Your message dated Thu, 11 Jan 2007 22:32:10 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#405425: fixed in vlc 0.8.6-svn20061012.debian-3
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: vlc
Version: 0.8.6-svn20061012.debian-1
Severity: critical
Tags: security
Justification: root security hole
Description:
Multiple vulnerabilities have been identified in VideoLAN VLC, which could be exploited by attackers to take complete control of an affected system. These issues are due to format string errors in the "cdio_log_handler()" and "vcd_log_handler()" functions that call "msg_Dbg()", "msg_Warn()", and "msg_Err()" in an insecure manner, which could be exploited by remote attackers to execute arbitrary commands by tricking a user into visiting a specially crafted web page or opening a malicious M3U playlist.
Affected:
VideoLAN VLC version 0.8.6 and prior
Solution:
A fix is available via SVN:
http://trac.videolan.org/vlc/changeset/18481
References:
http://www.frsirt.com/english/advisories/2007/0026
http://projects.info-pull.com/moab/MOAB-02-01-2007.html
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-486
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
--
.''`.
: :' : Alex de Oliveira Silva | enerv
`. `' www.enerv.net
`-
--- End Message ---
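The defect class the report describes, as an added illustration that is not VLC's or the advisory's own code: a libcdio-style log callback that hands the library's message to a printf-style sink as its format string, beside the corrected form. The `msg_Dbg` stand-in, `last_log()` and `handler_interprets_format()` are assumptions of this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for VLC's msg_Dbg()/msg_Warn()/msg_Err(): a printf-style sink that
   keeps the last formatted line so the two handlers can be compared.
   (Assumed for this example; not VLC's implementation.) */
static char log_buf[256];

static void msg_Dbg(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(log_buf, sizeof log_buf, fmt, ap);
    va_end(ap);
}

const char *last_log(void) { return log_buf; }

/* Vulnerable pattern: the callback passes the library's message, which can
   carry text taken from the media being played, straight to the sink as the
   format string, so any '%' directive in it is interpreted by vsnprintf. */
void cdio_log_handler_vulnerable(const char *message)
{
    msg_Dbg(message);
}

/* Hardened pattern (the shape of the fix): a literal format string, with the
   untrusted message passed as an ordinary argument and printed verbatim. */
void cdio_log_handler_fixed(const char *message)
{
    msg_Dbg("%s", message);
}

/* Check: does a handler interpret '%' sequences in its input? "%%" is the one
   directive that consumes no argument, so it is safe to feed to either handler;
   a handler that treats the message as a format collapses it to a single '%'. */
int handler_interprets_format(void (*handler)(const char *))
{
    handler("100%% complete");
    return strcmp(last_log(), "100%% complete") != 0;
}
```

Declaring the sink with `__attribute__((format(printf, 1, 2)))` lets GCC's and clang's `-Wformat-security` flag the vulnerable call at compile time, which is the cheapest way to catch this pattern across a code base.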
--- Begin Message ---
Source: vlc
Source-Version: 0.8.6-svn20061012.debian-3
We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:
libvlc0-dev_0.8.6-svn20061012.debian-3_i386.deb
to pool/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-3_i386.deb
libvlc0_0.8.6-svn20061012.debian-3_i386.deb
to pool/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-3_i386.deb
mozilla-plugin-vlc_0.8.6-svn20061012.debian-3_i386.deb
to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6-svn20061012.debian-3_i386.deb
vlc-nox_0.8.6-svn20061012.debian-3_i386.deb
to pool/main/v/vlc/vlc-nox_0.8.6-svn20061012.debian-3_i386.deb
vlc-plugin-alsa_0.8.6-svn20061012.debian-3_all.deb
to pool/main/v/vlc/vlc-plugin-alsa_0.8.6-svn20061012.debian-3_all.deb
vlc-plugin-arts_0.8.6-svn20061012.debian-3_i386.deb
to pool/main/v/vlc/vlc-plugin-arts_0.8.6-svn20061012.debian-3_i386.deb
vlc-plugin-esd_0.8.6-svn20061012.debian-3_i386.deb
to pool/main/v/vlc/vlc-plugin-esd_0.8.6-svn20061012.debian-3_i386.deb
vlc-plugin-ggi_0.8.6-svn20061012.debian-3_i386.deb
to pool/main/v/vlc/vlc-plugin-ggi_0.8.6-svn20061012.debian-3_i386.deb
vlc-plugin-glide_0.8.6-svn20061012.debian-3_i386.deb
to pool/main/v/vlc/vlc-plugin-glide_0.8.6-svn20061012.debian-3_i386.deb
vlc-plugin-sdl_0.8.6-svn20061012.debian-3_i386.deb
to pool/main/v/vlc/vlc-plugin-sdl_0.8.6-svn20061012.debian-3_i386.deb
vlc-plugin-svgalib_0.8.6-svn20061012.debian-3_i386.deb
to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6-svn20061012.debian-3_i386.deb
vlc_0.8.6-svn20061012.debian-3.diff.gz
to pool/main/v/vlc/vlc_0.8.6-svn20061012.debian-3.diff.gz
vlc_0.8.6-svn20061012.debian-3.dsc
to pool/main/v/vlc/vlc_0.8.6-svn20061012.debian-3.dsc
vlc_0.8.6-svn20061012.debian-3_i386.deb
to pool/main/v/vlc/vlc_0.8.6-svn20061012.debian-3_i386.deb
wxvlc_0.8.6-svn20061012.debian-3_all.deb
to pool/main/v/vlc/wxvlc_0.8.6-svn20061012.debian-3_all.deb
A summary of the changes between this version and the previous one is attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sam Hocevar (Debian packages) <[EMAIL PROTECTED]> (supplier of updated vlc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 8 Jan 2007 09:43:07 +0100
Source: vlc
Binary: wxvlc vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-alsa vlc-plugin-glide
vlc-plugin-esd mozilla-plugin-vlc vlc libvlc0 vlc-plugin-arts vlc-nox
vlc-plugin-svgalib libvlc0-dev
Architecture: source i386 all
Version: 0.8.6-svn20061012.debian-3
Distribution: testing-proposed-updates
Urgency: high
Maintainer: Sam Hocevar (Debian packages) <[EMAIL PROTECTED]>
Changed-By: Sam Hocevar (Debian packages) <[EMAIL PROTECTED]>
Description:
libvlc0 - multimedia player and streamer library
libvlc0-dev - development files for VLC
mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
vlc - multimedia player and streamer
vlc-nox - multimedia player and streamer (without X support)
vlc-plugin-alsa - dummy transitional package
vlc-plugin-arts - aRts audio output plugin for VLC
vlc-plugin-esd - Esound audio output plugin for VLC
vlc-plugin-ggi - GGI video output plugin for VLC
vlc-plugin-glide - Glide video output plugin for VLC
vlc-plugin-sdl - SDL video and audio output plugin for VLC
vlc-plugin-svgalib - SVGAlib video output plugin for VLC
wxvlc - dummy transitional package
Closes: 399713 400720 403022 405425
Changes:
vlc (0.8.6-svn20061012.debian-3) testing-proposed-updates; urgency=high
.
* patch-version-information-0.8.6debian-0.8.6a.diff:
+ Set version information to 0.8.6a, even if it's not really our real
version, to make it clear that the security issues were fixed.
.
* MOAB-02-01-2007-CVE-2007-0017.patch:
+ Fix CVE-2007-0017, "format string vulnerability" (Closes: #405425).
.
* 020_kfreebsd.diff:
+ New patch courtesy of Petr Salinger. Fix a GNU/kFreeBSD FTBFS
(Closes: #399713).
.
* patch-documentation-0.8.6debian-0.8.6a.diff:
+ Documentation, translation and error messages updates.
.
* patch-po-0.8.6debian-0.8.6a.diff:
+ Translation updates.
.
* patch-mozilla-plugin-0.8.6debian-0.8.6a.diff:
+ Proper fix for the Mozilla plugin (Closes: #400720, #403022).
* debian/rules:
+ Build with mediacontrol bindings, needed for the Mozilla plugin.
.
* patch-badly-initialised-data-0.8.6debian-0.8.6a.diff:
+ Fix various badly initialised variables in the code.
.
* patch-i422-yuy2-crash-0.8.6debian-0.8.6a.diff:
+ Fix a crash in the I422-YUY2 chroma conversion.
.
* patch-integer-signedness-0.8.6debian-0.8.6a.diff:
+ Fix integer signedness issues in the variable code.
.
* patch-logo-filter-crash-0.8.6debian-0.8.6a.diff:
+ Fix a crash in the logo filter.
.
* patch-memory-leaks-0.8.6debian-0.8.6a.diff:
+ Fix various memory leaks.
.
* patch-missing-locks-0.8.6debian-0.8.6a.diff:
+ Add missing mutex locks.
.
* patch-playlist-crash-0.8.6debian-0.8.6a.diff:
+ Fix a crash in the playlist code.
.
* patch-sanitise-javascript-0.8.6debian-0.8.6a.diff:
+ Fix the javascript string sanitising.
.
* patch-sanity-checks-0.8.6debian-0.8.6a.diff:
+ Various sanity checks for untrusted data.
Files:
d7bc8c86c91cbffc5d2c1beb5bb27855 2493 graphics optional vlc_0.8.6-svn20061012.debian-3.dsc
87f20adfd0e54e4b8260ae7e3af1e2f8 2403880 graphics optional vlc_0.8.6-svn20061012.debian-3.diff.gz
54c9885fb9ed67557db634bf42f519ed 778 graphics optional vlc-plugin-alsa_0.8.6-svn20061012.debian-3_all.deb
b6f9c9b5491c7e2bbf18f45b96dbcf84 770 graphics optional wxvlc_0.8.6-svn20061012.debian-3_all.deb
2f9afee417eee1e8832b5242b8e06544 1141126 graphics optional vlc_0.8.6-svn20061012.debian-3_i386.deb
80650ce4cc7107533239dd6e32efeed3 4657576 net optional vlc-nox_0.8.6-svn20061012.debian-3_i386.deb
67681a9e308e5c57f1f1bd8b7d056c49 958228 libs optional libvlc0_0.8.6-svn20061012.debian-3_i386.deb
eea1b583c240155156eee1029b3da9a5 20126 libdevel optional libvlc0-dev_0.8.6-svn20061012.debian-3_i386.deb
768509bed47e677acdaaec62c8a553df 4814 graphics optional vlc-plugin-esd_0.8.6-svn20061012.debian-3_i386.deb
2eece62f0260eb12f568ab11f9a5bbb0 10734 graphics optional vlc-plugin-sdl_0.8.6-svn20061012.debian-3_i386.deb
209ddb639267693d534eee5bacb3dd88 5834 graphics optional vlc-plugin-ggi_0.8.6-svn20061012.debian-3_i386.deb
fd68aad308847d3190a2f7dbe388e003 4126 graphics optional vlc-plugin-glide_0.8.6-svn20061012.debian-3_i386.deb
f512aaa8f3ae8b100ef4d27979df89b5 4098 graphics optional vlc-plugin-arts_0.8.6-svn20061012.debian-3_i386.deb
c516c29db56a44ddfb36f770224d7116 36180 graphics optional mozilla-plugin-vlc_0.8.6-svn20061012.debian-3_i386.deb
735e702891ecaf6f1caf79b0c6a3b1bb 4528 graphics optional vlc-plugin-svgalib_0.8.6-svn20061012.debian-3_i386.deb
--- End Message ---