Your message dated Mon, 08 Jan 2007 17:32:09 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#405425: fixed in vlc 0.8.6-svn20061012.debian-2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: vlc
Version: 0.8.6-svn20061012.debian-1
Severity: critical
Tags: security
Justification: root security hole

Description:
Multiple vulnerabilities have been identified in VideoLAN VLC, which could be
exploited by attackers to take complete control of an affected system. These
issues are due to format string errors in the "cdio_log_handler()" and
"vcd_log_handler()" functions that call "msg_Dbg()", "msg_Warn()", and
"msg_Err()" in an insecure manner, which could be exploited by remote
attackers to execute arbitrary commands by tricking a user into visiting a
specially crafted web page or opening a malicious M3U playlist.

Affected:
VideoLAN VLC version 0.8.6 and prior 

Solution:
A fix is available via SVN:
http://trac.videolan.org/vlc/changeset/18481

References:
http://www.frsirt.com/english/advisories/2007/0026
http://projects.info-pull.com/moab/MOAB-02-01-2007.html

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-486
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)

-- 
   .''`.  
  : :' :    Alex de Oliveira Silva | enerv
  `. `'     www.enerv.net
    `- 


--- End Message ---
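
The bug class named in the report above, a log handler that passes text it received straight to a printf-style logging call, shown next to the corrected form. This is an added example, not VLC's code or the upstream changeset: `msg_dbg`, `log_handler_unsafe`, `log_handler_safe` and `count_directives` are hypothetical names, and it assumes the handler is handed an already-formatted message string.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style logger such as msg_Dbg():
 * its first argument is a format string. Output is kept in last_msg. */
static char last_msg[256];

void msg_dbg(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_msg, sizeof last_msg, fmt, ap);
    va_end(ap);
}

/* BEFORE (the class of bug reported): text the handler did not write is
 * used as the format, so every '%' directive in it is interpreted. */
void log_handler_unsafe(const char *message) { msg_dbg(message); }

/* AFTER: constant format; the untrusted text is only ever data. */
void log_handler_safe(const char *message) { msg_dbg("%s", message); }

/* Audit helper: number of conversion directives a string would trigger
 * if it were (wrongly) used as a format. "%%" is a literal percent. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    const char *sample = "disc 100%% read";  /* constructed input */
    log_handler_unsafe(sample);               /* well-defined: only "%%" */
    printf("unsafe: %s\n", last_msg);         /* text was reinterpreted */
    log_handler_safe(sample);
    printf("safe:   %s\n", last_msg);         /* text logged verbatim */
    printf("directives: %d\n", count_directives("title %s %d"));
    return 0;
}
```

Declaring the logger with GCC/Clang's `__attribute__((format(printf, 1, 2)))` and building with `-Wformat -Wformat-security` makes the compiler flag the `msg_dbg(message)` call.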
--- Begin Message ---
Source: vlc
Source-Version: 0.8.6-svn20061012.debian-2

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6-svn20061012.debian-2_i386.deb
  to pool/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-2_i386.deb
libvlc0_0.8.6-svn20061012.debian-2_i386.deb
  to pool/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-2_i386.deb
mozilla-plugin-vlc_0.8.6-svn20061012.debian-2_i386.deb
  to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6-svn20061012.debian-2_i386.deb
vlc-nox_0.8.6-svn20061012.debian-2_i386.deb
  to pool/main/v/vlc/vlc-nox_0.8.6-svn20061012.debian-2_i386.deb
vlc-plugin-alsa_0.8.6-svn20061012.debian-2_all.deb
  to pool/main/v/vlc/vlc-plugin-alsa_0.8.6-svn20061012.debian-2_all.deb
vlc-plugin-arts_0.8.6-svn20061012.debian-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.8.6-svn20061012.debian-2_i386.deb
vlc-plugin-esd_0.8.6-svn20061012.debian-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.8.6-svn20061012.debian-2_i386.deb
vlc-plugin-ggi_0.8.6-svn20061012.debian-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.8.6-svn20061012.debian-2_i386.deb
vlc-plugin-glide_0.8.6-svn20061012.debian-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-glide_0.8.6-svn20061012.debian-2_i386.deb
vlc-plugin-sdl_0.8.6-svn20061012.debian-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.8.6-svn20061012.debian-2_i386.deb
vlc-plugin-svgalib_0.8.6-svn20061012.debian-2_i386.deb
  to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6-svn20061012.debian-2_i386.deb
vlc_0.8.6-svn20061012.debian-2.diff.gz
  to pool/main/v/vlc/vlc_0.8.6-svn20061012.debian-2.diff.gz
vlc_0.8.6-svn20061012.debian-2.dsc
  to pool/main/v/vlc/vlc_0.8.6-svn20061012.debian-2.dsc
vlc_0.8.6-svn20061012.debian-2_i386.deb
  to pool/main/v/vlc/vlc_0.8.6-svn20061012.debian-2_i386.deb
wxvlc_0.8.6-svn20061012.debian-2_all.deb
  to pool/main/v/vlc/wxvlc_0.8.6-svn20061012.debian-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hocevar (Debian packages) <[EMAIL PROTECTED]> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon,  8 Jan 2007 09:43:07 +0100
Source: vlc
Binary: wxvlc vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-alsa vlc-plugin-glide vlc-plugin-esd mozilla-plugin-vlc vlc libvlc0 vlc-plugin-arts vlc-nox vlc-plugin-svgalib libvlc0-dev
Architecture: source i386 all
Version: 0.8.6-svn20061012.debian-2
Distribution: unstable
Urgency: high
Maintainer: Sam Hocevar (Debian packages) <[EMAIL PROTECTED]>
Changed-By: Sam Hocevar (Debian packages) <[EMAIL PROTECTED]>
Description: 
 libvlc0    - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc        - multimedia player and streamer
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-alsa - dummy transitional package
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-glide - Glide video output plugin for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svgalib - SVGAlib video output plugin for VLC
 wxvlc      - dummy transitional package
Closes: 399713 400720 400720 403022 403022 405425
Changes: 
 vlc (0.8.6-svn20061012.debian-2) unstable; urgency=high
 .
   * Maintainer upload.
   * Acknowledge previous NMUs by Andreas Barth. Thanks.
     (Closes: #405425, #400720, #403022).
 .
   * debian/control:
     + Put back mozilla-plugin-vlc package.
 .
   * debian/rules:
     + Build with mediacontrol bindings, needed for the Mozilla plugin.
 .
   * 020_kfreebsd.diff:
     + New patch courtesy of Petr Salinger. Fix a GNU/kFreeBSD FTBFS
       (Closes: #399713).
 .
   * patch-configure.ac-syntax-0.8.6debian-0.8.6a.diff:
     + Fix "CFAGS" to "CFLAGS" in configure.ac.
 .
   * patch-documentation-0.8.6debian-0.8.6a.diff:
     + Documentation, translation and error messages updates.
 .
   * patch-network-protocols-fixes-0.8.6debian-0.8.6a.diff:
     + Various fixes for the IPv4, IPv6, SAP and HTTP protocols.
 .
   * patch-po-0.8.6debian-0.8.6a.diff:
     + Translation updates.
 .
   * patch-version-information-0.8.6debian-0.8.6a.diff:
     + Set version information to 0.8.6a, even if it's not really our real
       version, to make it clear that the security issues were fixed.
 .
   * patch-mozilla-plugin-0.8.6debian-0.8.6a.diff:
     + Proper fix for the Mozilla plugin (Closes: #400720, #403022).
 .
   * 000_bootstrap.diff:
     + Rebootstrap tarball because of changes to configure.ac.
 .
   * patch-badly-initialised-data-0.8.6debian-0.8.6a.diff:
     + Fix various badly initialised variables in the code.
 .
   * patch-i422-yuy2-crash-0.8.6debian-0.8.6a.diff:
     + Fix a crash in the I422-YUY2 chroma conversion.
 .
   * patch-integer-signedness-0.8.6debian-0.8.6a.diff:
     + Fix integer signedness issues in the variable code.
 .
   * patch-logo-filter-crash-0.8.6debian-0.8.6a.diff:
     + Fix a crash in the logo filter.
 .
   * patch-memory-leaks-0.8.6debian-0.8.6a.diff:
     + Fix various memory leaks.
 .
   * patch-missing-locks-0.8.6debian-0.8.6a.diff:
     + Add missing mutex locks.
 .
   * patch-mjpeg-separator-0.8.6debian-0.8.6a.diff:
     + Fix MJPEG format support.
 .
   * patch-playlist-crash-0.8.6debian-0.8.6a.diff:
     + Fix a crash in the playlist code.
 .
   * patch-private-libcaca-0.8.6debian-0.8.6a.diff:
     + Do not use private libcaca symbols.
 .
   * patch-remove-debug-messages-0.8.6debian-0.8.6a.diff:
     + Disable debug messages and spurious messages to stderr.
 .
   * patch-sanitise-javascript-0.8.6debian-0.8.6a.diff:
     + Fix the javascript string sanitising.
 .
   * patch-sanity-checks-0.8.6debian-0.8.6a.diff:
     + Various sanity checks for untrusted data.
 .
   * patch-sdl-image-priority-0.8.6debian-0.8.6a.diff:
     + Downgraded the sdl-image plugin priority.
 .
   * patch-utf8-0.8.6debian-0.8.6a.diff:
     + Fix Unicode support in GUIs and file access.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFoiJVfPP1rylJn2ERAlYpAKCXW5aVKh5V6dILlKtD8S9gWSmrHgCfaXs3
MfEdVC7bfWfVJ1bvb6AaOm4=
=CuI/
-----END PGP SIGNATURE-----


--- End Message ---
