Your message dated Thu, 28 Feb 2008 16:02:12 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#467652: fixed in vlc 0.8.6.e-1
has caused the Debian Bug report #467652,
regarding vlc: CVE-2008-0984 arbitrary code execution via crafted mp4 file
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
467652: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=467652
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: vlc
Version: 0.8.6.c-6
Severity: grave
Tags: security
Justification: user security hole
"VLC media player's MPEG-4 file format parser (a.k.a. the MP4 demuxer)
suffers from an arbitrary memory overwrite vulnerability when using
specially crafted (invalid) MP4 input files.
If successful, a malicious third party could trigger execution of
arbitrary code within the context of the VLC media player, or otherwise
crash the player instance.
Exploitation of the MP4 demuxer problem requires the user to explicitly
open a specially crafted file."
See also http://www.videolan.org/security/sa0802.html
This also affects Etch.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (100, 'unstable'), (100, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.24.2 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages vlc depends on:
ii libaa1 1.4p5-34 ascii art library
ii libatk1.0-0 1.20.0-1 The ATK accessibility toolkit
ii libc6 2.7-8 GNU C Library: Shared libraries
ii libcaca0 0.99.beta13b-4 colour ASCII art library
ii libcairo2 1.4.14-1 The Cairo 2D vector graphics libra
ii libcdio7 0.78.2+dfsg1-2 library to read and control CD-ROM
ii libcucul0 0.99.beta13b-4 low-level Unicode character drawin
ii libdbus-1-3 1.1.4-1 simple interprocess messaging syst
ii libdbus-glib-1-2 0.74-1 simple interprocess messaging syst
ii libfreetype6 2.3.5-1+b1 FreeType 2 font engine, shared lib
ii libfribidi0 0.10.9-1 Free Implementation of the Unicode
ii libgcc1 1:4.3-20080219-1 GCC support library
ii libgl1-mesa-glx [libgl 7.0.3~rc2-1 A free implementation of the OpenG
ii libglib2.0-0 2.14.6-1 The GLib library of C routines
ii libglu1-mesa [libglu1] 7.0.3~rc2-1 The OpenGL utility library (GLU)
ii libgtk2.0-0 2.12.8-1 The GTK+ graphical user interface
ii libice6 2:1.0.4-1 X11 Inter-Client Exchange library
ii libiso9660-5 0.78.2+dfsg1-2 library to work with ISO9660 files
ii libjpeg62 6b-14 The Independent JPEG Group's JPEG
ii libnotify1 [libnotify1 0.4.4-3 sends desktop notifications to a n
ii libpango1.0-0 1.18.4-1 Layout and rendering of internatio
ii libpng12-0 1.2.15~beta5-3 PNG library - runtime
ii libsdl-image1.2 1.2.6-3 image loading library for Simple D
ii libsdl1.2debian 1.2.13-2 Simple DirectMedia Layer
ii libsm6 2:1.0.3-1+b1 X11 Session Management library
ii libstdc++6 4.3-20080219-1 The GNU Standard C++ Library v3
ii libtar 1.2.11-4 C library for manipulating tar arc
ii libtiff4 3.8.2-7 Tag Image File Format (TIFF) libra
ii libvcdinfo0 0.7.23-4 library to extract information fro
ii libvlc0 0.8.6.c-6 multimedia player and streamer lib
ii libwxbase2.6-0 2.6.3.2.2-2 wxBase library (runtime) - non-GUI
ii libwxgtk2.6-0 2.6.3.2.2-2 wxWidgets Cross-platform C++ GUI t
ii libx11-6 2:1.0.3-7 X11 client-side library
ii libxext6 1:1.0.3-2 X11 miscellaneous extension librar
ii libxinerama1 1:1.0.2-1 X11 Xinerama extension library
ii libxosd2 2.2.14-1.5 X On-Screen Display library - runt
ii libxv1 1:1.0.3-1 X11 Video extension library
ii ttf-dejavu-core 2.23-1 Vera font family derivate with add
ii vlc-nox 0.8.6.c-6 multimedia player and streamer (wi
ii zlib1g 1:1.2.3.3.dfsg-11 compression library - runtime
vlc recommends no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: vlc
Source-Version: 0.8.6.e-1
We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:
libvlc0-dev_0.8.6.e-1_i386.deb
to pool/main/v/vlc/libvlc0-dev_0.8.6.e-1_i386.deb
libvlc0_0.8.6.e-1_i386.deb
to pool/main/v/vlc/libvlc0_0.8.6.e-1_i386.deb
mozilla-plugin-vlc_0.8.6.e-1_i386.deb
to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.e-1_i386.deb
vlc-nox_0.8.6.e-1_i386.deb
to pool/main/v/vlc/vlc-nox_0.8.6.e-1_i386.deb
vlc-plugin-alsa_0.8.6.e-1_all.deb
to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.e-1_all.deb
vlc-plugin-arts_0.8.6.e-1_i386.deb
to pool/main/v/vlc/vlc-plugin-arts_0.8.6.e-1_i386.deb
vlc-plugin-esd_0.8.6.e-1_i386.deb
to pool/main/v/vlc/vlc-plugin-esd_0.8.6.e-1_i386.deb
