[Bug 238873] Re: vlc in Hardy needs a security update
Dapper has not been supported since July 2009, therefore I am marking the Dapper status as Invalid.

** Changed in: vlc (Ubuntu Dapper)
       Status: New => Invalid

--
vlc in Hardy needs a security update
https://bugs.launchpad.net/bugs/238873
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 238873] Re: vlc in Hardy needs a security update
** Branch linked: lp:ubuntu/karmic/vlc
[Bug 238873] Re: vlc in Hardy needs a security update
** Branch linked: lp:~ubuntu-branches/ubuntu/hardy/vlc/hardy-security
[Bug 238873] Re: vlc in Hardy needs a security update
The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life - http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the Gutsy task.

** Changed in: vlc (Ubuntu Gutsy)
       Status: New => Won't Fix
[Bug 238873] Re: vlc in Hardy needs a security update
Ubuntu Feisty Fawn is no longer supported, so an SRU will not be issued for this release. Marking Feisty as Won't Fix.

** Changed in: vlc (Ubuntu Feisty)
       Status: New => Won't Fix
[Bug 238873] Re: vlc in Hardy needs a security update
This bug was fixed in the package vlc - 0.8.6.release.e+x264svn20071224+faad2.6.1-0ubuntu3.1

---
vlc (0.8.6.release.e+x264svn20071224+faad2.6.1-0ubuntu3.1) hardy-security; urgency=low

  * SECURITY UPDATE: multiple denials of service, arbitrary code execution and arbitrary file overwriting vulnerabilities. (LP: #238873)
    - debian/patches/032_CVE-2007-6683.diff: Assume unsafe Mozilla variable settings. Fixes file overwriting. Patch from upstream git.
    - debian/patches/033_CVE-2008-0073.diff: Check that the RTSP stream ID isn't too large. Fixes arbitrary code execution. Patch from upstream git.
    - debian/patches/034_CVE-2008-1686.diff: Check that the Speex header mode is positive. Fixes arbitrary code execution. Patch from upstream git.
    - debian/patches/038_CVE-2008-1768.diff: Fix a buffer overflow in the MP4 decoder, and an integer overflow in both the Cinepak and Real decoders. Patches from upstream git.
    - debian/patches/035_CVE-2008-1769.diff: Perform an appropriate boundary check on frames in Cinepak streams. Fixes denial of service. Patch from upstream git.
    - debian/patches/036_CVE-2008-1881.diff: Fix subtitle format strings. Properly fixes CVE-2007-6681, an arbitrary code execution vulnerability. Patch from upstream git.
    - debian/patches/037_CVE-2008-2147.diff: Only search for plugins in the normal path. Fixes arbitrary code execution. Patch from upstream git.
    - debian/patches/038_CVE-2008-2430.diff: Fix integer overflow in the WAV demuxer. Fixes arbitrary code execution. Patch from upstream git.
    - References:
      + CVE-2007-6681
      + CVE-2007-6683
      + CVE-2008-0073
      + CVE-2008-1686
      + CVE-2008-1768
      + CVE-2008-1769
      + CVE-2008-1881
      + CVE-2008-2147
      + CVE-2008-2430

 -- William Grant [EMAIL PROTECTED]  Sun, 13 Jul 2008 10:45:55 +1000

** Changed in: vlc (Ubuntu Hardy)
       Status: In Progress => Fix Released
[Bug 238873] Re: vlc in Hardy needs a security update
Thanks for your debdiff William! I'm processing it now.
[Bug 238873] Re: vlc in Hardy needs a security update
The right Hardy fix this time.

** Attachment added: hardy debdiff with CVE-2008-2430 fix
   http://launchpadlibrarian.net/15990316/hardy-new.debdiff
[Bug 238873] Re: vlc in Hardy needs a security update
Hold the phone, VLC just released 0.8.6i stating that 0.8.6h and below have a security vulnerability: http://www.videolan.org/security/sa0806.html
[Bug 238873] Re: vlc in Hardy needs a security update
That'd be:

 - CVE-2008-2430: 3de60bf5b886ad81d7c05d68dff7a1ba461c0ac1

Already fixed in Debian, which I'm merging from, so will be in Intrepid in a couple of minutes.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2430
[Bug 238873] Re: vlc in Hardy needs a security update
This bug was fixed in the package vlc - 0.8.6.release.h-1ubuntu1

---
vlc (0.8.6.release.h-1ubuntu1) intrepid; urgency=low

  * Merge from Debian unstable. (LP: #238873, #243450, #245563) Remaining changes:
    - Add PulseAudio support.
    - Enable (and build-depend on) x264 support.
    - Add Xb-Npp-.* fields to mozilla-plugin-vlc, for the Firefox plugin finder service.
    - Clean up debian/vlc.desktop.
    - Make vlc recommend vlc-plugin-pulse.
    - Install link to plugin in xulrunner 1.9 plugin directory.
    - Build against xul rather than iceape.
    - Rename the upstream tarball to match old Ubuntu convention.
    - Modify Maintainer value to match the DebianMaintainerField specification.

