Your message dated Mon, 28 Apr 2008 22:47:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#477805: fixed in vlc 0.8.6.e-2.1
has caused the Debian Bug report #477805,
regarding vlc: CVE-2008-1881 stack-based buffer overflow in subtitle parsing
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
477805: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=477805
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: vlc
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for vlc.
CVE-2008-1881[0]:
| Stack-based buffer overflow in the ParseSSA function
| (modules/demux/subtitle.c) in VLC 0.8.6e allows remote attackers to
| execute arbitrary code via a long subtitle in an SSA file. NOTE: this
| issue is due to an incomplete fix for CVE-2007-6681.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1881
http://security-tracker.debian.net/tracker/CVE-2008-1881
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
--- Begin Message ---
Source: vlc
Source-Version: 0.8.6.e-2.1
We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:
libvlc0-dev_0.8.6.e-2.1_amd64.deb
to pool/main/v/vlc/libvlc0-dev_0.8.6.e-2.1_amd64.deb
libvlc0_0.8.6.e-2.1_amd64.deb
to pool/main/v/vlc/libvlc0_0.8.6.e-2.1_amd64.deb
mozilla-plugin-vlc_0.8.6.e-2.1_amd64.deb
to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.e-2.1_amd64.deb
vlc-nox_0.8.6.e-2.1_amd64.deb
to pool/main/v/vlc/vlc-nox_0.8.6.e-2.1_amd64.deb
vlc-plugin-alsa_0.8.6.e-2.1_all.deb
to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.e-2.1_all.deb
vlc-plugin-arts_0.8.6.e-2.1_amd64.deb
to pool/main/v/vlc/vlc-plugin-arts_0.8.6.e-2.1_amd64.deb
vlc-plugin-esd_0.8.6.e-2.1_amd64.deb
to pool/main/v/vlc/vlc-plugin-esd_0.8.6.e-2.1_amd64.deb
vlc-plugin-ggi_0.8.6.e-2.1_amd64.deb
to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.e-2.1_amd64.deb
vlc-plugin-jack_0.8.6.e-2.1_amd64.deb
to pool/main/v/vlc/vlc-plugin-jack_0.8.6.e-2.1_amd64.deb
vlc-plugin-sdl_0.8.6.e-2.1_amd64.deb
to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.e-2.1_amd64.deb
vlc-plugin-svgalib_0.8.6.e-2.1_amd64.deb
to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.e-2.1_amd64.deb
vlc_0.8.6.e-2.1.diff.gz
to pool/main/v/vlc/vlc_0.8.6.e-2.1.diff.gz
vlc_0.8.6.e-2.1.dsc
to pool/main/v/vlc/vlc_0.8.6.e-2.1.dsc
vlc_0.8.6.e-2.1_amd64.deb
to pool/main/v/vlc/vlc_0.8.6.e-2.1_amd64.deb
wxvlc_0.8.6.e-2.1_all.deb
to pool/main/v/vlc/wxvlc_0.8.6.e-2.1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated vlc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 27 Apr 2008 16:17:49 +0200
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-alsa
vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts
mozilla-plugin-vlc vlc-plugin-svgalib wxvlc vlc-plugin-jack
Architecture: source all amd64
Version: 0.8.6.e-2.1
Distribution: unstable
Urgency: high
Maintainer: Debian multimedia packages maintainers <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
libvlc0 - multimedia player and streamer library
libvlc0-dev - development files for VLC
mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
vlc - multimedia player and streamer
vlc-nox - multimedia player and streamer (without X support)
vlc-plugin-alsa - dummy transitional package
vlc-plugin-arts - aRts audio output plugin for VLC
vlc-plugin-esd - Esound audio output plugin for VLC
vlc-plugin-ggi - GGI video output plugin for VLC
vlc-plugin-glide - Glide video output plugin for VLC
vlc-plugin-jack - Jack audio plugins for VLC
vlc-plugin-sdl - SDL video and audio output plugin for VLC
vlc-plugin-svgalib - SVGAlib video output plugin for VLC
wxvlc - dummy transitional package
Closes: 477805 478140 478140
Changes:
 vlc (0.8.6.e-2.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * This update addresses the following security issues:
     - CVE-2008-1769: out-of-bounds array access and memory corruption
       via a crafted cinepak file (Closes: #478140).
     - CVE-2008-1768: multiple integer overflow triggering buffer overflows
       in the mp4 and real demuxer and the cinepak codec (Closes: #478140).
     - CVE-2008-1881: stack-based buffer overflow in subtitle parsing leading
       to arbitrary code execution via crafted subtitle file (Closes: #477805).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFIFk5aHYflSXNkfP8RApt5AJ4wM2tuV56N/MyrolFGAxFV1TYkXQCgtYnW
XEBAcJJRYhoIMv3VjJ4At0E=
=GlM2
-----END PGP SIGNATURE-----
--- End Message ---