Your message dated Thu, 28 Feb 2008 11:02:10 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#467652: fixed in vlc 0.8.6.c-6+lenny1
has caused the Debian Bug report #467652,
regarding vlc: CVE-2008-0984 arbitrary code execution via crafted mp4 file
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
467652: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=467652
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: vlc
Version: 0.8.6.c-6
Severity: grave
Tags: security
Justification: user security hole
"VLC media player's MPEG-4 file format parser (a.k.a. the MP4 demuxer)
suffers from an arbitrary memory overwrite vulnerability when using
specially crafted (invalid) MP4 input files.
If successful, a malicious third party could trigger execution of
arbitrary code within the context of the VLC media player, or otherwise
crash the player instance.
Exploitation of the MP4 demuxer problem requires the user to explicitly
open a specially crafted file."
See also http://www.videolan.org/security/sa0802.html
This also affects Etch.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (100, 'unstable'), (100, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.24.2 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages vlc depends on:
ii libaa1 1.4p5-34 ascii art library
ii libatk1.0-0 1.20.0-1 The ATK accessibility toolkit
ii libc6 2.7-8 GNU C Library: Shared libraries
ii libcaca0 0.99.beta13b-4 colour ASCII art library
ii libcairo2 1.4.14-1 The Cairo 2D vector graphics libra
ii libcdio7 0.78.2+dfsg1-2 library to read and control CD-ROM
ii libcucul0 0.99.beta13b-4 low-level Unicode character drawin
ii libdbus-1-3 1.1.4-1 simple interprocess messaging syst
ii libdbus-glib-1-2 0.74-1 simple interprocess messaging syst
ii libfreetype6 2.3.5-1+b1 FreeType 2 font engine, shared lib
ii libfribidi0 0.10.9-1 Free Implementation of the Unicode
ii libgcc1 1:4.3-20080219-1 GCC support library
ii libgl1-mesa-glx [libgl 7.0.3~rc2-1 A free implementation of the OpenG
ii libglib2.0-0 2.14.6-1 The GLib library of C routines
ii libglu1-mesa [libglu1] 7.0.3~rc2-1 The OpenGL utility library (GLU)
ii libgtk2.0-0 2.12.8-1 The GTK+ graphical user interface
ii libice6 2:1.0.4-1 X11 Inter-Client Exchange library
ii libiso9660-5 0.78.2+dfsg1-2 library to work with ISO9660 files
ii libjpeg62 6b-14 The Independent JPEG Group's JPEG
ii libnotify1 [libnotify1 0.4.4-3 sends desktop notifications to a n
ii libpango1.0-0 1.18.4-1 Layout and rendering of internatio
ii libpng12-0 1.2.15~beta5-3 PNG library - runtime
ii libsdl-image1.2 1.2.6-3 image loading library for Simple D
ii libsdl1.2debian 1.2.13-2 Simple DirectMedia Layer
ii libsm6 2:1.0.3-1+b1 X11 Session Management library
ii libstdc++6 4.3-20080219-1 The GNU Standard C++ Library v3
ii libtar 1.2.11-4 C library for manipulating tar arc
ii libtiff4 3.8.2-7 Tag Image File Format (TIFF) libra
ii libvcdinfo0 0.7.23-4 library to extract information fro
ii libvlc0 0.8.6.c-6 multimedia player and streamer lib
ii libwxbase2.6-0 2.6.3.2.2-2 wxBase library (runtime) - non-GUI
ii libwxgtk2.6-0 2.6.3.2.2-2 wxWidgets Cross-platform C++ GUI t
ii libx11-6 2:1.0.3-7 X11 client-side library
ii libxext6 1:1.0.3-2 X11 miscellaneous extension librar
ii libxinerama1 1:1.0.2-1 X11 Xinerama extension library
ii libxosd2 2.2.14-1.5 X On-Screen Display library - runt
ii libxv1 1:1.0.3-1 X11 Video extension library
ii ttf-dejavu-core 2.23-1 Vera font family derivate with add
ii vlc-nox 0.8.6.c-6 multimedia player and streamer (wi
ii zlib1g 1:1.2.3.3.dfsg-11 compression library - runtime
vlc recommends no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: vlc
Source-Version: 0.8.6.c-6+lenny1
We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:
libvlc0-dev_0.8.6.c-6+lenny1_i386.deb
to pool/main/v/vlc/libvlc0-dev_0.8.6.c-6+lenny1_i386.deb
libvlc0_0.8.6.c-6+lenny1_i386.deb
to pool/main/v/vlc/libvlc0_0.8.6.c-6+lenny1_i386.deb
mozilla-plugin-vlc_0.8.6.c-6+lenny1_i386.deb
to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.c-6+lenny1_i386.deb
vlc-nox_0.8.6.c-6+lenny1_i386.deb
to pool/main/v/vlc/vlc-nox_0.8.6.c-6+lenny1_i386.deb
vlc-plugin-alsa_0.8.6.c-6+lenny1_all.deb
to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.c-6+lenny1_all.deb
vlc-plugin-arts_0.8.6.c-6+lenny1_i386.deb
