Control: tag -1 upstream

On Mon, Feb 3, 2014 at 10:08 AM, Raphael Geissert <geiss...@debian.org> wrote:
> Package: vlc
> Severity: important
> Tags: security
>
> Hi,
>
> vlc uses libtar to unpack skins, however, its use on untrusted data
> exposes it to CVE-2013-4420 (#731860).
>
> Changing the behaviour of libtar appears to be problematic because
> some applications have relied on the, lack of, path sanitation (cf.
> https://lists.feep.net:8080/pipermail/libtar/2013-October/000359.html
> and the follow-ups).
> What appears to be the safe way to handle this issue is making sure
> that libtar is not used on untrusted data without file path validation
> - that would mean that vlc would have to check for every file that is
> about to be extracted that none contains a ../, and something similar
> for symlinks.
>
> Alternatively, vlc could just use tar(1) to unpack the tarballs, or
> drop support for skins or skins in tarballs.
>
> What do you think?
>
> This should probably be forwarded to upstream.
I totally agree. J-B, do you have any opinion on this issue?

Thanks,
Reinhard

--
regards,
Reinhard
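Not part of the thread: an added C example of the per-entry check Raphael describes (it is neither VLC's nor libtar's code). It assumes the caller pulls each header's name, link target and entry type out of whatever tar reader it uses and skips the entry before anything touches the filesystem.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Walk a '/'-separated path that starts `depth` levels below the extraction
 * root, applying "." and "..". Returns the final depth, or -1 if it escapes. */
static int resolve_depth(const char *path, int depth)
{
    if (path[0] == '/')
        return -1;                              /* absolute path */
    for (const char *p = path; *p;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return -1;                      /* "../" above the root */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                            /* ordinary component */
        }
        if (!end)
            break;
        p = end + 1;
    }
    return depth;
}

/* name: entry path from the tar header; target: link target for symlink and
 * hard-link entries, else NULL. Symlinks resolve from the link's directory. */
bool tar_entry_is_safe(const char *name, const char *target, bool hardlink)
{
    int depth = resolve_depth(name, 0);
    if (depth < 0)
        return false;
    if (target == NULL)
        return true;
    if (hardlink)
        return resolve_depth(target, 0) >= 0;   /* relative to the root */
    if (depth < 1)
        return false;                           /* a link at the root itself */
    return resolve_depth(target, depth - 1) >= 0;
}
int main(void)
{
    /* constructed entries, not taken from a real skin archive */
    printf("%d\n", tar_entry_is_safe("skin/theme.xml", NULL, false)); /* 1 */
    printf("%d\n", tar_entry_is_safe("skin/link", "../../x", false)); /* 0 */
    return 0;
}
```

This rejects entries whose own path or link target resolves outside the extraction root; an earlier in-tree symlink could still be followed when a later entry is written, so the extractor must also avoid following symlinks when it creates files.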