vlc-plugin-ggi_0.8.6.e-1_i386.deb
to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.e-1_i386.deb
vlc-plugin-glide_0.8.6.e-1_i386.deb
to pool/main/v/vlc/vlc-plugin-glide_0.8.6.e-1_i386.deb
vlc-plugin-jack_0.8.6.e-1_i386.deb
to pool/main/v/vlc/vlc-plugin-jack_0.8.6.e-1_i386.deb
vlc-plugin-sdl_0.8.6.e-1_i386.deb
to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.e-1_i386.deb
vlc-plugin-svgalib_0.8.6.e-1_i386.deb
to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.e-1_i386.deb
vlc_0.8.6.e-1.diff.gz
to pool/main/v/vlc/vlc_0.8.6.e-1.diff.gz
vlc_0.8.6.e-1.dsc
to pool/main/v/vlc/vlc_0.8.6.e-1.dsc
vlc_0.8.6.e-1_i386.deb
to pool/main/v/vlc/vlc_0.8.6.e-1_i386.deb
vlc_0.8.6.e.orig.tar.gz
to pool/main/v/vlc/vlc_0.8.6.e.orig.tar.gz
wxvlc_0.8.6.e-1_all.deb
to pool/main/v/vlc/wxvlc_0.8.6.e-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christophe Mutricy <[EMAIL PROTECTED]> (supplier of updated vlc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 25 Feb 2008 23:35:24 +0000
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-alsa
vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts
mozilla-plugin-vlc vlc-plugin-svgalib wxvlc vlc-plugin-jack
Architecture: source all i386
Version: 0.8.6.e-1
Distribution: unstable
Urgency: high
Maintainer: Debian multimedia packages maintainers <[EMAIL PROTECTED]>
Changed-By: Christophe Mutricy <[EMAIL PROTECTED]>
Description:
libvlc0 - multimedia player and streamer library
libvlc0-dev - development files for VLC
mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
vlc - multimedia player and streamer
vlc-nox - multimedia player and streamer (without X support)
vlc-plugin-alsa - dummy transitional package
vlc-plugin-arts - aRts audio output plugin for VLC
vlc-plugin-esd - Esound audio output plugin for VLC
vlc-plugin-ggi - GGI video output plugin for VLC
vlc-plugin-glide - Glide video output plugin for VLC
vlc-plugin-jack - Jack audio plugins for VLC
vlc-plugin-sdl - SDL video and audio output plugin for VLC
vlc-plugin-svgalib - SVGAlib video output plugin for VLC
wxvlc - dummy transitional package
Closes: 404361 467652
Changes:
vlc (0.8.6.e-1) unstable; urgency=high
.
[ Christophe Mutricy ]
* New security upstream release
- CORE-2008-0130, VideoLAN-SA-0802, CVE-2008-0986: Arbitrary memory
overwrite in the MP4 demuxer (Closes: #467652)
- Others security fixes already included in the Debian package
- Xshm detection fix (Closes: #404361)
- Alsa 5.1 fixes
- DTS to S/PDIF fixes
* patches/
- delete the uneeded sec-* patches
- delete 100_no_wx_update.diff as the update "feature" has been removed
upstream
.
[ Loic Minier ]
* Urgency high for security bugfix.
Files:
5d94304e331dd86c5053444f73992b69 2699 graphics optional vlc_0.8.6.e-1.dsc
e4b64e38b95e84a52b51dd433ba66972 16285612 graphics optional
vlc_0.8.6.e.orig.tar.gz
9ad35158c8af3ddd0ec5550a1ae2dd1e 35337 graphics optional vlc_0.8.6.e-1.diff.gz
50f3751dcc0c775e3a267bb2043c39bc 798 graphics optional
vlc-plugin-alsa_0.8.6.e-1_all.deb
662e930519bea013709b6769f7cbd053 790 graphics optional wxvlc_0.8.6.e-1_all.deb
24e9792e460cbefa00cb42c8d76e7c5e 1147424 graphics optional
vlc_0.8.6.e-1_i386.deb
32ace1fc868428220327e9ab5528e2f3 4829932 net optional
vlc-nox_0.8.6.e-1_i386.deb
da38894f2661a5f1519f0653bbcc8ff3 479994 libs optional
libvlc0_0.8.6.e-1_i386.deb
f008833ec10d3747ba2faf2746eef88f 510944 libdevel optional
libvlc0-dev_0.8.6.e-1_i386.deb
91dcd3f1f90961d16ecc4626d2485fca 4798 graphics optional
vlc-plugin-esd_0.8.6.e-1_i386.deb
be52cf60b46f0196683f300b3de52a77 10890 graphics optional
vlc-plugin-sdl_0.8.6.e-1_i386.deb
a7238d20c2c8472d094c81873a32e067 5926 graphics optional
vlc-plugin-ggi_0.8.6.e-1_i386.deb
2b507a54b7f600839c190d36a51bd85c 4186 graphics optional
vlc-plugin-glide_0.8.6.e-1_i386.deb
9879a969481f7f3efcd14b94a72ad47c 4068 graphics optional
vlc-plugin-arts_0.8.6.e-1_i386.deb
567509257baa9f47583a797e8d0a38cd 37838 graphics optional
mozilla-plugin-vlc_0.8.6.e-1_i386.deb
2ea52013d0a5954b82691dfcb2f2d343 4528 graphics optional
vlc-plugin-svgalib_0.8.6.e-1_i386.deb
716bf915fe466a24f8c966f533896491 4788 graphics optional
vlc-plugin-jack_0.8.6.e-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHxsPv4VUX8isJIMARAsZbAKCEOG6p6MKqD23UlU9G0PpW7CIjQACfTXtM
bseLwnsYal2ZiydN54W73Q0=
=JVIZ
-----END PGP SIGNATURE-----
--- End Message ---