to pool/main/v/vlc/vlc-plugin-arts_0.8.6.c-6+lenny1_i386.deb
vlc-plugin-esd_0.8.6.c-6+lenny1_i386.deb
to pool/main/v/vlc/vlc-plugin-esd_0.8.6.c-6+lenny1_i386.deb
vlc-plugin-ggi_0.8.6.c-6+lenny1_i386.deb
to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.c-6+lenny1_i386.deb
vlc-plugin-glide_0.8.6.c-6+lenny1_i386.deb
to pool/main/v/vlc/vlc-plugin-glide_0.8.6.c-6+lenny1_i386.deb
vlc-plugin-jack_0.8.6.c-6+lenny1_i386.deb
to pool/main/v/vlc/vlc-plugin-jack_0.8.6.c-6+lenny1_i386.deb
vlc-plugin-sdl_0.8.6.c-6+lenny1_i386.deb
to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.c-6+lenny1_i386.deb
vlc-plugin-svgalib_0.8.6.c-6+lenny1_i386.deb
to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.c-6+lenny1_i386.deb
vlc_0.8.6.c-6+lenny1.diff.gz
to pool/main/v/vlc/vlc_0.8.6.c-6+lenny1.diff.gz
vlc_0.8.6.c-6+lenny1.dsc
to pool/main/v/vlc/vlc_0.8.6.c-6+lenny1.dsc
vlc_0.8.6.c-6+lenny1_i386.deb
to pool/main/v/vlc/vlc_0.8.6.c-6+lenny1_i386.deb
wxvlc_0.8.6.c-6+lenny1_all.deb
to pool/main/v/vlc/wxvlc_0.8.6.c-6+lenny1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated vlc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 27 Feb 2008 16:06:47 +0100
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-alsa
vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts
mozilla-plugin-vlc vlc-plugin-svgalib wxvlc vlc-plugin-jack
Architecture: source all i386
Version: 0.8.6.c-6+lenny1
Distribution: testing-security
Urgency: high
Maintainer: Debian multimedia packages maintainers <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
libvlc0 - multimedia player and streamer library
libvlc0-dev - development files for VLC
mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
vlc - multimedia player and streamer
vlc-nox - multimedia player and streamer (without X support)
vlc-plugin-alsa - dummy transitional package
vlc-plugin-arts - aRts audio output plugin for VLC
vlc-plugin-esd - Esound audio output plugin for VLC
vlc-plugin-ggi - GGI video output plugin for VLC
vlc-plugin-glide - Glide video output plugin for VLC
vlc-plugin-jack - Jack audio plugins for VLC
vlc-plugin-sdl - SDL video and audio output plugin for VLC
vlc-plugin-svgalib - SVGAlib video output plugin for VLC
wxvlc - dummy transitional package
Closes: 467652
Changes:
vlc (0.8.6.c-6+lenny1) testing-security; urgency=high
.
* Non-maintainer upload by security team.
* This update addresses the following security issue:
- CVE-2008-0986: A buffer overflow in the mpeg-4 demuxer
could lead to arbitrary code execution via a crafted
mp4 file (sec-CVE-2008-0984.diff; Closes: #467652).
Files:
8513f783a180c211ebd13248f36d3ad8 2713 graphics optional vlc_0.8.6.c-6+lenny1.dsc
e01b8c433658a618a947b6a4e6a48b91 38090 graphics optional vlc_0.8.6.c-6+lenny1.diff.gz
64297a74fbb648fdb32022468d77b77f 802 graphics optional vlc-plugin-alsa_0.8.6.c-6+lenny1_all.deb
14b56d6b81798bac7f9b9eb85a465143 798 graphics optional wxvlc_0.8.6.c-6+lenny1_all.deb
a5bb48d46164eaf2fe7e2861cd03f04e 1143410 graphics optional vlc_0.8.6.c-6+lenny1_i386.deb
e7f627f8bb19ca8d2b7765ebc0dea03b 4710562 net optional vlc-nox_0.8.6.c-6+lenny1_i386.deb
47fb8215f4deb6a70c65cf3a39a1f79f 467142 libs optional libvlc0_0.8.6.c-6+lenny1_i386.deb
04d74dbff9be4f70a5689a1662399b5d 511126 libdevel optional libvlc0-dev_0.8.6.c-6+lenny1_i386.deb
c077130f787c6cd2cd39611dbe1d7de4 4822 graphics optional vlc-plugin-esd_0.8.6.c-6+lenny1_i386.deb
e99291e359c16c79fb2c133d32592f9a 10880 graphics optional vlc-plugin-sdl_0.8.6.c-6+lenny1_i386.deb
0c557821de817733c193dd96f89c4d33 5932 graphics optional vlc-plugin-ggi_0.8.6.c-6+lenny1_i386.deb
7087d64190189e27e1f5afbdaf8cf850 4196 graphics optional vlc-plugin-glide_0.8.6.c-6+lenny1_i386.deb
6addbc33cbc0376fc25f56c45027a908 4072 graphics optional vlc-plugin-arts_0.8.6.c-6+lenny1_i386.deb
7463cec14bd5bcdb3cdc41635d4b59ed 37774 graphics optional mozilla-plugin-vlc_0.8.6.c-6+lenny1_i386.deb
6cca05181808b8566c6daed6f00416ad 4536 graphics optional vlc-plugin-svgalib_0.8.6.c-6+lenny1_i386.deb
cf78b623c3a0bdd23e6d9d2ce477486d 4796 graphics optional vlc-plugin-jack_0.8.6.c-6+lenny1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHxapGHYflSXNkfP8RAipMAJ9IPSd9h1dlEC4c4JQJmoEJJ8xUewCfXCL7
0WsWpKF9p5b4AmwPsujyq64=
=3iab
-----END PGP SIGNATURE-----
--- End Message ---