Your message dated Wed, 21 Jan 2015 22:18:56 +0000
with message-id <e1ye3c0-0004e2...@franck.debian.org>
and subject line Bug#775866: fixed in vlc 2.2.0~rc2-2
has caused the Debian Bug report #775866,
regarding vlc: multiple vulnerabilities
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
775866: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775866
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: vlc
Version: 2.1.5-1
Severity: grave
Tags: security
Justification: user security hole
Hi,
multiple vulnerabilities were reported against vlc 2.1.5. The complete
mail is at http://seclists.org/oss-sec/2015/q1/187 but at least the
following vulnerabilities are fixed in vlc master branch:
* Buffer overflow in updater:
https://github.com/videolan/vlc/commit/fbe2837bc80f155c001781041a54c58b5524fc14
* Buffer overflow in mp4 demuxer:
https://github.com/videolan/vlc/commit/2e7c7091a61aa5d07e7997b393d821e91f593c39
* Potential buffer overflow in Schroedinger Encoder:
https://github.com/videolan/vlc/commit/9bb0353a5c63a7f8c6fc853faa3df4b4df1f5eb5
* Invalid memory access in rtp code:
https://github.com/videolan/vlc/commit/204291467724867b79735c0ee3aeb0dbc2200f97
* Null-pointer dereference in dmo codec:
https://github.com/videolan/vlc/commit/229c385a79d48e41687fae8b4dfeaeef9c8c3eb7
And there are unfixed ones:
* The potential buffer overflow in the Dirac Encoder was not fixed as
the Dirac encoder no longer exists in the master branch.
* The potential invalid writes in modules/services_discovery/sap.c and
modules/access/ftp.c were not fixed as I did not provide a
trigger. Note that the code looks very similar to the confirmed bug
in rtp_packetize_xiph_config, and so I leave it to you to decide
whether you want to patch this.
CVEs should follow soon. Also, I guess Wheezy and Jessie are affected too, so a
DSA might be needed.
Regards,
--
Yves-Alexis
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Source: vlc
Source-Version: 2.2.0~rc2-2
We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 775...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Ramacher <sramac...@debian.org> (supplier of updated vlc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 21 Jan 2015 22:41:57 +0100
Source: vlc
Binary: libvlc-dev libvlc5 libvlccore-dev libvlccore8 vlc vlc-data vlc-dbg
vlc-nox vlc-plugin-fluidsynth vlc-plugin-jack vlc-plugin-notify vlc-plugin-sdl
vlc-plugin-svg vlc-plugin-zvbi vlc-plugin-samba vlc-plugin-pulse
Architecture: source all
Version: 2.2.0~rc2-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintain...@lists.alioth.debian.org>
Changed-By: Sebastian Ramacher <sramac...@debian.org>
Description:
libvlc-dev - development files for libvlc
libvlc5 - multimedia player and streamer library
libvlccore-dev - development files for libvlccore
libvlccore8 - base library for VLC and its modules
vlc - multimedia player and streamer
vlc-data - Common data for VLC
vlc-dbg - debugging symbols for vlc
vlc-nox - multimedia player and streamer (without X support)
vlc-plugin-fluidsynth - FluidSynth plugin for VLC
vlc-plugin-jack - Jack audio plugins for VLC
vlc-plugin-notify - LibNotify plugin for VLC
vlc-plugin-pulse - transitional dummy package for vlc
vlc-plugin-samba - Samba plugin for VLC
vlc-plugin-sdl - SDL video and audio output plugin for VLC
vlc-plugin-svg - SVG plugin for VLC
vlc-plugin-zvbi - VBI teletext plugin for VLC
Closes: 775866
Changes:
vlc (2.2.0~rc2-2) unstable; urgency=medium
.
* debian/patches: Apply upstream patches for security vulnerabilities.
(Closes: #775866)
- codec-schroedinger-fix-potential-buffer-overflow.patch: fix potential
buffer overflow. (CVE-2014-9629)
- demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch: fix buffer
overflow in parsing of string boxes. (CVE-2014-9626, CVE-2014-9627,
CVE-2014-9628)
- stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch: don't use
VLA for user controlled data. (CVE-2014-9630)
Checksums-Sha1:
5f7324842882ae36aa18c5a6a074245c1ab3043b 5410 vlc_2.2.0~rc2-2.dsc
d124ad416dcc8171ea38d716250db58a1af0ec9b 59516 vlc_2.2.0~rc2-2.debian.tar.xz
e91b8b7b64654651365887c0e63de3dc6fac9d77 5410426 vlc-data_2.2.0~rc2-2_all.deb
91d689787b1b481e0082e61c85929fa9c8ba7060 916 vlc-plugin-pulse_2.2.0~rc2-2_all.deb
Checksums-Sha256:
cd9a53d57402a7888072ce589e89db0f2794d8691857aabac1a1edab7742b642 5410 vlc_2.2.0~rc2-2.dsc
202082c88e4a4b81b11eb7fe2c0a04f638c7fa08bee2d824711659313c8dc178 59516 vlc_2.2.0~rc2-2.debian.tar.xz
204640e68a44ded134311836dda6de2b64e1a17291a50c97c462822435fd5236 5410426 vlc-data_2.2.0~rc2-2_all.deb
baca59d500f8cb32a6a0ab61a3557d431fbbfe32bfe4e9faf0fb00a85bb9f6d8 916 vlc-plugin-pulse_2.2.0~rc2-2_all.deb
Files:
a674accfdebaee47310ca3a4cddc749c 5410 video optional vlc_2.2.0~rc2-2.dsc
3957db5553a882d682d8367d1e577828 59516 video optional vlc_2.2.0~rc2-2.debian.tar.xz
966c48aa910015cb6040800d647308cb 5410426 video optional vlc-data_2.2.0~rc2-2_all.deb
07af522a72f1b206a4911e1e64d30ec8 916 video optional vlc-plugin-pulse_2.2.0~rc2-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJUwCNLAAoJEGny/FFupxmT+GsQAMFKca1mA2K/0gayORhxWWcl
DxBEfWcHKz12nYpQRse7ZsmjwPqOo9NJRdn5o2/ZR3Vn6Fqza4xraKBr5v6szz/s
S77X03nBAs1PQat20Vt7OWXOlzbtenPWDoezpEOtCQXt0H6jlyk8DJ4q0aMGNMnw
Pkobf9eszJR7IhK/TERev14CMk7dB8I1mHSQeJJdrwKsiwBR+vfeoBLR+/i9N4ol
LazQbX/S1+pFC6uARxVGzeNmaTy8kVaB8ceWkfTqg7NJA374+nKrfDevKgJVNV25
EtNUBY0A0kEP0IP38dGU7IUEVGKqlxLCG7TywsTw+LU7JLlle5DXLz+2LUAeqaP8
QcCGY3e37eBYGdDFvjSSsI7uqbW7Tk+52XPwai+86kWIcTWt15+a3FF44dQOoOwW
29sJQbl4tw6cALAOJmAaSupANpzq8SMlkfygGG3zleknYdYCRvQG+hVIARQ0p8Ge
8n46y7kn9oLhQcMMwQbdkw2U2PdHu9QhOxTKtFo+XFSNdy9CIlR/APbKg24ZRwb8
CIK3rI4P5FPIdu/fayFYIY42NPIbS9HSahaOH1wAyzI7RiKoMS+1FvcKYHigT55D
1NAwQSXYTHjGCbUsOZ5yMdw4BN266c+26LU+aR/o3SqutmACi1ltqDZTCHEEBi63
TSNgex1fnwbbq5QOTj/t
=o18o
-----END PGP SIGNATURE-----
--- End Message ---
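The rtp changelog entry above ("don't use VLA for user controlled data", CVE-2014-9630) names a pattern that is worth seeing in concrete form. The C below is an added illustration written for this page; it is not VLC's rtp code and does not reproduce rtp_packetize_xiph_config. It parses a hypothetical length-prefixed config record twice: once through a variable-length array sized straight from the sender's length field (the weak shape), and once through bounds checks and a heap buffer (the hardened shape). The record layout, the CONFIG_MAX bound and the sample records are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on a legitimate config payload (a value chosen for
 * this example, not taken from VLC). */
#define CONFIG_MAX 4096

/* Constructed record layout: [len: 2 bytes big-endian][payload: len bytes]. */
static size_t read_len(const uint8_t *msg)
{
    return ((size_t)msg[0] << 8) | msg[1];
}

/* Weak pattern: a VLA sized straight from the untrusted length field.
 * The stack frame grows by a sender-chosen amount with no bound and no
 * allocation failure to detect, and the copies trust len over msg_len and
 * out_cap, so a short record is over-read and a small out buffer over-written.
 * Kept only as the "before" shape; it is never given untrusted input here. */
static int weak_copy_config(const uint8_t *msg, size_t msg_len,
                            uint8_t *out, size_t out_cap)
{
    (void)out_cap;                    /* never consulted: that is the defect */
    if (msg_len < 2)
        return -1;
    size_t len = read_len(msg);
    uint8_t tmp[len];                 /* VLA: size chosen by the sender */
    memcpy(tmp, msg + 2, len);        /* no check against msg_len */
    memcpy(out, tmp, len);            /* no check against out_cap */
    return (int)len;
}

/* Hardened form: validate the length against every bound it must respect
 * (a fixed maximum, the bytes actually present, the destination capacity),
 * then use a heap buffer whose allocation can fail cleanly. */
static int safe_copy_config(const uint8_t *msg, size_t msg_len,
                            uint8_t *out, size_t out_cap)
{
    if (msg_len < 2)
        return -1;
    size_t len = read_len(msg);
    if (len > CONFIG_MAX)             /* protocol-level sanity bound */
        return -1;
    if (len > msg_len - 2)            /* record is shorter than it claims */
        return -1;
    if (len > out_cap)                /* destination too small */
        return -1;
    uint8_t *tmp = malloc(len ? len : 1);
    if (tmp == NULL)
        return -1;
    memcpy(tmp, msg + 2, len);
    memcpy(out, tmp, len);
    free(tmp);
    return (int)len;
}

/* Constructed sample records. */
static const uint8_t REC_OK[]        = { 0x00, 0x03, 'a', 'b', 'c' }; /* claims 3, carries 3 */
static const uint8_t REC_TRUNCATED[] = { 0x00, 0x0A, 'a', 'b', 'c' }; /* claims 10, carries 3 */
static const uint8_t REC_HUGE[]      = { 0xFF, 0xFF };                /* claims 65535, carries 0 */

/* Wrappers that return the parser results so they can be checked. */
int demo_weak_well_formed(void)
{
    uint8_t out[16];
    return weak_copy_config(REC_OK, sizeof REC_OK, out, sizeof out);   /* 3 */
}
int demo_safe_well_formed(void)
{
    uint8_t out[16];
    return safe_copy_config(REC_OK, sizeof REC_OK, out, sizeof out);   /* 3 */
}
int demo_safe_truncated(void)
{
    uint8_t out[16];
    return safe_copy_config(REC_TRUNCATED, sizeof REC_TRUNCATED, out, sizeof out); /* -1 */
}
int demo_safe_huge_length(void)
{
    uint8_t out[16];
    return safe_copy_config(REC_HUGE, sizeof REC_HUGE, out, sizeof out); /* -1 */
}
int demo_safe_small_destination(void)
{
    uint8_t out[2];
    return safe_copy_config(REC_OK, sizeof REC_OK, out, sizeof out);   /* -1 */
}

int main(void)
{
    printf("weak, well-formed record:  %d\n", demo_weak_well_formed());
    printf("safe, well-formed record:  %d\n", demo_safe_well_formed());
    printf("safe, truncated record:    %d\n", demo_safe_truncated());
    printf("safe, huge length field:   %d\n", demo_safe_huge_length());
    printf("safe, small destination:   %d\n", demo_safe_small_destination());
    return 0;
}
```

The weak function is only ever called with the well-formed record here; the point of the comparison is that the hardened function rejects the truncated, oversized and too-small-destination cases before any copy happens, and that a heap allocation gives a failure path (a NULL return) where a VLA gives none. When reviewing a patch like the one in the changelog, the three bound checks and the removal of the VLA are the things to look for.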