Your message dated Mon, 28 Apr 2008 15:47:07 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#478140: fixed in vlc 0.8.6.c-6+lenny4
has caused the Debian Bug report #478140,
regarding vlc: CVE-2008-1768, CVE-2008-1769 multiple security issues
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
478140: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=478140
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: vlc
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) IDs were
published for vlc.
CVE-2008-1769[0]:
| VLC before 0.8.6f allow remote attackers to cause a denial of service
| (crash) via a crafted Cinepak file that triggers an out-of-bounds
| array access and memory corruption.
Patch:
http://trac.videolan.org/vlc/changeset/d7e6e4afcecea38831282152d6e7af9a62989985
CVE-2008-1768[1]:
| Multiple integer overflows in VLC before 0.8.6f allow remote attackers
| to cause a denial of service (crash) via the (1) MP4 demuxer, (2) Real
| demuxer, and (3) Cinepak codec, which triggers a buffer overflow.
The MP4 demuxer issue is already partly covered by #467652,
please also use:
http://trac.videolan.org/vlc/changeset/3a6282755277ba9321d405c635e50da935d258a6
and
http://trac.videolan.org/vlc/changeset/edca13e259472872fdfd456cf3ef4a21d1262c11
Real demuxer patch:
http://trac.videolan.org/vlc/changeset/783ab03c7bd8ddedcd3dc5bad18efc70a4c57aaa
Cinepak integer overflow patch:
http://trac.videolan.org/vlc/changeset/18eb4fd5a75b6429d1d7058a8967696be701a00b
If you fix the vulnerabilities please also make sure to include the
CVE IDs in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1769
http://security-tracker.debian.net/tracker/CVE-2008-1769
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1768
http://security-tracker.debian.net/tracker/CVE-2008-1768
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
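Both CVEs in the report above stem from trusting size or index fields read straight from the media file. The C program below is an illustration added to this page; it is not VLC code and is not taken from the linked changesets. It reproduces the arithmetic behind the CVE-2008-1768 class on a constructed table format: a 32-bit entry count multiplied by the entry size wraps, so the unchecked path would allocate a few bytes for more than a billion claimed entries and then overrun that buffer, while the hardened path rejects the header before allocating. The `entry_t` layout, `parse_table`, and the two sample headers are hypothetical.

```c
/* Added illustration of the integer-overflow-to-buffer-overflow class
 * named in CVE-2008-1768. Not VLC code: the table layout, function names
 * and sample headers below are constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical 8-byte table entry, as a demuxer might read it from a file. */
typedef struct { uint32_t offset; uint32_t size; } entry_t;

static uint32_t rd32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable arithmetic: count * sizeof(entry_t) computed in 32 bits wraps
 * around, so a crafted count yields a tiny allocation while the parser
 * still loops count times. The uint32_t cast emulates a 32-bit build. */
uint32_t unchecked_table_bytes(uint32_t count) {
    return count * (uint32_t)sizeof(entry_t);
}

/* Hardened: refuse counts whose byte size cannot be represented, or that
 * exceed the bytes actually following the header. Returns 0 and stores
 * the size on success, -1 on rejection. */
int checked_table_bytes(uint32_t count, size_t avail, size_t *bytes) {
    if (count > SIZE_MAX / sizeof(entry_t))
        return -1;                           /* multiplication would wrap */
    size_t need = (size_t)count * sizeof(entry_t);
    if (need > avail)
        return -1;                           /* file too short for claimed count */
    *bytes = need;
    return 0;
}

/* Parse [count:u32be] followed by count entries of {offset,size} (u32be).
 * On success returns 0, stores the entry count in *n and a malloc'd array
 * in *out (caller frees); returns -1 if the header is rejected. */
int parse_table(const uint8_t *buf, size_t len, entry_t **out, uint32_t *n) {
    if (len < 4)
        return -1;
    uint32_t count = rd32be(buf);
    size_t bytes;
    if (checked_table_bytes(count, len - 4, &bytes) != 0)
        return -1;
    entry_t *tab = malloc(bytes ? bytes : 1);
    if (tab == NULL)
        return -1;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = buf + 4 + (size_t)i * 8;
        tab[i].offset = rd32be(e);
        tab[i].size   = rd32be(e + 4);
    }
    *out = tab;
    *n = count;
    return 0;
}

/* Constructed sample: count = 2, entries {0x100,0x10} and {0x200,0x20}. */
static const uint8_t good_table[] = {
    0x00,0x00,0x00,0x02,
    0x00,0x00,0x01,0x00, 0x00,0x00,0x00,0x10,
    0x00,0x00,0x02,0x00, 0x00,0x00,0x00,0x20,
};
/* Constructed crafted header: count = 0x40000001 but only 8 bytes follow. */
static const uint8_t bad_table[] = {
    0x40,0x00,0x00,0x01,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
};

/* Sum of all entry sizes in the good sample (0x30), or -1 if rejected. */
long good_sample_size_sum(void) {
    entry_t *t = NULL; uint32_t n = 0;
    if (parse_table(good_table, sizeof good_table, &t, &n) != 0)
        return -1;
    long sum = 0;
    for (uint32_t i = 0; i < n; i++) sum += t[i].size;
    free(t);
    return sum;
}

/* parse_table's verdict on the crafted header (-1 means rejected). */
int bad_sample_verdict(void) {
    entry_t *t = NULL; uint32_t n = 0;
    int rc = parse_table(bad_table, sizeof bad_table, &t, &n);
    if (rc == 0) free(t);
    return rc;
}

int main(void) {
    printf("crafted count 0x40000001: unchecked size = %u bytes, checked parse = %d\n",
           unchecked_table_bytes(0x40000001U), bad_sample_verdict());
    printf("well-formed table: sum of entry sizes = 0x%lx\n", good_sample_size_sum());
    return 0;
}
```

The two checks in `checked_table_bytes` are the ones the linked changesets are fixing in spirit: bound the count against what the size type can hold, and bound the resulting byte count against what the input actually contains, before any allocation or loop trusts it.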
--- Begin Message ---
Source: vlc
Source-Version: 0.8.6.c-6+lenny4
We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:
libvlc0-dev_0.8.6.c-6+lenny4_amd64.deb
to pool/main/v/vlc/libvlc0-dev_0.8.6.c-6+lenny4_amd64.deb
libvlc0_0.8.6.c-6+lenny4_amd64.deb
to pool/main/v/vlc/libvlc0_0.8.6.c-6+lenny4_amd64.deb
mozilla-plugin-vlc_0.8.6.c-6+lenny4_amd64.deb
to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.c-6+lenny4_amd64.deb
vlc-nox_0.8.6.c-6+lenny4_amd64.deb
to pool/main/v/vlc/vlc-nox_0.8.6.c-6+lenny4_amd64.deb
vlc-plugin-alsa_0.8.6.c-6+lenny4_all.deb
to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.c-6+lenny4_all.deb
vlc-plugin-arts_0.8.6.c-6+lenny4_amd64.deb
to pool/main/v/vlc/vlc-plugin-arts_0.8.6.c-6+lenny4_amd64.deb
vlc-plugin-esd_0.8.6.c-6+lenny4_amd64.deb
to pool/main/v/vlc/vlc-plugin-esd_0.8.6.c-6+lenny4_amd64.deb
vlc-plugin-ggi_0.8.6.c-6+lenny4_amd64.deb
to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.c-6+lenny4_amd64.deb
vlc-plugin-jack_0.8.6.c-6+lenny4_amd64.deb
to pool/main/v/vlc/vlc-plugin-jack_0.8.6.c-6+lenny4_amd64.deb
vlc-plugin-sdl_0.8.6.c-6+lenny4_amd64.deb
to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.c-6+lenny4_amd64.deb
vlc-plugin-svgalib_0.8.6.c-6+lenny4_amd64.deb
to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.c-6+lenny4_amd64.deb
vlc_0.8.6.c-6+lenny4.diff.gz
to pool/main/v/vlc/vlc_0.8.6.c-6+lenny4.diff.gz
vlc_0.8.6.c-6+lenny4.dsc
to pool/main/v/vlc/vlc_0.8.6.c-6+lenny4.dsc
vlc_0.8.6.c-6+lenny4_amd64.deb
to pool/main/v/vlc/vlc_0.8.6.c-6+lenny4_amd64.deb
wxvlc_0.8.6.c-6+lenny4_all.deb
to pool/main/v/vlc/wxvlc_0.8.6.c-6+lenny4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated vlc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 27 Apr 2008 16:32:34 +0200
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-alsa
vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts
mozilla-plugin-vlc vlc-plugin-svgalib wxvlc vlc-plugin-jack
Architecture: source all amd64
Version: 0.8.6.c-6+lenny4
Distribution: testing-security
Urgency: high
Maintainer: Debian multimedia packages maintainers <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
libvlc0 - multimedia player and streamer library
libvlc0-dev - development files for VLC
mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
vlc - multimedia player and streamer
vlc-nox - multimedia player and streamer (without X support)
vlc-plugin-alsa - dummy transitional package
vlc-plugin-arts - aRts audio output plugin for VLC
vlc-plugin-esd - Esound audio output plugin for VLC
vlc-plugin-ggi - GGI video output plugin for VLC
vlc-plugin-glide - Glide video output plugin for VLC
vlc-plugin-jack - Jack audio plugins for VLC
vlc-plugin-sdl - SDL video and audio output plugin for VLC
vlc-plugin-svgalib - SVGAlib video output plugin for VLC
wxvlc - dummy transitional package
Closes: 477805 478140 478140
Changes:
vlc (0.8.6.c-6+lenny4) testing-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* This update addresses the following security issues:
- CVE-2008-1769: out-of-bounds array access and memory corruption
via a crafted cinepak file (Closes: #478140).
- CVE-2008-1768: multiple integer overflows triggering buffer overflows
in the mp4 and real demuxer and the cinepak codec (Closes: #478140).
- CVE-2008-1881: stack-based buffer overflow in subtitle parsing leading
to arbitrary code execution via crafted subtitle file (Closes: #477805).
Checksums-Sha1:
969ed605acacc8f86d2c8504cfaa3e2a9a738bb1 3101 vlc_0.8.6.c-6+lenny4.dsc
73127c27a3545e10efb5c7c79d191249572d40a5 41394 vlc_0.8.6.c-6+lenny4.diff.gz
5478e21d2d171b92da7620086bbd2d9d8c937fae 800 vlc-plugin-alsa_0.8.6.c-6+lenny4_all.deb
1f353f0b33cdfb9f0368eb58d815f713f75fb56d 794 wxvlc_0.8.6.c-6+lenny4_all.deb
04ffdd06f748f6be3ba797c81fe13bf0dc48c8b3 1160532 vlc_0.8.6.c-6+lenny4_amd64.deb
9251783bffb13313b893d63990dccf6fe182ec1c 4661230 vlc-nox_0.8.6.c-6+lenny4_amd64.deb
cf5587de66bd750e59b2e7cdcb245bc0373d10b2 457322 libvlc0_0.8.6.c-6+lenny4_amd64.deb
10ec97be81ff42f949a79e96cf4a4dc2d309bd38 504464 libvlc0-dev_0.8.6.c-6+lenny4_amd64.deb
9ca20ff0a320b501d0d2747f3b1a3b2017ea51fb 4538 vlc-plugin-esd_0.8.6.c-6+lenny4_amd64.deb
98ce369b70dc74ca272ad037b549afceedfb633e 11646 vlc-plugin-sdl_0.8.6.c-6+lenny4_amd64.deb
74f76bd552bf23f8ddb0f30c15c1127fb72b4229 6216 vlc-plugin-ggi_0.8.6.c-6+lenny4_amd64.deb
728c259fbd882268002e4b36e514b94f1237df54 4186 vlc-plugin-arts_0.8.6.c-6+lenny4_amd64.deb
07043015d39766662e49a8032a48f7018b3d02b2 38578 mozilla-plugin-vlc_0.8.6.c-6+lenny4_amd64.deb
456480da0ce73f296a3d89be3dd84239463f44fb 4812 vlc-plugin-svgalib_0.8.6.c-6+lenny4_amd64.deb
7e4f3e20c8fa1ec1d8ea29cb8c75f09fa45a0507 4878 vlc-plugin-jack_0.8.6.c-6+lenny4_amd64.deb
Checksums-Sha256:
47350d6be9493ea34787d0c6293cb502329dc3d9d58793797a87197b277dfda8 3101 vlc_0.8.6.c-6+lenny4.dsc
cd4fec0381bc86094267330d173edab05e2226746553293efaec3a37ed6b1036 41394 vlc_0.8.6.c-6+lenny4.diff.gz
e0bf645dfe5832b24984de6c0d1fa35b94e6e87c6d4a16310cea02ca3562d8d7 800 vlc-plugin-alsa_0.8.6.c-6+lenny4_all.deb
addc5597469fa238c80ef3a5b3c7d615fff4b303e1573e5fbfb225fa39cb7c81 794 wxvlc_0.8.6.c-6+lenny4_all.deb
fb72c37e59648adfca7b6cf63ce100b47079adf26a81525a419f8b2bc329c7f9 1160532 vlc_0.8.6.c-6+lenny4_amd64.deb
940d349d3c8bb77db84bc8d49e46a1b3c61ad5b4644b50c1a5c7cbeb1439bd02 4661230 vlc-nox_0.8.6.c-6+lenny4_amd64.deb
d9cee4e988ca8b1a74fb94d98031878b4f17ccb162b427af61afad610f2a73a1 457322 libvlc0_0.8.6.c-6+lenny4_amd64.deb
1462f362bf563a5e20409eb59ad008afb098f5ac17bdf75827dcdfaf3eea5ad7 504464 libvlc0-dev_0.8.6.c-6+lenny4_amd64.deb
e0b79920f2d0eb91fa9173e02f6009d0e1ac28d9c9e1409b2a4eaee72bdcae47 4538 vlc-plugin-esd_0.8.6.c-6+lenny4_amd64.deb
d1eb788c55c9e2010bf8a3736fb4551081ae064c78b0565f60ca43087596953f 11646 vlc-plugin-sdl_0.8.6.c-6+lenny4_amd64.deb
fec451d13e9f519d932323518b08a9f52f90e7c2c86839c5d8ac3cab68d9cbb2 6216 vlc-plugin-ggi_0.8.6.c-6+lenny4_amd64.deb
8e8241dc0b551a6583f47e58e767adf0b3567da9bc50e5a2184b0846bce9265e 4186 vlc-plugin-arts_0.8.6.c-6+lenny4_amd64.deb
db878241d53e3cc0378c2809e031229f018e1cf93e2323319b577956c37bffbc 38578 mozilla-plugin-vlc_0.8.6.c-6+lenny4_amd64.deb
58461944b49270710e342a15983dc8b7c39cc64b2420098e18289e3a32334906 4812 vlc-plugin-svgalib_0.8.6.c-6+lenny4_amd64.deb
7e8320280fb281a576158c673efa8b8a9c0f0606c57738a089cefd78c86c5ae1 4878 vlc-plugin-jack_0.8.6.c-6+lenny4_amd64.deb
Files:
760dcb306b60d1e826fad333b8da2982 3101 graphics optional vlc_0.8.6.c-6+lenny4.dsc
7ab0694b1d9198e0806fd51033155308 41394 graphics optional vlc_0.8.6.c-6+lenny4.diff.gz
756fb29b95e9bbc347da7f8c11d6ff85 800 graphics optional vlc-plugin-alsa_0.8.6.c-6+lenny4_all.deb
2b65c262cb536fe33085d663e41a8be4 794 graphics optional wxvlc_0.8.6.c-6+lenny4_all.deb
9a0b2314c253fccb5f6840efae5bc22b 1160532 graphics optional vlc_0.8.6.c-6+lenny4_amd64.deb
23f183dfcf7bf8086d7f725c2211fa79 4661230 net optional vlc-nox_0.8.6.c-6+lenny4_amd64.deb
49f62bc2ebe5663368b4f55fda91d4b6 457322 libs optional libvlc0_0.8.6.c-6+lenny4_amd64.deb
c12059707bc2ecca7f3cce9e885d66fa 504464 libdevel optional libvlc0-dev_0.8.6.c-6+lenny4_amd64.deb
db67c923d92fa51a01ecb29ffc7f17f1 4538 graphics optional vlc-plugin-esd_0.8.6.c-6+lenny4_amd64.deb
a05b9b7f38a38c244880f4ea6c709edd 11646 graphics optional vlc-plugin-sdl_0.8.6.c-6+lenny4_amd64.deb
44e412de1ab131b9d1276b96fbf2d458 6216 graphics optional vlc-plugin-ggi_0.8.6.c-6+lenny4_amd64.deb
40ac7cbb99c89d139d71feaa5bc11e09 4186 graphics optional vlc-plugin-arts_0.8.6.c-6+lenny4_amd64.deb
e552c4aba44601d5c4012553fb69f843 38578 graphics optional mozilla-plugin-vlc_0.8.6.c-6+lenny4_amd64.deb
a06c95fdf43be40a1d1007702fb2710b 4812 graphics optional vlc-plugin-svgalib_0.8.6.c-6+lenny4_amd64.deb
1897129b07ed5629d88b4c90b51a3332 4878 graphics optional vlc-plugin-jack_0.8.6.c-6+lenny4_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFIFJOxHYflSXNkfP8RAnJhAJsGYLH67PacaZziAeDfjeWNJy1QUwCgqbqc
Hrxv6oSCCJllXnvrtBLhiac=
=X+jm
-----END PGP SIGNATURE-----
--- End Message ---