Your message dated Fri, 5 Sep 2008 12:49:13 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Re: Bug#497894: vlc: CVE-2008-3732 Integer overflow in the
Open function in modules/demux/tta.c
has caused the Debian Bug report #497894,
regarding vlc: CVE-2008-3732 Integer overflow in the Open function in
modules/demux/tta.c
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
497894: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497894
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: vlc
Version: 0.8.6.h-4
Severity: grave
Tags: security
Justification: user security hole
When parsing the header of an invalid TTA file, an integer overflow might
happen causing an heap-based buffer overflow.
When parsing a response from an MMS server, an integer overflow might happen
causing a stack-based buffer overflow.
See http://www.videolan.org/security/sa0807.html .
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.25-2-686 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages vlc depends on:
ii libaa1 1.4p5-37+b1 ascii art library
ii libatk1.0-0 1.22.0-1 The ATK accessibility toolkit
ii libavcodec51 0.svn20080206-12 ffmpeg codec library
ii libc6 2.7-13 GNU C Library: Shared libraries
ii libcaca0 0.99.beta14-1 colour ASCII art library
ii libcairo2 1.6.4-6 The Cairo 2D vector graphics libra
ii libcdio7 0.78.2+dfsg1-3 library to read and control CD-ROM
ii libcucul0 0.99.beta14-1 low-level Unicode character drawin
ii libdbus-1-3 1.2.1-3 simple interprocess messaging syst
ii libdbus-glib-1-2 0.76-1 simple interprocess messaging syst
ii libfreetype6 2.3.7-2 FreeType 2 font engine, shared lib
ii libfribidi0 0.10.9-1 Free Implementation of the Unicode
ii libgcc1 1:4.3.1-9 GCC support library
ii libgl1-mesa-glx [libgl 7.0.3-5 A free implementation of the OpenG
ii libglib2.0-0 2.16.5-1 The GLib library of C routines
ii libglu1-mesa [libglu1] 7.0.3-5 The OpenGL utility library (GLU)
ii libgtk2.0-0 2.12.11-3 The GTK+ graphical user interface
ii libice6 2:1.0.4-1 X11 Inter-Client Exchange library
ii libiso9660-5 0.78.2+dfsg1-3 library to work with ISO9660 files
ii libjpeg62 6b-14 The Independent JPEG Group's JPEG
ii libnotify1 [libnotify1 0.4.4-3 sends desktop notifications to a n
ii libpango1.0-0 1.20.5-2 Layout and rendering of internatio
ii libpng12-0 1.2.27-1 PNG library - runtime
ii libsdl-image1.2 1.2.6-3 image loading library for Simple D
ii libsdl1.2debian 1.2.13-2 Simple DirectMedia Layer
ii libsm6 2:1.0.3-2 X11 Session Management library
ii libstdc++6 4.3.1-9 The GNU Standard C++ Library v3
ii libtar 1.2.11-5 C library for manipulating tar arc
ii libtiff4 3.8.2-11 Tag Image File Format (TIFF) libra
ii libvcdinfo0 0.7.23-4 library to extract information fro
ii libvlc0 0.8.6.h-4 multimedia player and streamer lib
ii libwxbase2.6-0 2.6.3.2.2-2 wxBase library (runtime) - non-GUI
ii libwxgtk2.6-0 2.6.3.2.2-2 wxWidgets Cross-platform C++ GUI t
ii libx11-6 2:1.1.4-2 X11 client-side library
ii libxext6 2:1.0.4-1 X11 miscellaneous extension librar
ii libxinerama1 2:1.0.3-2 X11 Xinerama extension library
ii libxosd2 2.2.14-1.6 X On-Screen Display library - runt
ii libxv1 2:1.0.4-1 X11 Video extension library
ii ttf-dejavu-core 2.25-3 Vera font family derivate with add
ii vlc-nox 0.8.6.h-4 multimedia player and streamer (wi
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
vlc recommends no packages.
Versions of packages vlc suggests:
pn mozilla-plugin-vlc <none> (no description available)
pn videolan-doc <none> (no description available)
-- no debconf information
--- End Message ---
--- Begin Message ---
Hi Bernard,
* Bernard Massot <[EMAIL PROTECTED]> [2008-09-05 11:51]:
> When parsing the header of an invalid TTA file, an integer overflow might
> happen causing an heap-based buffer overflow.
> When parsing a response from an MMS server, an integer overflow might happen
> causing a stack-based buffer overflow.
>
> See http://www.videolan.org/security/sa0807.html .
Please check the security tracker for such issues, both
issues are fixed already. The tta issue in vlc 0.8.6.h-2 and
the mms issue in 0.8.6.h-4.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
pgpf9r7hnqoGn.pgp
Description: PGP signature
--- End Message ---
