Bug#915760: marked as done (vlc: CVE-2018-19857)



Your message dated Sun, 09 Dec 2018 21:27:25 +0000
with message-id <E1gW6bl-000FPh-Be@fasolo.debian.org>
and subject line Bug#915760: fixed in vlc 3.0.4-4
has caused the Debian Bug report #915760,
regarding vlc: CVE-2018-19857
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
915760: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915760
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: vlc
Version: 3.0.4-3
Severity: important
Tags: patch security upstream

Hi,

The following vulnerability was published for vlc.

CVE-2018-19857[0]:
| The CAF demuxer in modules/demux/caf.c in VideoLAN VLC media player
| 3.0.4 may read memory from an uninitialized pointer when processing
| magic cookies in CAF files, because a ReadKukiChunk() cast converts a
| return value to an unsigned int even if that value is negative. This
| could result in a denial of service and/or a potential infoleak.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19857
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19857
[1] https://dyntopia.com/advisories/013-vlc
[2] https://git.videolan.org/?p=vlc.git;a=commit;h=0cc5ea748ee5ff7705dde61ab15dff8f58be39d0

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
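As an added illustration of the bug class named in the report above (constructed example, not code from VLC or from the referenced upstream commit): a stand-in peek routine `peek_bytes` that returns a byte count or -1, beside two guard functions, `guard_vulnerable` and `guard_fixed`, showing how casting a negative return value to `unsigned int` lets the size check pass on error, and how testing the sign first rejects it. The function names, the fixed buffer and the error-reporting convention are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed "stream" content standing in for a CAF file's bytes. */
static const uint8_t kStream[] = { 0x01, 0x02, 0x03, 0x04 };

/* Hypothetical peek: publishes a pointer to buffered data in *out and
 * returns how many bytes are readable, or -1 on error.  On error *out is
 * deliberately left untouched, mirroring the behaviour the CVE relies on. */
static ssize_t peek_bytes(const uint8_t **out, uint64_t want, int fail)
{
    if (fail)
        return -1;                        /* caller's pointer stays unset */
    *out = kStream;
    return want < sizeof kStream ? (ssize_t)want : (ssize_t)sizeof kStream;
}

/* Vulnerable guard: -1 cast to unsigned int becomes UINT_MAX, so the
 * "< i_size" test never fires on error and the caller would go on to parse
 * through p_peek, which was never assigned.  Returns 1 if the guard lets
 * processing continue, 0 if it rejects the chunk. */
static int guard_vulnerable(uint64_t i_size, int fail)
{
    const uint8_t *p_peek;                /* uninitialized, as in the bug */
    ssize_t ret = peek_bytes(&p_peek, i_size, fail);
    if ((unsigned int)ret < i_size)
        return 0;
    return 1;                             /* would now read via p_peek */
}

/* Hardened guard: check for a negative result before any unsigned
 * conversion, then compare the byte count against the requested size. */
static int guard_fixed(uint64_t i_size, int fail)
{
    const uint8_t *p_peek = NULL;
    ssize_t ret = peek_bytes(&p_peek, i_size, fail);
    if (ret < 0 || (uint64_t)ret < i_size)
        return 0;
    return 1;
}

int main(void)
{
    printf("error path, vulnerable guard accepts: %d\n", guard_vulnerable(16, 1));
    printf("error path, fixed guard accepts:      %d\n", guard_fixed(16, 1));
    printf("short data, fixed guard accepts:      %d\n", guard_fixed(16, 0));
    printf("enough data, fixed guard accepts:     %d\n", guard_fixed(2, 0));
    return 0;
}
```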
--- Begin Message ---
Source: vlc
Source-Version: 3.0.4-4

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 915760@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 09 Dec 2018 21:02:57 +0100
Source: vlc
Binary: vlc libvlc-dev libvlc5 libvlccore-dev libvlccore9 libvlc-bin vlc-bin vlc-data vlc-l10n vlc-plugin-base vlc-plugin-access-extra vlc-plugin-video-output vlc-plugin-video-splitter vlc-plugin-visualization vlc-plugin-skins2 vlc-plugin-qt vlc-plugin-fluidsynth vlc-plugin-jack vlc-plugin-notify vlc-plugin-svg vlc-plugin-samba vlc-plugin-zvbi
Architecture: source
Version: 3.0.4-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Description:
 libvlc-bin - tools for VLC's base library
 libvlc-dev - development files for libvlc
 libvlc5    - multimedia player and streamer library
 libvlccore-dev - development files for libvlccore
 libvlccore9 - base library for VLC and its modules
 vlc        - multimedia player and streamer
 vlc-bin    - binaries from VLC
 vlc-data   - common data for VLC
 vlc-l10n   - translations for VLC
 vlc-plugin-access-extra - multimedia player and streamer (extra access plugins)
 vlc-plugin-base - multimedia player and streamer (base plugins)
 vlc-plugin-fluidsynth - FluidSynth plugin for VLC
 vlc-plugin-jack - JACK audio plugins for VLC
 vlc-plugin-notify - LibNotify plugin for VLC
 vlc-plugin-qt - multimedia player and streamer (Qt plugin)
 vlc-plugin-samba - Samba plugin for VLC
 vlc-plugin-skins2 - multimedia player and streamer (Skins2 plugin)
 vlc-plugin-svg - SVG plugin for VLC
 vlc-plugin-video-output - multimedia player and streamer (video output plugins)
 vlc-plugin-video-splitter - multimedia player and streamer (video splitter plugins)
 vlc-plugin-visualization - multimedia player and streamer (visualization plugins)
 vlc-plugin-zvbi - transitional dummy package
Closes: 915760
Changes:
 vlc (3.0.4-4) unstable; urgency=medium
 .
   * debian/patches: Apply upstream patch to fix integer underflow
     (CVE-2018-19857). (Closes: #915760)


--- End Message ---