
Bug#776155: unblock: vlc/2.2.0~rc2-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package vlc. 2.2.0~rc2-2 fixes multiple security
vulnerabilities.

unblock vlc/2.2.0~rc2-2

Cheers
-- 
Sebastian Ramacher
diff -Nru vlc-2.2.0~rc2/debian/changelog vlc-2.2.0~rc2/debian/changelog
--- vlc-2.2.0~rc2/debian/changelog	2014-11-23 13:14:12.000000000 +0100
+++ vlc-2.2.0~rc2/debian/changelog	2015-01-21 22:42:06.000000000 +0100
@@ -1,3 +1,17 @@
+vlc (2.2.0~rc2-2) unstable; urgency=medium
+
+  * debian/patches: Apply upstream patches for security vulnerabilities.
+    (Closes: #775866)
+    - codec-schroedinger-fix-potential-buffer-overflow.patch: fix potential
+      buffer overflow. (CVE-2014-9629)
+    - demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch: fix buffer
+      overflow in parsing of string boxes. (CVE-2014-9626, CVE-2014-9627,
+      CVE-2014-9628)
+    - stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch: don't use
+      VLA for user controlled data. (CVE-2014-9630)
+
+ -- Sebastian Ramacher <sramacher@debian.org>  Wed, 21 Jan 2015 22:41:57 +0100
+
 vlc (2.2.0~rc2-1) unstable; urgency=medium
 
   * New upstream release.
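Review bot: the changelog declares urgency=medium for an upload whose only purpose is to ship fixes for five CVEs; Debian uploads carrying security fixes conventionally use urgency=high to shorten the testing migration delay. Since jessie is frozen and this bug is the unblock request, the release team's hint will drive migration either way, so this is a nit rather than a blocker. The Closes: #775866 reference matches the Bug-Debian header on all three patches.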
diff -Nru vlc-2.2.0~rc2/debian/patches/codec-schroedinger-fix-potential-buffer-overflow.patch vlc-2.2.0~rc2/debian/patches/codec-schroedinger-fix-potential-buffer-overflow.patch
--- vlc-2.2.0~rc2/debian/patches/codec-schroedinger-fix-potential-buffer-overflow.patch	1970-01-01 01:00:00.000000000 +0100
+++ vlc-2.2.0~rc2/debian/patches/codec-schroedinger-fix-potential-buffer-overflow.patch	2015-01-21 22:57:50.000000000 +0100
@@ -0,0 +1,29 @@
+From: Fabian Yamaguchi <fyamagu@gwdg.de>
+Subject: [PATCH] codec: schroedinger: fix potential buffer overflow.
+ The variable len is a raw 32 bit value read using GetDWBE. If this
+ value is larger than UINT32_MAX - sizeof(eos), this will cause an
+ integer overflow in the subsequent call to malloc, and finally a
+ buffer overflow when calling memcpy. We fix this by checking len
+ accordingly.
+Origin: upstream, http://git.videolan.org/?p=vlc.git;a=commitdiff;h=9bb0353a5c63a7f8c6fc853faa3df4b4df1f5eb5
+Bug-Debian: https://bugs.debian.org/775866
+Last-Update: 2015-01-21
+
+diff --git a/modules/codec/schroedinger.c b/modules/codec/schroedinger.c
+index f48aa2b..977afca 100644
+--- a/modules/codec/schroedinger.c
++++ b/modules/codec/schroedinger.c
+@@ -1548,6 +1548,10 @@ static block_t *Encode( encoder_t *p_enc, picture_t *p_pic )
+                      * is appended to the sequence header to allow guard
+                      * against poor streaming servers */
+                     /* XXX, should this be done using the packetizer ? */
++
++                    if( len > UINT32_MAX - sizeof( eos ) )
++                        return NULL;
++
+                     p_enc->fmt_out.p_extra = malloc( len + sizeof( eos ) );
+                     if( !p_enc->fmt_out.p_extra )
+                         return NULL;
+-- 
+2.1.4
+
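Review bot: the new guard `if( len > UINT32_MAX - sizeof( eos ) )` only does useful work where `size_t` is 32 bits; on LP64 targets `len + sizeof( eos )` is computed in 64 bits and cannot wrap, so the check is correct but redundant there, which is acceptable. What the hunk does not show is the memcpy the description mentions: the guard bounds `len` against integer overflow, not against the amount of data actually available to copy, so confirm separately that `len` is also validated against the size of the source buffer before the copy runs.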
diff -Nru vlc-2.2.0~rc2/debian/patches/demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch vlc-2.2.0~rc2/debian/patches/demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch
--- vlc-2.2.0~rc2/debian/patches/demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch	1970-01-01 01:00:00.000000000 +0100
+++ vlc-2.2.0~rc2/debian/patches/demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch	2015-01-21 23:00:13.000000000 +0100
@@ -0,0 +1,28 @@
+From: Fabian Yamaguchi <fyamagu@gwdg.de>
+Subject: [PATCH] demux: mp4: fix buffer overflow in parsing of string boxes.
+ We ensure that pbox->i_size is never smaller than 8 to avoid an
+ integer underflow in the third argument of the subsequent call to
+ memcpy. We also make sure no truncation occurs when passing values
+ derived from the 64 bit integer p_box->i_size to arguments of malloc
+ and memcpy that may be 32 bit integers on 32 bit platforms.
+Origin: upstream, http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=914462405f8e90d9b2b1184ff047fdfb1f800b48
+Bug-Debian: https://bugs.debian.org/775866
+Last-Update: 2015-01-21
+
+diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
+index 19e84d3..3912e7e 100644
+--- a/modules/demux/mp4/libmp4.c
++++ b/modules/demux/mp4/libmp4.c
+@@ -2667,6 +2667,9 @@ static int MP4_ReadBox_name( stream_t *p_stream, MP4_Box_t *p_box )
+ {
+     MP4_READBOX_ENTER( MP4_Box_data_name_t );
+ 
++    if( p_box->i_size < 8 || p_box->i_size > SIZE_MAX )
++        MP4_READBOX_EXIT( 0 );
++
+     p_box->data.p_name->psz_text = malloc( p_box->i_size + 1 - 8 ); /* +\0, -name, -size */
+     if( p_box->data.p_name->psz_text == NULL )
+         MP4_READBOX_EXIT( 0 );
+-- 
+2.1.4
+
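Review bot: in `if( p_box->i_size < 8 || p_box->i_size > SIZE_MAX )`, the second comparison is always false on 64-bit targets where `i_size` (described above as a 64-bit integer) and `SIZE_MAX` have the same width, so compilers with -Wtype-limits will warn about a comparison that is always false; the check is still correct and needed on 32-bit platforms, so a comment stating that it exists for those targets would help the next reader. The `i_size < 8` half is the important part: with it in place `p_box->i_size + 1 - 8` on the following line can no longer underflow. As with the other patches, the memcpy that the description mentions is outside the visible context, so verify that its length argument is derived from the same checked `i_size`.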
diff -Nru vlc-2.2.0~rc2/debian/patches/series vlc-2.2.0~rc2/debian/patches/series
--- vlc-2.2.0~rc2/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ vlc-2.2.0~rc2/debian/patches/series	2015-01-21 12:30:01.000000000 +0100
@@ -0,0 +1,3 @@
+codec-schroedinger-fix-potential-buffer-overflow.patch
+demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch
+stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch
diff -Nru vlc-2.2.0~rc2/debian/patches/stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch vlc-2.2.0~rc2/debian/patches/stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch
--- vlc-2.2.0~rc2/debian/patches/stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch	1970-01-01 01:00:00.000000000 +0100
+++ vlc-2.2.0~rc2/debian/patches/stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch	2015-01-21 23:00:35.000000000 +0100
@@ -0,0 +1,47 @@
+From: Fabian Yamaguchi <fyamagu@gwdg.de>
+Subject: [PATCH] stream_out: rtp: don't use VLA for user controlled data
+ It should fix a possible invalid memory access
+ .
+ When streaming ogg-files via rtp, an ogg-file can trigger an invalid
+ write access using an overly long 'configuration' string.
+ .
+ The original code attemps to allocate space to hold the string on the stack
+ and hence, cannot verify if allocation succeeds. Instead, we now allocate the
+ buffer on the heap and return if allocation fails.
+ .
+ In detail, rtp_packetize_xiph_config allocates a buffer on the stack at (1) where
+ the size depends on the local variable 'len'. The variable 'len' is
+ calculated at (0) to be the length of a string contained in a specially
+ crafted Ogg Vorbis file, and therefore, it is attacker-controlled.
+Origin: upstream, http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=3199c5dd837bc641962e9c1c8d0cd2d7c9b8bb37
+Bug-Debian: https://bugs.debian.org/775866
+Last-Update: 2015-01-21
+
+diff --git a/modules/stream_out/rtpfmt.c b/modules/stream_out/rtpfmt.c
+index baee82a..ff7ea10 100644
+--- a/modules/stream_out/rtpfmt.c
++++ b/modules/stream_out/rtpfmt.c
+@@ -557,7 +557,11 @@ int rtp_packetize_xiph_config( sout_stream_id_sys_t *id, const char *fmtp,
+     char *end = strchr(start, ';');
+     assert(end != NULL);
+     size_t len = end - start;
+-    char b64[len + 1];
++
++    char *b64 = malloc(len + 1);
++    if(!b64)
++        return VLC_EGENERIC;
++
+     memcpy(b64, start, len);
+     b64[len] = '\0';
+ 
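Review bot: `if(!b64)` does not match the spacing style of the surrounding code (`if (i_data <= 9)` in the next hunk); use `if (!b64)`. More substantively, the heap allocation removes the stack VLA but the length is still derived from `strchr(start, ';')`, which is validated only by `assert(end != NULL)`; with NDEBUG defined that assert compiles away and a `fmtp` string without a `;` would leave `end` NULL before `end - start` is computed. That is pre-existing and out of scope for this patch, but it deserves a follow-up.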
+@@ -567,6 +571,7 @@ int rtp_packetize_xiph_config( sout_stream_id_sys_t *id, const char *fmtp,
+     int i_data;
+ 
+     i_data = vlc_b64_decode_binary(&p_orig, b64);
++    free(b64);
+     if (i_data <= 9)
+     {
+         free(p_orig);
+-- 
+2.1.4
+
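Review bot: `free(b64)` is placed immediately after `vlc_b64_decode_binary(&p_orig, b64)` and before the `i_data <= 9` error branch, so both the success path and the failure path (which frees `p_orig`) release it; that is the right spot. Lines 564 through 566 of rtpfmt.c lie between the two hunks and are not shown: confirm there is no early `return` in that gap, otherwise a buffer that was previously reclaimed automatically as a VLA would now leak.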