On 2016-01-01 21:25:05, Sebastian Ramacher wrote:
> Hi Julien
>
> On 2016-01-01 20:01:46, Julien Cristau wrote:
> > Control: tag -1 confirmed
> >
> > On Sun, Apr 26, 2015 at 13:15:45 +0200, Sebastian Ramacher wrote:
> >
> > > Package: release.debian.org
> > > Severity: normal
> > > Tags: jessie
> > > User: release.debian.org@packages.debian.org
> > > Usertags: pu
> > >
> > > I'd like to update vlc in jessie to the latest bug fix release in the 2.2.X
> > > series: 2.2.1. It includes fixes for potential NULL dereferences, crashes when
> > > playing FLAC and SPC files
> > >
> > > The Debian changelog is:
> > >
> > > vlc (2.2.1-1~deb8u1) jessie; urgency=medium
> > >
> > >   [ Sebastian Ramacher ]
> > >   * New upstream release.
> > >   * debian/patches: Remove patches, no longer needed.
> > >
> > >   [ Benjamin Drung ]
> > >   * drop/rules: Drop removed --enable-glx configure flag.
> > >
> > >  -- Sebastian Ramacher <sramacher@debian.org>  Sat, 25 Apr 2015 23:00:04 +0200
> > >
> > So I have no particular objection to these changes (assuming none of
> > them turned out to be buggy and were reverted in 2.2.2).  I guess
> > #798763 / #798899 also apply here so you'd need a symbols file update.
>
> Yes, the symbols file update needs to be included. Updated diffs against
> 2.2.0~rc2-2+deb8u1 are attached: vlc-debian-only.debdiff including only changes
> in debian/ and vlc.debdiff.xz for the full debdiff. The changelog is now:

Looks like the attachment was too large. The full debdiff is now at
https://people.debian.org/~sramacher/vlc.debdiff.xz.

> vlc (2.2.1-1~deb8u1) jessie; urgency=medium
>
>   [ Sebastian Ramacher ]
>   * New upstream release.
>   * debian/patches: Removed
>     codec-schroedinger-fix-potential-buffer-overflow.patch,
>     demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch, and
>     stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch. They are
>     included upstream.
>   * debian/libvlccore8.symbols: Bump version requirements for meta data
>     change. (Closes: #798763, #798899)
>
>   [ Benjamin Drung ]
>   * drop/rules: Drop removed --enable-glx configure flag.
>
>  -- Sebastian Ramacher <sramacher@debian.org>  Fri, 01 Jan 2016 20:21:31 +0100
>
> > For the next time, please bear in mind that review is faster and easier
> > if changes are small and their importance is explained.  The changelog
> > you provided is fairly sparse, meaning we get to reverse engineer what
> > happened, which does not a happy reviewer make.
>
> I'll keep that in mind and try to be more verbose next time.
>
> Thanks!

Cheers
-- 
Sebastian Ramacher
diff --git a/debian/changelog b/debian/changelog index a084c54..936aa4e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,20 @@ +vlc (2.2.1-1~deb8u1) jessie; urgency=medium + + [ Sebastian Ramacher ] + * New upstream release. + * debian/patches: Removed + codec-schroedinger-fix-potential-buffer-overflow.patch, + demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch, and + stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch. They are + included upstream. + * debian/libvlccore8.symbols: Bump version requirements for meta data + change. (Closes: #798763, #798899) + + [ Benjamin Drung ] + * drop/rules: Drop removed --enable-glx configure flag. + + -- Sebastian Ramacher <sramacher@debian.org> Fri, 01 Jan 2016 20:21:31 +0100 + vlc (2.2.0~rc2-2+deb8u1) jessie-security; urgency=high * Non-maintainer upload by the Security Team. diff --git a/debian/libvlccore8.symbols b/debian/libvlccore8.symbols index 76f4e03..4e41834 100644 --- a/debian/libvlccore8.symbols +++ b/debian/libvlccore8.symbols @@ -206,7 +206,7 @@ libvlccore.so.8 libvlccore8 #MINVER# input_item_DelInfo@Base 2.0.0 input_item_GetDuration@Base 2.0.0 input_item_GetInfo@Base 2.0.0 - input_item_GetMeta@Base 2.0.0 + input_item_GetMeta@Base 2.2.0 input_item_GetName@Base 2.0.0 input_item_GetTitleFbName@Base 2.0.0 input_item_GetURI@Base 2.0.0 @@ -215,14 +215,14 @@ libvlccore.so.8 libvlccore8 #MINVER# input_item_IsArtFetched@Base 2.0.0 input_item_IsPreparsed@Base 2.0.0 input_item_MergeInfos@Base 2.0.0 - input_item_MetaMatch@Base 2.0.0 + input_item_MetaMatch@Base 2.2.0 input_item_NewExt@Base 2.0.0 input_item_NewWithType@Base 2.0.0 input_item_PostSubItem@Base 2.0.0 input_item_Release@Base 2.1.0 input_item_ReplaceInfos@Base 2.0.0 input_item_SetDuration@Base 2.0.0 - input_item_SetMeta@Base 2.0.0 + input_item_SetMeta@Base 2.2.0 input_item_SetName@Base 2.0.0 input_item_SetURI@Base 2.0.0 input_item_WriteMeta@Base 2.0.0 
@@ -532,15 +532,15 @@ libvlccore.so.8 libvlccore8 #MINVER# vlc_meta_AddExtra@Base 2.0.0 vlc_meta_CopyExtraNames@Base 2.0.0 vlc_meta_Delete@Base 2.0.0 - vlc_meta_Get@Base 2.0.0 + vlc_meta_Get@Base 2.2.0 vlc_meta_GetExtra@Base 2.0.0 vlc_meta_GetExtraCount@Base 2.0.0 vlc_meta_GetStatus@Base 2.0.0 vlc_meta_Merge@Base 2.0.0 vlc_meta_New@Base 2.0.0 - vlc_meta_Set@Base 2.0.0 + vlc_meta_Set@Base 2.2.0 vlc_meta_SetStatus@Base 2.0.0 - vlc_meta_TypeToLocalizedString@Base 2.0.0 + vlc_meta_TypeToLocalizedString@Base 2.2.0 vlc_mime_Ext2Mime@Base 2.1.0 vlc_mkdir@Base 2.0.0 vlc_mkstemp@Base 2.0.0 diff --git a/debian/patches/codec-schroedinger-fix-potential-buffer-overflow.patch b/debian/patches/codec-schroedinger-fix-potential-buffer-overflow.patch deleted file mode 100644 index 31502ad..0000000 --- a/debian/patches/codec-schroedinger-fix-potential-buffer-overflow.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From: Fabian Yamaguchi <fyamagu@gwdg.de> -Subject: [PATCH] codec: schroedinger: fix potential buffer overflow. - The variable len is a raw 32 bit value read using GetDWBE. If this - value is larger than UINT32_MAX - sizeof(eos), this will cause an - integer overflow in the subsequent call to malloc, and finally a - buffer overflow when calling memcpy. We fix this by checking len - accordingly. -Origin: upstream, http://git.videolan.org/?p=vlc.git;a=commitdiff;h=9bb0353a5c63a7f8c6fc853faa3df4b4df1f5eb5 -Bug-Debian: https://bugs.debian.org/775866 -Last-Update: 2015-01-21 - -diff --git a/modules/codec/schroedinger.c b/modules/codec/schroedinger.c -index f48aa2b..977afca 100644 ---- a/modules/codec/schroedinger.c -+++ b/modules/codec/schroedinger.c -@@ -1548,6 +1548,10 @@ static block_t *Encode( encoder_t *p_enc, picture_t *p_pic ) - * is appended to the sequence header to allow guard - * against poor streaming servers */ - /* XXX, should this be done using the packetizer ? */ -+ -+ if( len > UINT32_MAX - sizeof( eos ) ) -+ return NULL; -+ - p_enc->fmt_out.p_extra = malloc( len + sizeof( eos ) ); - if( !p_enc->fmt_out.p_extra ) - return NULL; --- -2.1.4 - diff --git a/debian/patches/demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch b/debian/patches/demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch deleted file mode 100644 index 3ae498d..0000000 --- a/debian/patches/demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From: Fabian Yamaguchi <fyamagu@gwdg.de> -Subject: [PATCH] demux: mp4: fix buffer overflow in parsing of string boxes. - We ensure that pbox->i_size is never smaller than 8 to avoid an - integer underflow in the third argument of the subsequent call to - memcpy. We also make sure no truncation occurs when passing values - derived from the 64 bit integer p_box->i_size to arguments of malloc - and memcpy that may be 32 bit integers on 32 bit platforms. -Origin: upstream, http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=914462405f8e90d9b2b1184ff047fdfb1f800b48 -Bug-Debian: https://bugs.debian.org/775866 -Last-Update: 2015-01-21 - -diff --git a/modules/demux/mp4/libmp4.c b/modules/demux/mp4/libmp4.c -index 19e84d3..3912e7e 100644 ---- a/modules/demux/mp4/libmp4.c -+++ b/modules/demux/mp4/libmp4.c -@@ -2667,6 +2667,9 @@ static int MP4_ReadBox_name( stream_t *p_stream, MP4_Box_t *p_box ) - { - MP4_READBOX_ENTER( MP4_Box_data_name_t ); - -+ if( p_box->i_size < 8 || p_box->i_size > SIZE_MAX ) -+ MP4_READBOX_EXIT( 0 ); -+ - p_box->data.p_name->psz_text = malloc( p_box->i_size + 1 - 8 ); /* +\0, -name, -size */ - if( p_box->data.p_name->psz_text == NULL ) - MP4_READBOX_EXIT( 0 ); --- -2.1.4 - diff --git a/debian/patches/series b/debian/patches/series index 83ced6d..2fbbdf3 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,4 +1 @@ -codec-schroedinger-fix-potential-buffer-overflow.patch -demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch -stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch CVE-2015-5949.patch diff --git a/debian/patches/stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch b/debian/patches/stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch deleted file mode 100644 index 9148092..0000000 --- a/debian/patches/stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From: Fabian Yamaguchi <fyamagu@gwdg.de> -Subject: [PATCH] stream_out: rtp: don't use VLA for user controlled data - It should fix a possible invalid memory access - . - When streaming ogg-files via rtp, an ogg-file can trigger an invalid - write access using an overly long 'configuration' string. - . - The original code attemps to allocate space to hold the string on the stack - and hence, cannot verify if allocation succeeds. Instead, we now allocate the - buffer on the heap and return if allocation fails. - . - In detail, rtp_packetize_xiph_config allocates a buffer on the stack at (1) where - the size depends on the local variable 'len'. The variable 'len' is - calculated at (0) to be the length of a string contained in a specially - crafted Ogg Vorbis file, and therefore, it is attacker-controlled. -Origin: upstream, http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=3199c5dd837bc641962e9c1c8d0cd2d7c9b8bb37 -Bug-Debian: https://bugs.debian.org/775866 -Last-Update: 2015-01-21 - -diff --git a/modules/stream_out/rtpfmt.c b/modules/stream_out/rtpfmt.c -index baee82a..ff7ea10 100644 ---- a/modules/stream_out/rtpfmt.c -+++ b/modules/stream_out/rtpfmt.c -@@ -557,7 +557,11 @@ int rtp_packetize_xiph_config( sout_stream_id_sys_t *id, const char *fmtp, - char *end = strchr(start, ';'); - assert(end != NULL); - size_t len = end - start; -- char b64[len + 1]; -+ -+ char *b64 = malloc(len + 1); -+ if(!b64) -+ return VLC_EGENERIC; -+ - memcpy(b64, start, len); - b64[len] = '\0'; - -@@ -567,6 +571,7 @@ int rtp_packetize_xiph_config( sout_stream_id_sys_t *id, const char *fmtp, - int i_data; - - i_data = vlc_b64_decode_binary(&p_orig, b64); -+ free(b64); - if (i_data <= 9) - { - free(p_orig); --- -2.1.4 - diff --git a/debian/rules b/debian/rules index 247bfdc..dc9ce6d 100755 --- a/debian/rules +++ b/debian/rules 
@@ -61,7 +61,6 @@ confflags += \ --enable-fribidi \ --enable-gles1 \ --enable-gles2 \ - --enable-glx \ --enable-gnutls \ --enable-jack \ --enable-kate \
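Review bot: in the debian/changelog hunk, the entry "drop/rules: Drop removed --enable-glx configure flag." names a path that does not exist in this debdiff; the only rules change is the hunk against debian/rules, so the entry should read `debian/rules`. The entry for the three removed patches would also be far easier to verify if it cited the upstream commit ids that the deleted patch files already carry in their Origin: fields, since "They are included upstream" on its own gives a stable-release reviewer nothing concrete to check against the 2.2.1 tarball.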
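Review bot: the three debian/libvlccore8.symbols hunks raise the minimum version of input_item_GetMeta, input_item_MetaMatch, input_item_SetMeta, vlc_meta_Get, vlc_meta_Set and vlc_meta_TypeToLocalizedString from 2.0.0 to 2.2.0, but neither the hunks nor the changelog line "Bump version requirements for meta data change" say what changed in those functions. One sentence naming the behavioural or ABI change behind #798763 / #798899 would let a reviewer confirm that 2.2.0 is the right lower bound and that reverse dependencies built against 2.2.0~rc2-2+deb8u1 are the ones this is meant to catch.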
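Review bot: the deleted codec-schroedinger-fix-potential-buffer-overflow.patch has an Origin: pointing at the master repository (vlc.git, commit 9bb0353a5c63a7f8c6fc853faa3df4b4df1f5eb5), unlike the other two deleted patches, whose Origin: fields reference the vlc-2.2.git branch. A fix landing on master does not by itself mean it was backported to the 2.2 branch, so before dropping this patch it is worth stating explicitly that the `if( len > UINT32_MAX - sizeof( eos ) )` check in Encode() is present in the 2.2.1 source; the changelog currently asserts inclusion without saying how it was verified.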
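Review bot: the debian/patches/series hunk drops the three patches but keeps CVE-2015-5949.patch, which was written against 2.2.0~rc2, and the debdiff contains no refresh of that file. Please confirm it still applies to the 2.2.1 source without fuzz, and mention in the changelog that it is retained: the removed patches are listed, but the one security patch that survives the upstream bump is not, which is exactly the kind of gap the reviewer asked to avoid.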