 -- William Grant [EMAIL PROTECTED]  Sun, 06 Jul 2008 21:53:26 +1000

** Changed in: vlc (Ubuntu Intrepid)
       Status: In Progress => Fix Released
[Bug 238873] Re: vlc in Hardy needs a security update
** Attachment added: hardy debdiff with CVE-2008-2430 fix
   http://launchpadlibrarian.net/15988726/hardy-new.debdiff

** Attachment removed: hardy debdiff with CVE-2008-2430 fix
   http://launchpadlibrarian.net/15988726/hardy-new.debdiff
[Bug 238873] Re: vlc in Hardy needs a security update
** Changed in: vlc (Ubuntu Intrepid)
     Assignee: (unassigned) => William Grant (wgrant)
       Status: Triaged => In Progress
Re: [Bug 238873] Re: vlc in Hardy needs a security update
William Grant [EMAIL PROTECTED] writes:

> ** Changed in: vlc (Ubuntu Intrepid)
>      Assignee: (unassigned) => William Grant (wgrant)
>        Status: Triaged => In Progress

FYI, I uploaded a new vlc to unstable today. You might want to merge that package instead of doing the work independently.

--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4
[Bug 238873] Re: vlc in Hardy needs a security update
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1881
[Bug 238873] Re: vlc in Hardy needs a security update
Now to find changesets for all of them:

 - CVE-2007-6681: 338264a2e56e3f780957817665b7ec8fa41dd6ff
 - CVE-2007-6683: b426b192c7712eaa08c5f55d08ef648226d6d421
 - CVE-2008-0073: 8c838a6fe5f3bdb4af4f5f73d7ac0206ea92e029
 - CVE-2008-1489: 09572892df7e72c0d4e598c0b5e076cf330d8b0a
 - CVE-2008-1686: c1c81073e661f7d80197711ab11753e1e170b44c
 - CVE-2008-1769: cf489d7bff3c1b36b2d5501ecf21129c78104d98
 - CVE-2008-1881: 94baded6eff88e39c98b6e3572826f16f21ceec3
 - CVE-2008-2147: c7cef4fdd8dd72ce0a45be3cda8ba98df5e83181

CVE-2008-1881 is the fixed fix for CVE-2007-6681. All of the CVEs I've removed from this bug are bugs in libraries with which our vlc is dynamically linked.
[Bug 238873] Re: vlc in Hardy needs a security update
** Changed in: vlc (Ubuntu Hardy)
     Assignee: (unassigned) => William Grant (wgrant)
       Status: Triaged => In Progress
[Bug 238873] Re: vlc in Hardy needs a security update
Also, one more:

 - CVE-2008-1768:
     3a6282755277ba9321d405c635e50da935d258a6,
     edca13e259472872fdfd456cf3ef4a21d1262c11,
     783ab03c7bd8ddedcd3dc5bad18efc70a4c57aaa,
     18eb4fd5a75b6429d1d7058a8967696be701a00b

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1768
[Bug 238873] Re: vlc in Hardy needs a security update
** Attachment added: hardy debdiff
   http://launchpadlibrarian.net/15560151/hardy.debdiff
[Bug 238873] Re: vlc in Hardy needs a security update
Considering the security vulnerabilities, this should really be marked high or above.

Even from a general usability standpoint, e is one of the worst VLC versions in recent memory. Numerous bugs related to AAC, mjpeg and pretty much everything else. Loads of people report sound stuttering while working fine in totem player and mplayer. I really, really hope f makes it into Hardy, especially considering the LTS nature of it...
[Bug 238873] Re: vlc in Hardy needs a security update
Indeed, the status should be high. I'm not sure why it wasn't before.

** Changed in: vlc (Ubuntu Intrepid)
   Importance: Medium => High
       Status: Confirmed => Triaged

** Changed in: vlc (Ubuntu Hardy)
   Importance: Undecided => High
       Status: New => Triaged
[Bug 238873] Re: vlc in Hardy needs a security update
** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1382

** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1423

** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1420

** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1419
[Bug 238873] Re: vlc in Hardy needs a security update
** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2109
[Bug 238873] Re: vlc in Hardy needs a security update
0.8.6f itself fixes CVE-2007-6681 (properly), CVE-2008-0073, CVE-2008-1489 and CVE-2008-1769. The Speex issue (CVE-2008-1686) is part of bug #218652, but I'll handle it here.

VLC is so secure.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-6681

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0073

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1489

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1769
[Bug 238873] Re: vlc in Hardy needs a security update
Changes between 0.8.6f and 0.8.6g

Security updates
 * Removed VLC variable settings from Mozilla and ActiveX (CVE-2007-6683, VideoLAN-SA-0804)
 * Removed loading plugins from the current directory (CVE-2008-2147, VideoLAN-SA-0805)
 * Updated libpng on Windows and Mac OS X (CVE-2008-1382)
 * Fixed libid3tag denial of service (CVE-2008-2109)
 * Fixed libvorbis vulnerabilities (CVE-2008-1419, CVE-2008-1420, CVE-2008-1423)
 * Fixed speex insufficient boundary check (CVE-2008-1686, oCERT-2008-004)

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2147

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-6683

** Changed in: vlc (Ubuntu)
   Importance: Undecided => Medium
       Status: New => Confirmed

** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-6683

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-6683

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1382

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1419

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1420

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1423

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1686

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2109