Your message dated Mon, 03 Nov 2008 14:17:10 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#503118: fixed in vlc 0.8.6.h-4.1
has caused the Debian Bug report #503118,
regarding vlc: CVE-2008-4686 integer overflow in ty parsing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
503118: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503118
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: vlc-nox
Version: 0.8.6.h-4
Severity: grave
File: libty_plugin
Tags: security
Justification: user security hole


VLC versions 0.8.2 through 0.9.4 are prone to an exploitable
stack-based buffer overflow in the TY (TiVo) file parser.

See also http://www.videolan.org/security/sa0809.html

N.B.: please give me the CVE ID if you allocate one.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (100, 'unstable'), (100, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.27 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages vlc-nox depends on:
ii  liba52-0.7.4           0.7.4-11          library for decoding ATSC A/52 str
ii  libasound2             1.0.16-2          ALSA library
ii  libavahi-client3       0.6.23-2          Avahi client library
ii  libavahi-common3       0.6.23-2          Avahi common library
ii  libavc1394-0           0.5.3-1+b1        control IEEE 1394 audio/video devi
ii  libavcodec51           0.svn20080206-14  ffmpeg codec library
ii  libavformat52          0.svn20080206-14  ffmpeg file format library
ii  libavutil49            0.svn20080206-14  ffmpeg utility library
ii  libc6                  2.7-15            GNU C Library: Shared libraries
ii  libcdio7               0.78.2+dfsg1-3    library to read and control CD-ROM
ii  libdbus-1-3            1.2.1-3           simple interprocess messaging syst
ii  libdvbpsi4             0.1.5-3.1         library for MPEG TS and DVB PSI ta
ii  libdvdnav4             4.1.2-3           DVD navigation library
ii  libdvdread3            0.9.7-11          library for reading DVDs
ii  libebml0               0.7.7-3.1         access library for the EBML format
ii  libfaad0               2.6.1-3.1         freeware Advanced Audio Decoder - 
ii  libflac8               1.2.1-1.2         Free Lossless Audio Codec - runtim
ii  libfreetype6           2.3.7-2           FreeType 2 font engine, shared lib
ii  libfribidi0            0.10.9-1          Free Implementation of the Unicode
ii  libgcc1                1:4.3.2-1         GCC support library
ii  libgcrypt11            1.4.1-1           LGPL Crypto library - runtime libr
ii  libgnutls26            2.4.2-1           the GNU TLS library - runtime libr
ii  libhal1                0.5.11-5          Hardware Abstraction Layer - share
ii  libid3tag0             0.15.1b-10        ID3 tag reading library from the M
ii  libiso9660-5           0.78.2+dfsg1-3    library to work with ISO9660 files
ii  liblircclient0         0.8.3-3           infra-red remote control support -
ii  libmad0                0.15.1b-3         MPEG audio decoder library
ii  libmatroska0           0.8.1-1.1         extensible open standard audio/vid
ii  libmodplug0c2          1:0.8.4-2         shared libraries for mod music bas
ii  libmpcdec3             1.2.2-1           Musepack (MPC) format library
ii  libmpeg2-4             0.4.1-3           MPEG1 and MPEG2 video decoder libr
ii  libncurses5            5.6+20081011-1    shared libraries for terminal hand
ii  libogg0                1.1.3-4           Ogg Bitstream Library
ii  libpng12-0             1.2.27-2          PNG library - runtime
ii  libpostproc51          0.svn20080206-14  ffmpeg video postprocessing librar
ii  libraw1394-8           1.3.0-4           library for direct access to IEEE 
ii  libsmbclient           2:3.2.3-3         shared library that allows applica
ii  libspeex1              1.2~rc1-1         The Speex codec runtime library
ii  libstdc++6             4.3.2-1           The GNU Standard C++ Library v3
ii  libsysfs2              2.1.0-5           interface library to sysfs
ii  libtheora0             1.0~beta3-1       The Theora Video Compression Codec
ii  libtwolame0            0.3.12-1          MPEG Audio Layer 2 encoding librar
ii  libvcdinfo0            0.7.23-4          library to extract information fro
ii  libvlc0                0.8.6.h-4         multimedia player and streamer lib
ii  libvorbis0a            1.2.0.dfsg-3.1    The Vorbis General Audio Compressi
ii  libvorbisenc2          1.2.0.dfsg-3.1    The Vorbis General Audio Compressi
ii  libxml2                2.6.32.dfsg-4     GNOME XML library
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

vlc-nox recommends no packages.

vlc-nox suggests no packages.

-- no debconf information



--- End Message ---
--- Begin Message ---
Source: vlc
Source-Version: 0.8.6.h-4.1

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6.h-4.1_amd64.deb
  to pool/main/v/vlc/libvlc0-dev_0.8.6.h-4.1_amd64.deb
libvlc0_0.8.6.h-4.1_amd64.deb
  to pool/main/v/vlc/libvlc0_0.8.6.h-4.1_amd64.deb
mozilla-plugin-vlc_0.8.6.h-4.1_amd64.deb
  to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.h-4.1_amd64.deb
vlc-nox_0.8.6.h-4.1_amd64.deb
  to pool/main/v/vlc/vlc-nox_0.8.6.h-4.1_amd64.deb
vlc-plugin-arts_0.8.6.h-4.1_amd64.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.8.6.h-4.1_amd64.deb
vlc-plugin-esd_0.8.6.h-4.1_amd64.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.8.6.h-4.1_amd64.deb
vlc-plugin-ggi_0.8.6.h-4.1_amd64.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.h-4.1_amd64.deb
vlc-plugin-jack_0.8.6.h-4.1_amd64.deb
  to pool/main/v/vlc/vlc-plugin-jack_0.8.6.h-4.1_amd64.deb
vlc-plugin-sdl_0.8.6.h-4.1_amd64.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.h-4.1_amd64.deb
vlc-plugin-svgalib_0.8.6.h-4.1_amd64.deb
  to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.h-4.1_amd64.deb
vlc_0.8.6.h-4.1.diff.gz
  to pool/main/v/vlc/vlc_0.8.6.h-4.1.diff.gz
vlc_0.8.6.h-4.1.dsc
  to pool/main/v/vlc/vlc_0.8.6.h-4.1.dsc
vlc_0.8.6.h-4.1_amd64.deb
  to pool/main/v/vlc/vlc_0.8.6.h-4.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 03 Nov 2008 14:41:58 +0100
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-sdl 
vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts mozilla-plugin-vlc 
vlc-plugin-svgalib vlc-plugin-jack
Architecture: source amd64
Version: 0.8.6.h-4.1
Distribution: unstable
Urgency: high
Maintainer: Debian multimedia packages maintainers <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description: 
 libvlc0    - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc        - multimedia player and streamer
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-glide - Glide video output plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svgalib - SVGAlib video output plugin for VLC
Closes: 503118
Changes: 
 vlc (0.8.6.h-4.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix integer overflows that could possibly lead to arbitrary
     code execution (CVE-2008-4686.diff; Closes: #503118).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkPBUAACgkQHYflSXNkfP8g3wCeI1vUkOL9sqFscSo0+EZ6BdL3
bmEAoLOiuGuhsFNGSXgWgpz2mTwX3PED
=KvLu
-----END PGP SIGNATURE-----



--- End Message ---
