Hi, Uploading a 0-day NMU with permission of xtophe, he checked the debdiff.
debdiff attached and also archived on: http://people.debian.org/~nion/nmu-diff/vlc-0.8.6.e-2.1_0.8.6.e-2.2.patch Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u vlc-0.8.6.e/debian/changelog vlc-0.8.6.e/debian/changelog
--- vlc-0.8.6.e/debian/changelog
+++ vlc-0.8.6.e/debian/changelog
@@ -1,3 +1,17 @@
+vlc (0.8.6.e-2.2) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix regression introduced by latest security upload which
+ did not properly define FREENULL (Closes: #478971,#481417,#477734).
+ * Fix untrusted search path vulnerability by not loading libraries
+ from plugins and modules directories in the current working
+ directory (CVE-2008-2147; Closes: #480724).
+ * Fix arbitrary file overwriting via a crafted playlist or an EXTLVLCOPT
+ statement in an mp3 file by partially disabling this functionality
+ for the browser plugin (CVE-2007-6683; Closes: #480370).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Fri, 16 May 2008 16:18:04 +0200
+
 vlc (0.8.6.e-2.1) unstable; urgency=high
 
 * Non-maintainer upload by the Security Team.
diff -u vlc-0.8.6.e/debian/patches/series vlc-0.8.6.e/debian/patches/series
--- vlc-0.8.6.e/debian/patches/series
+++ vlc-0.8.6.e/debian/patches/series
@@ -14,0 +15,2 @@
+405-CVE-2007-6683-plugin.diff
+406-CVE-2008-2147.diff
diff -u vlc-0.8.6.e/debian/patches/404-CVE-2008-1768.diff vlc-0.8.6.e/debian/patches/404-CVE-2008-1768.diff
--- vlc-0.8.6.e/debian/patches/404-CVE-2008-1768.diff
+++ vlc-0.8.6.e/debian/patches/404-CVE-2008-1768.diff
@@ -13,6 +13,15 @@
 diff -Nurad vlc-0.8.6.e.orig/modules/demux/mp4/libmp4.c vlc-0.8.6.e/modules/demux/mp4/libmp4.c
 --- vlc-0.8.6.e.orig/modules/demux/mp4/libmp4.c 2008-04-27 15:53:59.000000000 +0200
 +++ vlc-0.8.6.e/modules/demux/mp4/libmp4.c 2008-04-27 16:16:02.000000000 +0200
+@@ -37,6 +37,8 @@
+ * *look* at the code.
+ *
+ *****************************************************************************/
++#define FREENULL( p ) do { free( p ); p = NULL; } while(0)
++
+ #define MP4_BOX_HEADERSIZE( p_box ) \
+ ( 8 + ( p_box->i_shortsize == 1 ? 8 : 0 ) \
+ + ( p_box->i_type == FOURCC_uuid ? 16 : 0 ) )
 @@ -1641,9 +1641,19 @@
 FREE( p_box->data.p_stdp->i_priority )
 }
only in patch2: unchanged:
--- vlc-0.8.6.e.orig/debian/patches/406-CVE-2008-2147.diff
+++ vlc-0.8.6.e/debian/patches/406-CVE-2008-2147.diff
@@ -0,0 +1,15 @@
+diff -Nurad vlc-0.8.6.e.orig/src/misc/modules.c vlc-0.8.6.e/src/misc/modules.c
+--- vlc-0.8.6.e.orig/src/misc/modules.c 2008-05-16 14:19:36.000000000 +0200
++++ vlc-0.8.6.e/src/misc/modules.c 2008-05-16 16:09:27.000000000 +0200
+@@ -751,9 +751,9 @@
+ {
+ /* Yes, there are two NULLs because we replace one with "plugin-path". */
+ #if defined( WIN32 ) || defined( UNDER_CE )
+- char *path[] = { "modules", "", "plugins", 0, 0 };
++ char *path[] = { 0, 0 };
+ #else
+- char *path[] = { "modules", PLUGIN_PATH, "plugins", 0, 0 };
++ char *path[] = { PLUGIN_PATH, 0, 0 };
+ #endif
+
+ char **ppsz_path = path;
only in patch2: unchanged:
--- vlc-0.8.6.e.orig/debian/patches/405-CVE-2007-6683-plugin.diff
+++ vlc-0.8.6.e/debian/patches/405-CVE-2007-6683-plugin.diff
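Review bot: The `FREENULL` macro added to the nested libmp4.c hunk assigns to its argument unparenthesized and expands it twice, so an argument with side effects would be evaluated twice. `#define FREENULL( p ) do { free( p ); (p) = NULL; } while(0)` fixes the precedence half of that, and a short comment should say the argument must be a plain lvalue. The definition is also unconditional, so if anything included by libmp4.c already defines FREENULL (not visible from this hunk) the build gets a redefinition warning; an `#ifndef FREENULL` guard around it avoids that.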
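Review bot: The retained comment says one of the trailing NULL slots is later replaced with "plugin-path", and that assignment sits outside this hunk, so a relative value supplied there may still be resolved against the current working directory even though the built-in "modules" and "plugins" entries are gone. It is worth confirming that the code after `char **ppsz_path = path;` rejects or absolutizes a relative plugin-path. On the WIN32/UNDER_CE branch `char *path[] = { 0, 0 };` leaves no built-in directory at all, so plugin discovery there presumably depends entirely on that setting. I would also add a comment above the arrays, for example `/* No relative entries: they would be looked up from the CWD (CVE-2008-2147). */`, so the entries are not reintroduced later.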
@@ -0,0 +1,57 @@
+diff -Nurad vlc-0.8.6.e.orig/src/libvlc.c vlc-0.8.6.e/src/libvlc.c
+--- vlc-0.8.6.e.orig/src/libvlc.c 2008-05-16 16:51:10.000000000 +0200
++++ vlc-0.8.6.e/src/libvlc.c 2008-05-16 17:07:42.000000000 +0200
+@@ -1054,6 +1054,7 @@
+ int VLC_VariableSet( int i_object, char const *psz_var, vlc_value_t value )
+ {
+ vlc_t *p_vlc = vlc_current_object( i_object );
++ module_config_t *p_item;
+ int i_ret;
+
+ if( !p_vlc )
+@@ -1064,38 +1065,15 @@
+ /* FIXME: Temporary hack for Mozilla, if variable starts with conf:: then
+ * we handle it as a configuration variable. Don't tell Gildas :) -- sam */
+ if( !strncmp( psz_var, "conf::", 6 ) )
+- {
+- module_config_t *p_item;
+- char const *psz_newvar = psz_var + 6;
+-
+- p_item = config_FindConfig( VLC_OBJECT(p_vlc), psz_newvar );
+-
+- if( p_item )
+- {
+- switch( p_item->i_type )
+- {
+- case CONFIG_ITEM_BOOL:
+- config_PutInt( p_vlc, psz_newvar, value.b_bool );
+- break;
+- case CONFIG_ITEM_INTEGER:
+- config_PutInt( p_vlc, psz_newvar, value.i_int );
+- break;
+- case CONFIG_ITEM_FLOAT:
+- config_PutFloat( p_vlc, psz_newvar, value.f_float );
+- break;
+- default:
+- config_PutPsz( p_vlc, psz_newvar, value.psz_string );
+- break;
+- }
+- if( i_object ) vlc_object_release( p_vlc );
+- return VLC_SUCCESS;
+- }
+- }
++ psz_var += 6;
+
+- i_ret = var_Set( p_vlc, psz_var, value );
++ p_item = config_FindConfig( VLC_OBJECT(p_vlc), psz_var );
++ if( !p_item )
++ return VLC_ENOVAR;
+
+- if( i_object ) vlc_object_release( p_vlc );
+- return i_ret;
++ /* None of the variables are safe in this LibVLC version (we don't have
++ * the infrastructure in the 0.8.* branch. */
++ return VLC_EGENERIC;
+ }
+
+ /*****************************************************************************
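Review bot: Both new exits from VLC_VariableSet (`return VLC_ENOVAR;` and `return VLC_EGENERIC;`) skip the `if( i_object ) vlc_object_release( p_vlc );` that the removed code ran before every return, so the object obtained from `vlc_current_object( i_object )` appears to be leaked on each call with a non-zero i_object. `i_ret` is also left declared but never used. I would write `i_ret = p_item ? VLC_EGENERIC : VLC_ENOVAR;` followed by the original `if( i_object ) vlc_object_release( p_vlc );` and `return i_ret;`. The body of the `if( !p_vlc )` check lies between the two nested hunks and is not visible here.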