295e49692a5613a2ad62671920e0f 11042 vlc-plugin-zvbi_2.2.0~pre2-1_amd64.deb
Checksums-Sha256:
 d8f466bb0d9262e1e7bd532d30608a74ceedc0a75e9cec4150683d437ce6c146 4996 vlc_2.2.0~pre2-1.dsc
 2370dd24aab71aeb4010aabd3fdfdf5da8763bb24948b590c088a845a7f4b067 20374604 vlc_2.2.0~pre2.orig.tar.xz
 ec5897fdefe504ec2e4f16e184597b4a1ba9aba34075d67e292bb4f19b7033fc 57100 vlc_2.2.0~pre2-1.debian.tar.xz
 d8808ae7ddc31b814e1fdc5f41fe01b7141fbef938bd2f458152fe73f77db21b 26658 libvlc-dev_2.2.0~pre2-1_amd64.deb
 bbba491e75e166e842735831cd9e3a4b1bd034c77636f10f9ac0e6bab1385209 43346 libvlc5_2.2.0~pre2-1_amd64.deb
 ca3b479df603727fe55c8bba939bc8b8b322f8280204722b50b6248a0f438926 116798 libvlccore-dev_2.2.0~pre2-1_amd64.deb
 d8fc89811977ae5285b3b0bab88315a6649d6124db9abf7d6ffa3858cdef2c37 355876 libvlccore8_2.2.0~pre2-1_amd64.deb
 68aad4b109773332322c0298fd4d742b498e04c49fc2b60e816fcbfd29e8711b 1325314 vlc_2.2.0~pre2-1_amd64.deb
 20cd3d67831b9c698ba0bcf7e56ae0fc7d71673cd0d701aab025d8a5a82b5bf0 5269900 vlc-data_2.2.0~pre2-1_all.deb
 31eef9ec3312302aefa69db2f17d1ccf3dd7d7a8e33a0787d1a9e52c25b7b863 23100948 vlc-dbg_2.2.0~pre2-1_amd64.deb
 e5ed03680295377b68b4bd4b4b4a08ab480aee96be14e3b85d17c8b55a4a8869 2361444 vlc-nox_2.2.0~pre2-1_amd64.deb
 144cc7f946bbcf0818da920ac1747ab47465a3bbd927a5cda0a568af9b0538a3 5674 vlc-plugin-fluidsynth_2.2.0~pre2-1_amd64.deb
 e7bdbcbaea834b26977772bd7492aee10c6365fc130878430604d345965ae3f0 10958 vlc-plugin-jack_2.2.0~pre2-1_amd64.deb
 782813f332d277cf76f137c69d2802332208c858c36377efb0aa1778c57af382 5418 vlc-plugin-notify_2.2.0~pre2-1_amd64.deb
 ea7a30550c419416d39b4a2890b408c393cb5d30863568a2543e8ada566738db 17654 vlc-plugin-pulse_2.2.0~pre2-1_amd64.deb
 98ff4bf0138b7278f6a87caa23401976fc2af1911d30a4446421fffc5b39c0cd 7942 vlc-plugin-sdl_2.2.0~pre2-1_amd64.deb
 56511f544332ef091ecfc0fff62af8a26bd89607ee9d8aa6157be1294d1abc9e 6002 vlc-plugin-svg_2.2.0~pre2-1_amd64.deb
 59e0f8b40662a895167912ee0aca75ee8180dc0ff688610b7ffea7525cf09f26 11042 vlc-plugin-zvbi_2.2.0~pre2-1_amd64.deb
Files:
 9013773bd709f5d0b9448e3f2d3362f3 26658 libdevel optional libvlc-dev_2.2.0~pre2-1_amd64.deb
 45db0b303be916ec8786193cfeb1d40a 43346 libs optional libvlc5_2.2.0~pre2-1_amd64.deb
 a737eea6ae8b0dad6d2a073e42da903f 116798 libdevel optional libvlccore-dev_2.2.0~pre2-1_amd64.deb
 125498b0eb5039a0251e4b16d9129b10 355876 libs optional libvlccore8_2.2.0~pre2-1_amd64.deb
 48db8618db81aa89e68207fb4ec98ce9 1325314 video optional vlc_2.2.0~pre2-1_amd64.deb
 9858d8845dd91cd6434a8e19cf7a8577 5269900 video optional vlc-data_2.2.0~pre2-1_all.deb
 b8d143289e243600bb08c37176fc3e7f 23100948 debug extra vlc-dbg_2.2.0~pre2-1_amd64.deb
 1e0f0b56b8804b504fcb71ca58b6bdb3 2361444 video optional vlc-nox_2.2.0~pre2-1_amd64.deb
 5c26fefb7586ae8397ffa3beef65ac2b 5674 video optional vlc-plugin-fluidsynth_2.2.0~pre2-1_amd64.deb
 cf7e6e1e51bd653ce4fc8c375bc14916 10958 video optional vlc-plugin-jack_2.2.0~pre2-1_amd64.deb
 1a8329aa2de4e9c28538c5f0ec4809dc 5418 video optional vlc-plugin-notify_2.2.0~pre2-1_amd64.deb
 e6f89806692277e8c734631234867d31 17654 video optional vlc-plugin-pulse_2.2.0~pre2-1_amd64.deb
 9b28851f1d4802a25092ec9985c7ce0e 7942 video optional vlc-plugin-sdl_2.2.0~pre2-1_amd64.deb
 5d2ef65dd0f00687233f1ff4c77db825 6002 video optional vlc-plugin-svg_2.2.0~pre2-1_amd64.deb
 2aa7d20c47c2cb6c659f12478531723b 11042 video optional vlc-plugin-zvbi_2.2.0~pre2-1_amd64.deb
 f3609efd5137ce6f2979ea18b4531da0 4996 video optional vlc_2.2.0~pre2-1.dsc
 6a4bda79c7af131c2e94e19bc6548843 20374604 video optional vlc_2.2.0~pre2.orig.tar.xz
 544eed3dadc4f08b85ae9cb82de61e96 57100 video optional vlc_2.2.0~pre2-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
