Hi, according to the 0-day NMU policy and after talking with Sam on IRC, I will upload an NMU for vlc.
Patch is attached and also archived on: http://people.debian.org/~nion/nmu-diff/vlc-0.8.6.c-4_0.8.6.c-4.1.patch Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u vlc-0.8.6.c/debian/patches/series vlc-0.8.6.c/debian/patches/series
--- vlc-0.8.6.c/debian/patches/series
+++ vlc-0.8.6.c/debian/patches/series
@@ -9,0 +10,4 @@
+sec-httpd_formatstring.diff
+sec-vlcopt_support.diff
+sec-rtsp_remote_dos.diff
+sec-subtitle_buffer_overflow.diff
diff -u vlc-0.8.6.c/debian/changelog vlc-0.8.6.c/debian/changelog
--- vlc-0.8.6.c/debian/changelog
+++ vlc-0.8.6.c/debian/changelog
@@ -1,3 +1,21 @@
+vlc (0.8.6.c-4.1) unstable; urgency=high
+
+ * Non-maintainer upload by security team.
+ * This update addresses the following security issues
+ (CVE ids pending; Closes: #458318):
+ - Fix format string issue in internal webserver that could lead to
+ to arbitrary code execution (sec-httpd_formatstring.diff).
+ - Disable m3u EXTVLCOPT parsing if no command line option is specified
+ (--m3u-extvlcopt) to prevent browser plugins to control stream output
+ and thus overwriting arbitrary files of the user running vlc
+ (sec-vlcopt_support.diff).
+ - Fix stack-based buffer overflow in subtitle parsing
+ (sec-subtitle_buffer_overflow.diff).
+ - Fix NULL pointer dereference in the rtsp/rtp module by checking return
+ of the httpd_MsgGet function (sec-rtsp_remote_dos.diff).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Fri, 11 Jan 2008 15:05:10 +0100
+
 vlc (0.8.6.c-4) unstable; urgency=high
 
 [ Loic Minier ]
only in patch2: unchanged:
--- vlc-0.8.6.c.orig/debian/patches/sec-vlcopt_support.diff
+++ vlc-0.8.6.c/debian/patches/sec-vlcopt_support.diff
@@ -0,0 +1,73 @@
+diff -Nurad vlc-0.8.6.c.orig/modules/demux/playlist/m3u.c vlc-0.8.6.c/modules/demux/playlist/m3u.c
+--- vlc-0.8.6.c.orig/modules/demux/playlist/m3u.c 2008-01-11 14:30:15.000000000 +0100
++++ vlc-0.8.6.c/modules/demux/playlist/m3u.c 2008-01-11 14:49:35.000000000 +0100
+@@ -137,6 +137,8 @@
+ mtime_t i_duration = -1;
+ char **ppsz_options = NULL;
+ int i_options = 0, i;
++ vlc_bool_t b_enable_extvlcopt = config_GetInt( p_demux, "m3u-extvlcopt" );
++
+
+ playlist_item_t *p_item, *p_current;
+
+@@ -188,20 +190,28 @@
+ psz_name = strdup( psz_name );
+ if ( psz_artist )
+ psz_artist = strdup( psz_artist );
+- }
+ else if( !strncasecmp( psz_parse, "EXTVLCOPT:",
+ sizeof("EXTVLCOPT:") -1 ) )
+ {
+- /* VLC Option */
+- char *psz_option;
+- psz_parse += sizeof("EXTVLCOPT:") -1;
+- if( !*psz_parse ) goto error;
++ if( b_enable_extvlcopt )
++ {
++ /* VLC Option */
++ char *psz_option;
++ psz_parse += sizeof("EXTVLCOPT:") -1;
++ if( !*psz_parse ) goto error;
+
+- psz_option = MaybeFromLocaleDup( psz_parse );
+- if( psz_option )
+- INSERT_ELEM( ppsz_options, i_options, i_options,
+- psz_option );
++ psz_option = MaybeFromLocaleDup( psz_parse );
++ if( psz_option )
++ INSERT_ELEM( ppsz_options, i_options, i_options,
++ psz_option );
++ }
++ else
++ {
++ msg_Err( p_demux, "m3u EXTVLCOPT parsing is disabled for security reasons. If you need it and trust the m3u playlist you are trying to open, please append --m3u-extvlcopt to your command line." );
++ }
++ }
+ }
++
+ }
+ else if( *psz_parse )
+ {
+--- vlc-0.8.6.c.orig/modules/demux/playlist/playlist.c 2008-01-11 14:30:14.000000000 +0100
++++ vlc-0.8.6.c/modules/demux/playlist/playlist.c 2008-01-11 14:49:35.000000000 +0100
+@@ -42,6 +42,11 @@
+ #define SHOW_ADULT_LONGTEXT N_( "Show NC17 rated video streams when " \
+ "using shoutcast video playlists." )
+
++#define EXTVLCOPT_TEXT N_( "Enable parsing of EXTVLCOPT: options" )
++#define EXTVLCOPT_LONGTEXT N_( "Enable parsing of EXTVLCOPT: options in m3u " \
++ "playlists. This option is default disabled to prevent untrusted sources " \
++ "using VLC options without the user's knowledge." )
++
+ vlc_module_begin();
+ add_shortcut( "playlist" );
+ set_category( CAT_INPUT );
+@@ -67,6 +72,8 @@
+ set_description( _("M3U playlist import") );
+ add_shortcut( "m3u-open" );
+ set_capability( "demux2", 10 );
++ add_bool( "m3u-extvlcopt", VLC_FALSE, NULL,
++ EXTVLCOPT_TEXT, EXTVLCOPT_LONGTEXT, VLC_FALSE );
+ set_callbacks( E_(Import_M3U), E_(Close_M3U) );
+ add_submodule();
+ set_description( _("PLS playlist import") );
only in patch2: unchanged:
--- vlc-0.8.6.c.orig/debian/patches/sec-subtitle_buffer_overflow.diff
+++ vlc-0.8.6.c/debian/patches/sec-subtitle_buffer_overflow.diff
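Review bot: EXTVLCOPT_LONGTEXT in the playlist.c hunk does not say that `m3u-extvlcopt` is a process-wide switch: `add_bool` registers a single global boolean, so once a user appends it to the command line, as the msg_Err text in the m3u.c hunk tells them to, every m3u opened by that VLC instance, including playlists handed over by the browser plugin the changelog entry is guarding against, gets EXTVLCOPT parsing again, not only the one playlist they trust. I would extend the long text with a sentence such as `"This is a global setting: it re-enables EXTVLCOPT for every playlist opened by this VLC instance, not only for the one you trust."` and say the same in the error message. Separately, the msg_Err in the m3u.c hunk fires once per EXTVLCOPT line, so a playlist carrying many options floods the log; a local `vlc_bool_t b_warned = VLC_FALSE;` declared next to `b_enable_extvlcopt` and set after the first message would keep it to one line per playlist. The enclosing parse function, its signature and the line loop, lie outside the hunk.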
@@ -0,0 +1,43 @@
+diff -Nurad vlc-0.8.6.c.orig/modules/demux/subtitle.c vlc-0.8.6.c/modules/demux/subtitle.c
+--- vlc-0.8.6.c.orig/modules/demux/subtitle.c 2008-01-03 20:18:51.000000000 +0100
++++ vlc-0.8.6.c/modules/demux/subtitle.c 2008-01-03 21:01:29.000000000 +0100
+@@ -723,8 +723,8 @@
+ i_stop = 0;
+
+ memset( buffer_text, '\0', MAX_LINE );
+- if( sscanf( s, "{%d}{}%[^\r\n]", &i_start, buffer_text ) == 2 ||
+- sscanf( s, "{%d}{%d}%[^\r\n]", &i_start, &i_stop, buffer_text ) == 3)
++ if( sscanf( s, "{%d}{}%8192[^\r\n]", &i_start, buffer_text ) == 2 ||
++ sscanf( s, "{%d}{%d}%8192[^\r\n]", &i_start, &i_stop, buffer_text ) == 3)
+ {
+ break;
+ }
+@@ -949,8 +949,8 @@
+ demux_sys_t *p_sys = p_demux->p_sys;
+ text_t *txt = &p_sys->txt;
+
+- char buffer_text[ 10 * MAX_LINE];
+- char buffer_text2[ 10 * MAX_LINE];
++ char buffer_text[ 10 * MAX_LINE + 1];
++ char buffer_text2[ 10 * MAX_LINE + 1];
+ char *s;
+ int64_t i_start;
+ int64_t i_stop;
+@@ -981,7 +981,7 @@
+ * Dialogue: Layer#,0:02:40.65,0:02:41.79,Wolf main,Cher,0000,0000,0000,,Et les enregistrements de ses ondes delta ?
+ */
+ if( sscanf( s,
+- "Dialogue: %[^,],%d:%d:%d.%d,%d:%d:%d.%d,%[^\r\n]",
++ "Dialogue: %[^,],%d:%d:%d.%d,%d:%d:%d.%d,%81920[^\r\n]",
+ buffer_text2,
+ &h1, &m1, &s1, &c1,
+ &h2, &m2, &s2, &c2,
+@@ -1075,7 +1075,7 @@
+ i_start = 0;
+
+ memset( buffer_text, '\0', MAX_LINE );
+- if( sscanf( p, "%d:%d:%d%[ :]%[^\r\n]", &h, &m, &s, &c, buffer_text ) == 5 )
++ if( sscanf( p, "%d:%d:%d%[ :]%81920[^\r\n]", &h, &m, &s, &c, buffer_text ) == 5 )
+ {
+ i_start = ( (int64_t)h * 3600*1000 +
+ (int64_t)m * 60*1000 +
only in patch2: unchanged:
--- vlc-0.8.6.c.orig/debian/patches/sec-httpd_formatstring.diff
+++ vlc-0.8.6.c/debian/patches/sec-httpd_formatstring.diff
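Review bot: The `%81920[^\r\n]` width added in the -1075 hunk and the `%8192[^\r\n]` widths in the -723 hunk do not appear to match the buffers they write into: both hunks keep `memset( buffer_text, '\0', MAX_LINE )`, which suggests buffer_text is MAX_LINE bytes in those two functions, while only the -949 hunk's buffers are enlarged to `10 * MAX_LINE + 1`. A `%8192` conversion stores up to 8192 characters plus the terminating NUL, so if MAX_LINE is 8192 (the literals chosen imply the author assumes so) an unchanged MAX_LINE buffer is still overrun by one byte, and `%81920` into such a buffer is far wider than the overflow this patch is meant to close. The declarations are outside the hunks, so please check them; if they are MAX_LINE, change the -1075 width to `%8192[^\r\n]` and enlarge both declarations to `char buffer_text[MAX_LINE + 1];`. Hard-coding the width as a literal also silently desyncs from MAX_LINE if the macro ever changes; a stringified width (`#define STR_(x) #x`, `#define STR(x) STR_(x)`, then `"%" STR(MAX_LINE) "[^\r\n]"`) keeps buffer size and scan width tied together.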
@@ -0,0 +1,12 @@
+diff -Nurad vlc-0.8.6.c.orig/src/network/httpd.c vlc-0.8.6.c/src/network/httpd.c
+--- vlc-0.8.6.c.orig/src/network/httpd.c 2008-01-03 20:18:35.000000000 +0100
++++ vlc-0.8.6.c/src/network/httpd.c 2008-01-03 20:21:06.000000000 +0100
+@@ -414,7 +414,7 @@
+ psz_connection = httpd_MsgGet( &cl->query, "Connection" );
+ if( psz_connection != NULL )
+ {
+- httpd_MsgAdd( answer, "Connection", psz_connection );
++ httpd_MsgAdd( answer, "Connection", "%s", psz_connection );
+ }
+
+ httpd_MsgAdd( answer, "Content-Length", "%d", answer->i_body );
only in patch2: unchanged:
--- vlc-0.8.6.c.orig/debian/patches/sec-rtsp_remote_dos.diff
+++ vlc-0.8.6.c/debian/patches/sec-rtsp_remote_dos.diff
@@ -0,0 +1,32 @@
+diff -Nurad vlc-0.8.6.c.orig/modules/misc/rtsp.c vlc-0.8.6.c/modules/misc/rtsp.c
+--- vlc-0.8.6.c.orig/modules/misc/rtsp.c 2008-01-03 20:18:46.000000000 +0100
++++ vlc-0.8.6.c/modules/misc/rtsp.c 2008-01-03 20:34:21.000000000 +0100
+@@ -678,6 +678,12 @@
+ {
+ psz_playnow = httpd_MsgGet( query, "x-playNow" );
+ psz_transport = httpd_MsgGet( query, "Transport" );
++ if( psz_transport == NULL )
++ {
++ answer->i_status = 400;
++ answer->psz_status = strdup( "Bad request" );
++ break;
++ }
+ msg_Dbg( p_vod, "HTTPD_MSG_SETUP: transport=%s", psz_transport );
+
+ if( strstr( psz_transport, "unicast" ) &&
+diff -Nurad vlc-0.8.6.c.orig/modules/stream_out/rtp.c vlc-0.8.6.c/modules/stream_out/rtp.c
+--- vlc-0.8.6.c.orig/modules/stream_out/rtp.c 2008-01-03 20:18:50.000000000 +0100
++++ vlc-0.8.6.c/modules/stream_out/rtp.c 2008-01-03 21:10:18.000000000 +0100
+@@ -1855,6 +1855,12 @@
+ case HTTPD_MSG_SETUP:
+ {
+ char *psz_transport = httpd_MsgGet( query, "Transport" );
++ if( psz_transport == NULL )
++ {
++ answer->i_status = 400;
++ answer->psz_status = strdup( "Bad request" );
++ break;
++ }
+
+ //fprintf( stderr, "HTTPD_MSG_SETUP: transport=%s\n", psz_transport );
+
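Review bot: The one-line fix in the httpd.c hunk is right for this call, but nothing in the patch prevents the same pattern, a client-supplied header value passed where `httpd_MsgAdd` expects a format string, from surviving at another call site or creeping back in later. Since the prototype of `httpd_MsgAdd` is outside the hunk, I would add a printf-style format attribute to it (e.g. `__attribute__ ((format (printf, 3, 4)))` under the project's usual compiler guard, with the indices adjusted if the format is not the third parameter) so that `-Wformat -Wformat-security` reports every remaining non-literal format argument at build time. A short comment at the fixed line, `/* header value is client-controlled: never pass it as the format */`, would explain why the "%s" must stay.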