Bug#932241: vlc: CVE-2019-13615



On Tuesday, 23 July 2019, 23:32:58 EEST, Salvatore Bonaccorso wrote:
> hi Sebastian,
> 
> On Tue, Jul 23, 2019 at 09:24:29PM +0200, Sebastian Ramacher wrote:
> > Hi Salvatore
> > 
> > On 2019-07-16 22:36:50, Salvatore Bonaccorso wrote:
> > > Source: vlc
> > > Version: 3.0.7.1-2
> > > Severity: important
> > > Tags: security upstream
> > > Forwarded: https://trac.videolan.org/vlc/ticket/22474
> > > Control: found -1 3.0.7.1-1
> > > Control: found -1 3.0.7-1
> > > Control: found -1 3.0.7-0+deb9u1
> > > 
> > > Hi,
> > > 
> > > The following vulnerability was published for vlc, sorry another one.
> > > For buster, stretch I think we can follow the usual strategy and
> > > release a new upstream stable version once available.
> > > 
> > > CVE-2019-13615[0]:
> > > | VideoLAN VLC media player 3.0.7.1 has a heap-based buffer over-read in
> > > | mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when
> > > | called from mkv::Open in modules/demux/mkv/mkv.cpp.
> > > 
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > > 
> > > For further information see:
> > > 
> > > [0] https://security-tracker.debian.org/tracker/CVE-2019-13615
> > > 
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13615
> > > 
> > > [1] https://trac.videolan.org/vlc/ticket/22474
> > 
> > FWIW, this issue is disputed upstream.
> > 
> > Cheers
> > 
> > > Please adjust the affected versions in the BTS as needed.
> 
> Ack, let's see what will be the outcome. Thanks in any case for the
> heads-up on the disputed state upstream!

Hi,

The PoC on that bug report does not crash in Debian unstable.

However, that same PoC triggers an overlapping memcpy() within libebml, so there 
is probably still an undefined-behaviour bug in newer libebml, but that is 
probably not security-relevant in practice.

Also it seems that libebml silently broke binary compatibility. At least, 
installing a recent "fixed" libebml .deb on Ubuntu 18.04 leads to VLC crashing 
badly. Though at this point, I guess that problem affects only Ubuntu, not 
Debian anymore.

-- 
レミ・デニ-クールモン
http://www.remlab.net/
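The overlapping memcpy() mentioned above is undefined behaviour in C even when it happens to produce the right bytes on a given libc, which is why it shows up under a sanitizer build without necessarily crashing a normal build. The following is an added illustration of that point, not code from VLC, libebml or this thread: a naive in-place shift that copies between overlapping ranges with memcpy(), next to the memmove() version that the C standard defines for overlap. The buffer contents and helper names are constructed for the example.

```c
/* Added example, not libebml or VLC code: an overlapping memcpy() is
 * undefined behaviour; memmove() is the defined replacement. Build with
 *   cc -g -fsanitize=address overlap.c -o overlap && ./overlap
 * to have AddressSanitizer report "memcpy-param-overlap" on the first call,
 * which is the kind of finding a PoC can trigger without a visible crash. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 64 /* constructed buffer size for the example */

/* Make room for one byte at the front by shifting the first n bytes right.
 * Source [buf, buf+n) and destination [buf+1, buf+1+n) overlap, so this
 * memcpy() is undefined behaviour: an optimized memcpy() may copy in
 * chunks or backwards and silently corrupt the data. */
static void shift_right_memcpy(uint8_t *buf, size_t n)
{
    memcpy(buf + 1, buf, n); /* UB: overlapping ranges */
}

/* Correct version: memmove() is specified to handle overlapping ranges. */
static void shift_right_memmove(uint8_t *buf, size_t n)
{
    memmove(buf + 1, buf, n);
}

/* Fill a buffer with a known pattern, shift it right by one with the chosen
 * routine, and return 1 if buf[1..n] still equals the original buf[0..n-1]
 * (i.e. the data survived the shift), 0 otherwise. Only the memmove path
 * has a defined result; the memcpy path is what a sanitizer flags. */
int shift_preserves_data(int use_memmove)
{
    uint8_t buf[BUF_LEN];
    uint8_t orig[BUF_LEN];
    size_t n = BUF_LEN - 1;

    for (size_t i = 0; i < BUF_LEN; i++)
        buf[i] = orig[i] = (uint8_t)i;

    if (use_memmove)
        shift_right_memmove(buf, n);
    else
        shift_right_memcpy(buf, n);

    return memcmp(buf + 1, orig, n) == 0;
}

int main(void)
{
    /* Under ASan the first call aborts with a memcpy-param-overlap report
     * before printing; without ASan the result is whatever the libc did. */
    printf("memcpy  (UB):      data intact = %d\n", shift_preserves_data(0));
    printf("memmove (defined): data intact = %d\n", shift_preserves_data(1));
    return 0;
}
```

The practical check is the build flag, not the printed value: a plain build may print 1 for both calls and hide the defect, while `-fsanitize=address` turns the overlapping call into a hard report that can be attached to an upstream ticket.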