
Bug#783355: jessie-pu: package vlc/2.2.1-1~deb8u1



On 2016-01-01 21:25:05, Sebastian Ramacher wrote:
> Hi Julien
> 
> On 2016-01-01 20:01:46, Julien Cristau wrote:
> > Control: tag -1 confirmed
> > 
> > On Sun, Apr 26, 2015 at 13:15:45 +0200, Sebastian Ramacher wrote:
> > 
> > > Package: release.debian.org
> > > Severity: normal
> > > Tags: jessie
> > > User: release.debian.org@packages.debian.org
> > > Usertags: pu
> > > 
> > > I'd like to update vlc in jessie to the latest bug fix release in the 2.2.X
> > > series: 2.2.1. It includes fixes for potential NULL dereferences, crashes when
> > > playing FLAC and SPC files.
> > > 
> > > The Debian changelog is:
> > > 
> > > vlc (2.2.1-1~deb8u1) jessie; urgency=medium
> > > 
> > >   [ Sebastian Ramacher ]
> > >   * New upstream release.
> > >   * debian/patches: Remove patches, no longer needed.
> > > 
> > >   [ Benjamin Drung ]
> > >   * drop/rules: Drop removed --enable-glx configure flag.
> > > 
> > >  -- Sebastian Ramacher <sramacher@debian.org>  Sat, 25 Apr 2015 23:00:04 +0200
> > > 
> > So I have no particular objection to these changes (assuming none of
> > them turned out to be buggy and were reverted in 2.2.2).  I guess
> > #798763 / #798899 also apply here so you'd need a symbols file update.
> 
> Yes, the symbols file update needs to be included. Updated diffs against
> 2.2.0~rc2-2+deb8u1 are attached: vlc-debian-only.debdiff including only changes
> in debian/ and vlc.debdiff.xz for the full debdiff. The changelog is now:

Looks like the attachment was too large. The full debdiff is now at
https://people.debian.org/~sramacher/vlc.debdiff.xz.

> vlc (2.2.1-1~deb8u1) jessie; urgency=medium
> 
>   [ Sebastian Ramacher ]
>   * New upstream release.
>   * debian/patches: Removed
>     codec-schroedinger-fix-potential-buffer-overflow.patch,
>     demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch, and
>     stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch. They are
>     included upstream.
>   * debian/libvlccore8.symbols: Bump version requirements for meta data
>     change. (Closes: #798763, #798899)
> 
>   [ Benjamin Drung ]
>   * drop/rules: Drop removed --enable-glx configure flag.
> 
>  -- Sebastian Ramacher <sramacher@debian.org>  Fri, 01 Jan 2016 20:21:31 +0100
> 
> > For the next time, please bear in mind that review is faster and easier
> > if changes are small and their importance is explained.  The changelog
> > you provided is fairly sparse, meaning we get to reverse engineer what
> > happened, which does not a happy reviewer make.
> 
> I'll keep that in mind and try to be more verbose next time.
> 
> Thanks!

Cheers
-- 
Sebastian Ramacher
diff --git a/debian/changelog b/debian/changelog
index a084c54..936aa4e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,20 @@
+vlc (2.2.1-1~deb8u1) jessie; urgency=medium
+
+  [ Sebastian Ramacher ]
+  * New upstream release.
+  * debian/patches: Removed
+    codec-schroedinger-fix-potential-buffer-overflow.patch,
+    demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch, and
+    stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch. They are
+    included upstream.
+  * debian/libvlccore8.symbols: Bump version requirements for meta data
+    change. (Closes: #798763, #798899)
+
+  [ Benjamin Drung ]
+  * drop/rules: Drop removed --enable-glx configure flag.
+
+ -- Sebastian Ramacher <sramacher@debian.org>  Fri, 01 Jan 2016 20:21:31 +0100
+
 vlc (2.2.0~rc2-2+deb8u1) jessie-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
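Review bot: the entry under [ Benjamin Drung ] reads `drop/rules`, but the file this debdiff actually touches is `debian/rules`; fix the path in the changelog before upload. The three removed patches all carry `Bug-Debian: https://bugs.debian.org/775866`, so the "They are included upstream" bullet should name that bug and the upstream commits from the patches' Origin lines (9bb0353a, 91446240, 3199c5dd), which lets the release team confirm the fixes are in the 2.2.1 tarball without reading the full debdiff; that is the kind of detail Julien asked for above.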
diff --git a/debian/libvlccore8.symbols b/debian/libvlccore8.symbols
index 76f4e03..4e41834 100644
--- a/debian/libvlccore8.symbols
+++ b/debian/libvlccore8.symbols
@@ -206,7 +206,7 @@ libvlccore.so.8 libvlccore8 #MINVER#
  input_item_DelInfo@Base 2.0.0
  input_item_GetDuration@Base 2.0.0
  input_item_GetInfo@Base 2.0.0
- input_item_GetMeta@Base 2.0.0
+ input_item_GetMeta@Base 2.2.0
  input_item_GetName@Base 2.0.0
  input_item_GetTitleFbName@Base 2.0.0
  input_item_GetURI@Base 2.0.0
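Review bot: raising `input_item_GetMeta@Base` from 2.0.0 to 2.2.0 is the right way to express a changed ABI without a SONAME bump only if the generated dependency really excludes the old jessie library; that holds here because the current package is `2.2.0~rc2-2+deb8u1` and `~` sorts before the empty string in dpkg version ordering, which is worth checking explicitly with `dpkg --compare-versions 2.2.0~rc2-2+deb8u1 lt 2.2.0 && echo excluded`. Since nothing in the symbols file records what changed, a one-line description of the meta data change in the changelog would make the bump reviewable.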
@@ -215,14 +215,14 @@ libvlccore.so.8 libvlccore8 #MINVER#
  input_item_IsArtFetched@Base 2.0.0
  input_item_IsPreparsed@Base 2.0.0
  input_item_MergeInfos@Base 2.0.0
- input_item_MetaMatch@Base 2.0.0
+ input_item_MetaMatch@Base 2.2.0
  input_item_NewExt@Base 2.0.0
  input_item_NewWithType@Base 2.0.0
  input_item_PostSubItem@Base 2.0.0
  input_item_Release@Base 2.1.0
  input_item_ReplaceInfos@Base 2.0.0
  input_item_SetDuration@Base 2.0.0
- input_item_SetMeta@Base 2.0.0
+ input_item_SetMeta@Base 2.2.0
  input_item_SetName@Base 2.0.0
  input_item_SetURI@Base 2.0.0
  input_item_WriteMeta@Base 2.0.0
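Review bot: `input_item_SetMeta` and `input_item_MetaMatch` are bumped in this hunk but `input_item_WriteMeta@Base` stays at 2.0.0; if the meta data change is in the type values or structure these functions take, WriteMeta is affected the same way, so either bump it too or say in the changelog why it is unaffected.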
@@ -532,15 +532,15 @@ libvlccore.so.8 libvlccore8 #MINVER#
  vlc_meta_AddExtra@Base 2.0.0
  vlc_meta_CopyExtraNames@Base 2.0.0
  vlc_meta_Delete@Base 2.0.0
- vlc_meta_Get@Base 2.0.0
+ vlc_meta_Get@Base 2.2.0
  vlc_meta_GetExtra@Base 2.0.0
  vlc_meta_GetExtraCount@Base 2.0.0
  vlc_meta_GetStatus@Base 2.0.0
  vlc_meta_Merge@Base 2.0.0
  vlc_meta_New@Base 2.0.0
- vlc_meta_Set@Base 2.0.0
+ vlc_meta_Set@Base 2.2.0
  vlc_meta_SetStatus@Base 2.0.0
- vlc_meta_TypeToLocalizedString@Base 2.0.0
+ vlc_meta_TypeToLocalizedString@Base 2.2.0
  vlc_mime_Ext2Mime@Base 2.1.0
  vlc_mkdir@Base 2.0.0
  vlc_mkstemp@Base 2.0.0
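Review bot: a raised minimum version only constrains packages rebuilt against the new library; binaries in jessie already linked against 2.2.0~rc2 will still load 2.2.1's libvlccore.so.8 unchanged, so if the meta data change alters what `vlc_meta_Get`/`vlc_meta_Set` or `vlc_meta_TypeToLocalizedString` return for existing callers, that runtime impact belongs in the changelog as well, and closing #798763/#798899 should be checked against both the rebuilt and the not-rebuilt case.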
diff --git a/debian/patches/codec-schroedinger-fix-potential-buffer-overflow.patch b/debian/patches/codec-schroedinger-fix-potential-buffer-overflow.patch
deleted file mode 100644
index 31502ad..0000000
--- a/debian/patches/codec-schroedinger-fix-potential-buffer-overflow.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: Fabian Yamaguchi <fyamagu@gwdg.de>
-Subject: [PATCH] codec: schroedinger: fix potential buffer overflow.
- The variable len is a raw 32 bit value read using GetDWBE. If this
- value is larger than UINT32_MAX - sizeof(eos), this will cause an
- integer overflow in the subsequent call to malloc, and finally a
- buffer overflow when calling memcpy. We fix this by checking len
- accordingly.
-Origin: upstream, http://git.videolan.org/?p=vlc.git;a=commitdiff;h=9bb0353a5c63a7f8c6fc853faa3df4b4df1f5eb5
-Bug-Debian: https://bugs.debian.org/775866
-Last-Update: 2015-01-21
-
-diff --git a/modules/codec/schroedinger.c b/modules/codec/schroedinger.c
-index f48aa2b..977afca 100644
---- a/modules/codec/schroedinger.c
-+++ b/modules/codec/schroedinger.c
-@@ -1548,6 +1548,10 @@ static block_t *Encode( encoder_t *p_enc, picture_t *p_pic )
-                      * is appended to the sequence header to allow guard
-                      * against poor streaming servers */
-                     /* XXX, should this be done using the packetizer ? */
-+
-+                    if( len > UINT32_MAX - sizeof( eos ) )
-+                        return NULL;
-+
-                     p_enc->fmt_out.p_extra = malloc( len + sizeof( eos ) );
-                     if( !p_enc->fmt_out.p_extra )
-                         return NULL;
--- 
-2.1.4
-
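Review bot: this patch's Origin points at the vlc.git master commit 9bb0353a5c63a7f8c6fc853faa3df4b4df1f5eb5, not the vlc-2.2.git branch the other two removed patches cite, so the header alone does not establish that the fix is in 2.2.1; before dropping it, confirm that the `if( len > UINT32_MAX - sizeof( eos ) )` guard is present in modules/codec/schroedinger.c of the 2.2.1 tarball, e.g. `grep -n 'UINT32_MAX - sizeof' modules/codec/schroedinger.c` on the unpacked source.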
diff --git a/debian/patches/demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch b/debian/patches/demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch
deleted file mode 100644
index 3ae498d..0000000
--- a/debian/patches/demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: Fabian Yamaguchi <fyamagu@gwdg.de>
-Subject: [PATCH] demux: mp4: fix buffer overflow in parsing of string boxes.
- We ensure that pbox->i_size is never smaller than 8 to avoid an
- integer underflow in the third argument of the subsequent call to
- memcpy. We also make sure no truncation occurs when passing values
- derived from the 64 bit integer p_box->i_size to arguments of malloc
- and memcpy that may be 32 bit integers on 32 bit platforms.
-Origin: upstream, http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=914462405f8e90d9b2b1184ff047fdfb1f800b48
-Bug-Debian: https://bugs.debian.org/775866
-Last-Update: 2015-01-21
-
-diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c
-index 19e84d3..3912e7e 100644
---- a/modules/demux/mp4/libmp4.c
-+++ b/modules/demux/mp4/libmp4.c
-@@ -2667,6 +2667,9 @@ static int MP4_ReadBox_name( stream_t *p_stream, MP4_Box_t *p_box )
- {
-     MP4_READBOX_ENTER( MP4_Box_data_name_t );
- 
-+    if( p_box->i_size < 8 || p_box->i_size > SIZE_MAX )
-+        MP4_READBOX_EXIT( 0 );
-+
-     p_box->data.p_name->psz_text = malloc( p_box->i_size + 1 - 8 ); /* +\0, -name, -size */
-     if( p_box->data.p_name->psz_text == NULL )
-         MP4_READBOX_EXIT( 0 );
--- 
-2.1.4
-
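Review bot: when confirming this hunk against 2.2.1's modules/demux/mp4/libmp4.c, check specifically that the `p_box->i_size < 8` lower bound survived, because that is the check preventing the `i_size + 1 - 8` underflow; the `> SIZE_MAX` half is always false on 64-bit targets (i_size is 64-bit per the patch description) and only guards truncation on 32-bit builds, so an upstream version that kept only the truncation check would not be equivalent.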
diff --git a/debian/patches/series b/debian/patches/series
index 83ced6d..2fbbdf3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,4 +1 @@
-codec-schroedinger-fix-potential-buffer-overflow.patch
-demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch
-stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch
 CVE-2015-5949.patch
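Review bot: `CVE-2015-5949.patch` is kept while the three 775866 patches go, but the changelog does not say whether it was checked for inclusion upstream or refreshed against 2.2.1; a patch that no longer applies cleanly, or applies with fuzz at a different location, is the classic way a point-release update silently loses a security fix, so note the result of `quilt push -a` on the new tarball in the changelog.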
diff --git a/debian/patches/stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch b/debian/patches/stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch
deleted file mode 100644
index 9148092..0000000
--- a/debian/patches/stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From: Fabian Yamaguchi <fyamagu@gwdg.de>
-Subject: [PATCH] stream_out: rtp: don't use VLA for user controlled data
- It should fix a possible invalid memory access
- .
- When streaming ogg-files via rtp, an ogg-file can trigger an invalid
- write access using an overly long 'configuration' string.
- .
- The original code attemps to allocate space to hold the string on the stack
- and hence, cannot verify if allocation succeeds. Instead, we now allocate the
- buffer on the heap and return if allocation fails.
- .
- In detail, rtp_packetize_xiph_config allocates a buffer on the stack at (1) where
- the size depends on the local variable 'len'. The variable 'len' is
- calculated at (0) to be the length of a string contained in a specially
- crafted Ogg Vorbis file, and therefore, it is attacker-controlled.
-Origin: upstream, http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=3199c5dd837bc641962e9c1c8d0cd2d7c9b8bb37
-Bug-Debian: https://bugs.debian.org/775866
-Last-Update: 2015-01-21
-
-diff --git a/modules/stream_out/rtpfmt.c b/modules/stream_out/rtpfmt.c
-index baee82a..ff7ea10 100644
---- a/modules/stream_out/rtpfmt.c
-+++ b/modules/stream_out/rtpfmt.c
-@@ -557,7 +557,11 @@ int rtp_packetize_xiph_config( sout_stream_id_sys_t *id, const char *fmtp,
-     char *end = strchr(start, ';');
-     assert(end != NULL);
-     size_t len = end - start;
--    char b64[len + 1];
-+
-+    char *b64 = malloc(len + 1);
-+    if(!b64)
-+        return VLC_EGENERIC;
-+
-     memcpy(b64, start, len);
-     b64[len] = '\0';
- 
-@@ -567,6 +571,7 @@ int rtp_packetize_xiph_config( sout_stream_id_sys_t *id, const char *fmtp,
-     int i_data;
- 
-     i_data = vlc_b64_decode_binary(&p_orig, b64);
-+    free(b64);
-     if (i_data <= 9)
-     {
-         free(p_orig);
--- 
-2.1.4
-
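Review bot: the Origin commit 3199c5dd837bc641962e9c1c8d0cd2d7c9b8bb37 is on vlc-2.2.git, so this one can be verified by checking that `rtp_packetize_xiph_config` in modules/stream_out/rtpfmt.c of 2.2.1 allocates `b64` with `malloc(len + 1)` and frees it after `vlc_b64_decode_binary`; separately, the unchanged context still relies on `assert(end != NULL)` for the `;` terminator, which is compiled out under NDEBUG, so if the fmtp string can come from outside VLC the `end - start` computation is a remaining issue independent of the VLA this patch removed.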
diff --git a/debian/rules b/debian/rules
index 247bfdc..dc9ce6d 100755
--- a/debian/rules
+++ b/debian/rules
@@ -61,7 +61,6 @@ confflags += \
 	--enable-fribidi \
 	--enable-gles1 \
 	--enable-gles2 \
-	--enable-glx \
 	--enable-gnutls \
 	--enable-jack \
 	--enable-kate \
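Review bot: the changelog only says the `--enable-glx` flag was removed; state whether the GLX video output is still built unconditionally in 2.2.1 or is gone altogether, since the latter is a user-visible regression for a stable update and needs a changelog mention (compare the video output plugins shipped by the 2.2.0~rc2-2+deb8u1 and 2.2.1-1~deb8u1 builds).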

Attachment: signature.asc
Description: PGP signature
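The symbols bump in the debdiff above only works because of how dpkg orders versions: `2.2.0~rc2` sorts below `2.2.0`, so a dependency `libvlccore8 (>= 2.2.0)` excludes the current jessie package, and `2.2.1-1~deb8u1` sorts below the `2.2.1-1` that a later upload would carry. As an added example, not part of this thread and not code from the vlc package or from dpkg, the following reimplements the Debian Policy version-comparison algorithm (the rules behind `dpkg --compare-versions`) and applies it to the versions from this bug; the function names are mine, and on a real system `dpkg --compare-versions` remains the authoritative check.

```python
"""Debian version ordering as described in Policy 5.6.12, applied to the
versions in Bug#783355.  Added illustration; not code from vlc or dpkg."""
import re


def _char_order(c: str) -> int:
    """Ordering of one character inside a non-digit run.

    '~' sorts before everything, even the end of the string (represented
    here as ''); letters sort before non-letters; otherwise ASCII order.
    """
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a: str, b: str) -> int:
    for i in range(max(len(a), len(b))):
        ca = a[i] if i < len(a) else ""
        cb = b[i] if i < len(b) else ""
        d = _char_order(ca) - _char_order(cb)
        if d:
            return -1 if d < 0 else 1
    return 0


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream_version or debian_revision fragment.

    Both strings are consumed in alternating non-digit / digit runs:
    non-digit runs compare with _cmp_nondigit, digit runs numerically.
    """
    while a or b:
        na = re.match(r"[^0-9]*", a).group(0)
        nb = re.match(r"[^0-9]*", b).group(0)
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def split_version(v: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as `a` sorts before, equal to, or after `b`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def satisfies(installed: str, minver: str) -> bool:
    """Would `installed` satisfy the 'Depends: libvlccore8 (>= minver)'
    that dpkg-gensymbols derives from an entry like 'vlc_meta_Get@Base 2.2.0'?"""
    return compare_versions(installed, minver) >= 0


if __name__ == "__main__":
    JESSIE_OLD = "2.2.0~rc2-2+deb8u1"   # package currently in jessie
    JESSIE_NEW = "2.2.1-1~deb8u1"       # proposed update from this bug
    LATER = "2.2.1-1"                   # what the ~deb8u1 suffix sorts below
    for inst in (JESSIE_OLD, JESSIE_NEW):
        print(f"{inst:24s} satisfies (>= 2.2.0): {satisfies(inst, '2.2.0')}")
    print("update sorts before 2.2.1-1:", compare_versions(JESSIE_NEW, LATER) < 0)
```

Running it shows the two facts the symbols bump relies on: the old jessie package fails `(>= 2.2.0)` because `~rc2` orders below the bare `2.2.0`, while the update passes; and the `~deb8u1` suffix keeps the stable update below any later `2.2.1-1` upload, so an upgrade path to it remains open.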