
Bug#776155: marked as done (unblock: vlc/2.2.0~rc2-2)



Your message dated Sat, 24 Jan 2015 23:04:28 +0100
with message-id <54C416EC.4010900@thykier.net>
and subject line Re: Bug#776155: unblock: vlc/2.2.0~rc2-2
has caused the Debian Bug report #776155,
regarding unblock: vlc/2.2.0~rc2-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
776155: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776155
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package vlc. 2.2.0~rc2-2 fixes multiple security
vulnerabilities.

unblock vlc/2.2.0~rc2-2

Cheers
-- 
Sebastian Ramacher
diff -Nru vlc-2.2.0~rc2/debian/changelog vlc-2.2.0~rc2/debian/changelog
--- vlc-2.2.0~rc2/debian/changelog	2014-11-23 13:14:12.000000000 +0100
+++ vlc-2.2.0~rc2/debian/changelog	2015-01-21 22:42:06.000000000 +0100
@@ -1,3 +1,17 @@
+vlc (2.2.0~rc2-2) unstable; urgency=medium
+
+  * debian/patches: Apply upstream patches for security vulnerabilities.
+    (Closes: #775866)
+    - codec-schroedinger-fix-potential-buffer-overflow.patch: fix potential
+      buffer overflow. (CVE-2014-9629)
+    - demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch: fix buffer
+      overflow in parsing of string boxes. (CVE-2014-9626, CVE-2014-9627,
+      CVE-2014-9628)
+    - stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch: don't use
+      VLA for user controlled data. (CVE-2014-9630)
+
+ -- Sebastian Ramacher <sramacher@debian.org>  Wed, 21 Jan 2015 22:41:57 +0100
+
 vlc (2.2.0~rc2-1) unstable; urgency=medium
 
   * New upstream release.
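Review bot: the entry for demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch assigns three CVE ids (CVE-2014-9626, CVE-2014-9627, CVE-2014-9628) to a single patch whose own header describes two distinct checks (the `i_size < 8` underflow and the 64-to-32 bit truncation of `p_box->i_size`), so a reader of the changelog cannot tell which id is closed by which check; a one-line per-CVE mapping here or in the patch description would make later audits of this upload easier. Otherwise the three sub-entries match debian/patches/series one for one and the `(Closes: #775866)` agrees with the Bug-Debian field in each patch header.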
diff -Nru vlc-2.2.0~rc2/debian/patches/codec-schroedinger-fix-potential-buffer-overflow.patch vlc-2.2.0~rc2/debian/patches/codec-schroedinger-fix-potential-buffer-overflow.patch
--- vlc-2.2.0~rc2/debian/patches/codec-schroedinger-fix-potential-buffer-overflow.patch	1970-01-01 01:00:00.000000000 +0100
+++ vlc-2.2.0~rc2/debian/patches/codec-schroedinger-fix-potential-buffer-overflow.patch	2015-01-21 22:57:50.000000000 +0100
@@ -0,0 +1,29 @@
+From: Fabian Yamaguchi <fyamagu@gwdg.de>
+Subject: [PATCH] codec: schroedinger: fix potential buffer overflow.
+ The variable len is a raw 32 bit value read using GetDWBE. If this
+ value is larger than UINT32_MAX - sizeof(eos), this will cause an
+ integer overflow in the subsequent call to malloc, and finally a
+ buffer overflow when calling memcpy. We fix this by checking len
+ accordingly.
+Origin: upstream, http://git.videolan.org/?p=vlc.git;a=commitdiff;h=9bb0353a5c63a7f8c6fc853faa3df4b4df1f5eb5
+Bug-Debian: https://bugs.debian.org/775866
+Last-Update: 2015-01-21
+
+diff --git a/modules/codec/schroedinger.c b/modules/codec/schroedinger.c
+index f48aa2b..977afca 100644
+--- a/modules/codec/schroedinger.c
++++ b/modules/codec/schroedinger.c
+@@ -1548,6 +1548,10 @@ static block_t *Encode( encoder_t *p_enc, picture_t *p_pic )
+                      * is appended to the sequence header to allow guard
+                      * against poor streaming servers */
+                     /* XXX, should this be done using the packetizer ? */
++
++                    if( len > UINT32_MAX - sizeof( eos ) )
++                        return NULL;
++
+                     p_enc->fmt_out.p_extra = malloc( len + sizeof( eos ) );
+                     if( !p_enc->fmt_out.p_extra )
+                         return NULL;
+-- 
+2.1.4
+
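Review bot: the new guard `if( len > UINT32_MAX - sizeof( eos ) )` is a genuine wrap-around check only where `len + sizeof( eos )` is evaluated in 32 bits; on 64-bit targets the sum is computed in 64-bit `size_t` and cannot wrap, so the guard rejects just the top few values of `len` and a value slightly below the limit still turns a raw GetDWBE field from the stream into a malloc of nearly 4 GiB. Consider bounding `len` against the amount of sequence-header data actually present rather than against the type's maximum, and confirm that `return NULL` at this point in Encode() leaves no half-initialised `p_enc->fmt_out.p_extra` behind, since the earlier state of that field is not visible in the hunk.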
diff -Nru vlc-2.2.0~rc2/debian/patches/demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch vlc-2.2.0~rc2/debian/patches/demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch
--- vlc-2.2.0~rc2/debian/patches/demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch	1970-01-01 01:00:00.000000000 +0100
+++ vlc-2.2.0~rc2/debian/patches/demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch	2015-01-21 23:00:13.000000000 +0100
@@ -0,0 +1,28 @@
+From: Fabian Yamaguchi <fyamagu@gwdg.de>
+Subject: [PATCH] demux: mp4: fix buffer overflow in parsing of string boxes.
+ We ensure that pbox->i_size is never smaller than 8 to avoid an
+ integer underflow in the third argument of the subsequent call to
+ memcpy. We also make sure no truncation occurs when passing values
+ derived from the 64 bit integer p_box->i_size to arguments of malloc
+ and memcpy that may be 32 bit integers on 32 bit platforms.
+Origin: upstream, http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=914462405f8e90d9b2b1184ff047fdfb1f800b48
+Bug-Debian: https://bugs.debian.org/775866
+Last-Update: 2015-01-21
+
+diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
+index 19e84d3..3912e7e 100644
+--- a/modules/demux/mp4/libmp4.c
++++ b/modules/demux/mp4/libmp4.c
+@@ -2667,6 +2667,9 @@ static int MP4_ReadBox_name( stream_t *p_stream, MP4_Box_t *p_box )
+ {
+     MP4_READBOX_ENTER( MP4_Box_data_name_t );
+ 
++    if( p_box->i_size < 8 || p_box->i_size > SIZE_MAX )
++        MP4_READBOX_EXIT( 0 );
++
+     p_box->data.p_name->psz_text = malloc( p_box->i_size + 1 - 8 ); /* +\0, -name, -size */
+     if( p_box->data.p_name->psz_text == NULL )
+         MP4_READBOX_EXIT( 0 );
+-- 
+2.1.4
+
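Review bot: `p_box->i_size > SIZE_MAX` is a tautology on 64-bit targets (the header describes `i_size` as a 64-bit integer and SIZE_MAX is 2^64-1 there), which is harmless but may draw a "comparison is always false" warning on those builds and only does real work on 32-bit platforms; a short comment saying so would stop the next reader from removing it. Two things the hunk does not show and that are worth confirming before the unblock: that `SIZE_MAX` is in scope in libmp4.c (it comes from <stdint.h> and the hunk adds no include), and that the memcpy following `malloc( p_box->i_size + 1 - 8 )` is bounded by the bytes actually read into the box buffer, since the new check guarantees `i_size >= 8` but says nothing about whether `i_size - 8` bytes were delivered by the stream.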
diff -Nru vlc-2.2.0~rc2/debian/patches/series vlc-2.2.0~rc2/debian/patches/series
--- vlc-2.2.0~rc2/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ vlc-2.2.0~rc2/debian/patches/series	2015-01-21 12:30:01.000000000 +0100
@@ -0,0 +1,3 @@
+codec-schroedinger-fix-potential-buffer-overflow.patch
+demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch
+stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch
diff -Nru vlc-2.2.0~rc2/debian/patches/stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch vlc-2.2.0~rc2/debian/patches/stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch
--- vlc-2.2.0~rc2/debian/patches/stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch	1970-01-01 01:00:00.000000000 +0100
+++ vlc-2.2.0~rc2/debian/patches/stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch	2015-01-21 23:00:35.000000000 +0100
@@ -0,0 +1,47 @@
+From: Fabian Yamaguchi <fyamagu@gwdg.de>
+Subject: [PATCH] stream_out: rtp: don't use VLA for user controlled data
+ It should fix a possible invalid memory access
+ .
+ When streaming ogg-files via rtp, an ogg-file can trigger an invalid
+ write access using an overly long 'configuration' string.
+ .
+ The original code attemps to allocate space to hold the string on the stack
+ and hence, cannot verify if allocation succeeds. Instead, we now allocate the
+ buffer on the heap and return if allocation fails.
+ .
+ In detail, rtp_packetize_xiph_config allocates a buffer on the stack at (1) where
+ the size depends on the local variable 'len'. The variable 'len' is
+ calculated at (0) to be the length of a string contained in a specially
+ crafted Ogg Vorbis file, and therefore, it is attacker-controlled.
+Origin: upstream, http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=3199c5dd837bc641962e9c1c8d0cd2d7c9b8bb37
+Bug-Debian: https://bugs.debian.org/775866
+Last-Update: 2015-01-21
+
+diff --git a/modules/stream_out/rtpfmt.c b/modules/stream_out/rtpfmt.c
+index baee82a..ff7ea10 100644
+--- a/modules/stream_out/rtpfmt.c
++++ b/modules/stream_out/rtpfmt.c
+@@ -557,7 +557,11 @@ int rtp_packetize_xiph_config( sout_stream_id_sys_t *id, const char *fmtp,
+     char *end = strchr(start, ';');
+     assert(end != NULL);
+     size_t len = end - start;
+-    char b64[len + 1];
++
++    char *b64 = malloc(len + 1);
++    if(!b64)
++        return VLC_EGENERIC;
++
+     memcpy(b64, start, len);
+     b64[len] = '\0';
+ 
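Review bot: replacing `char b64[len + 1];` with `malloc(len + 1)` removes the unbounded stack allocation, but the `assert(end != NULL);` two lines above is still the only check that a ';' terminator exists; in a build with NDEBUG defined that assert disappears, `end - start` is computed from a null pointer (undefined behaviour), and the heap allocation is then sized by the same bad value the VLA was. An explicit `if (end == NULL) return VLC_EGENERIC;` in place of the assert would make the new code hold up in release builds as well, at the cost of one line.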
+@@ -567,6 +571,7 @@ int rtp_packetize_xiph_config( sout_stream_id_sys_t *id, const char *fmtp,
+     int i_data;
+ 
+     i_data = vlc_b64_decode_binary(&p_orig, b64);
++    free(b64);
+     if (i_data <= 9)
+     {
+         free(p_orig);
+-- 
+2.1.4
+
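Review bot: `free(b64);` directly after `vlc_b64_decode_binary(&p_orig, b64);` is the right spot, since nothing after it references b64, but the lines between the two hunks (old lines 564 to 566, not shown) now sit between the malloc and this free; please confirm none of them returns early, otherwise the new heap buffer leaks on that path where the old VLA did not.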



--- End Message ---
--- Begin Message ---
On 2015-01-24 18:45, Sebastian Ramacher wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package vlc. 2.2.0~rc2-2 fixes multiple security
> vulnerabilities.
> 
> unblock vlc/2.2.0~rc2-2
> 
> Cheers
> 

Unblocked, thanks.

~Niels

--- End Message ---
