[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2010-03-24 Thread Artur Rona
** Changed in: vlc (Ubuntu Dapper)
   Status: New => Invalid

-- 
vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors
https://bugs.launchpad.net/bugs/122207
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2010-02-25 Thread Artur Rona
Dapper server support is until June 2011, so it can be fixed.

** Changed in: vlc (Ubuntu Dapper)
   Status: Invalid => New



[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2010-02-24 Thread Saïvann Carignan
Dapper has not been supported since July 2009; therefore I am marking the
Dapper status as Invalid.

** Changed in: vlc (Ubuntu Dapper)
   Status: Confirmed => Invalid



[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2009-06-02 Thread Tiberiu Cristea
Are you serious? This bug has been present in Dapper for such a long
time, yet nobody cares to fix it. How can you call your LTS releases
'enterprise-ready' when these kinds of monstrous vulnerabilities are left
unpatched for years?



[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2009-06-02 Thread Stephan Hermann
@Tiberiu:

VLC is in multiverse/universe pocket...therefore it's not supported by
package definition of Canonical

Only main and restricted are supported...everything else is community
effort...which is demandable.

Feel free to provide debdiffs for the dapper package...we are happy to
review them...

Kind regards,

\sh



[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2008-12-13 Thread LumpyCustard
Feisty also needs to be closed, but I can't close it as 'Won't Fix'. Could
someone please do this?



[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2008-12-13 Thread Scott Kitterman
** Changed in: vlc (Ubuntu Feisty)
   Status: Confirmed => Won't Fix



[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2008-07-07 Thread Jamie Strandboge
Closing Edgy as it is end-of-lifed.

** Changed in: vlc (Ubuntu Edgy)
   Status: Confirmed => Won't Fix



[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2008-06-15 Thread Saïvann Carignan
New vulnerabilities classified as moderately critical by Secunia in VLC
were discovered and fixed in 0.8.6h: http://secunia.com/advisories/30560/
All VLC versions prior to 0.8.6h are subject to this vulnerability.
Perhaps the Ubuntu security team should change the bug title and
consider 0.8.6h for all Ubuntu releases.



[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2008-03-17 Thread hk47
I've subscribed Emanuele Gentili to this bug. Since he's provided
updated packages for VLC just some time ago (see Bug #195949), it would
be great if he could take a look at this one.



[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-11-12 Thread hk47
I'm wondering if it wouldn't be better to just backport the current VLC
to the stable releases' backports repositories if it's not possible to
publish security updates in time. Better to have a leap in versions
than to leave users behind with vulnerable software. But then there
would have to be some kind of announcement that backports not only
contain newer versions of software, but also security-related updates.



[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-11-09 Thread William Grant
** Changed in: vlc
   Status: New => Fix Released

** Bug watch added: Debian Bug tracker #429726
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429726

** Also affects: vlc (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429726
   Importance: Unknown
   Status: Unknown

** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-0017



[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-11-09 Thread William Grant
I'm working on patches for Dapper, Edgy and Feisty, but it's taking a bit of 
digging, because vlc upstream doesn't actually bother to publish patches. 
Thanks vlc upstream.
Here's a Debian bug link for -0256, because LP doesn't like having multiple 
Debian tasks. Thanks LP.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=407290



[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-11-09 Thread William Grant
The documentation on these vulnerabilities is *absolutely shocking*, so
I'm attaching the bits here as I find them.

** Attachment added: Patch for CVE-2007-3316
   http://launchpadlibrarian.net/10317358/CVE-2007-3316.diff



[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-11-09 Thread William Grant
Upstream bug for -0256:
http://trac.videolan.org/vlc/ticket/992



[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-11-09 Thread William Grant
-0256 was backported in commit 18587.

** Attachment added: Patch for CVE-2007-0256
   http://launchpadlibrarian.net/10317805/CVE-2007-0256.diff



[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-11-09 Thread William Grant
-3468 is fixed in upstream commit 20445.

** Attachment added: CVE-2007-3468
   http://launchpadlibrarian.net/10317780/CVE-2007-3468.diff



[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-11-09 Thread William Grant
http://trac.videolan.org/vlc/changeset/20443 looks like it probably
fixes CVE-2007-3467, but I'm really not sure. It is related, within a
day of the notification, and I can't see anything else that might have
fixed it.



[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-11-09 Thread Bug Watch Updater
** Changed in: vlc (Debian)
   Status: Unknown => Fix Released



[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-10-08 Thread hk47
I'm sorry, but I fear deb-packaging is beyond my scope (just not to say 
abilities...) for the time being :-(
So I'll stick to reporting bugs as they come to my knowledge for now.



[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-10-05 Thread hk47
Seems like the fixed packages for dapper got released; I got them
yesterday evening via dapper-security.

Curiously, /usr/share/doc/vlc/changelog.Debian.gz doesn't refer to or even
mention this bug report or its CVE references, so I'm wondering what
got fixed in the new packages...?



[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-10-05 Thread Kees Cook
The vlc dapper released a few days ago (0.8.4.debian-1ubuntu6.1) was
actually an old fix (bug 78610) that had gotten stuck in the security
build queue.  If you're interested in creating debdiffs and testing
fixes for the issues in this report, I'd be happy to apply them and get
them uploaded.  Thanks!



[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-07-15 Thread malebola
** Also affects: vlc (upstream)
   Importance: Undecided
   Status: New



[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-07-11 Thread hk47
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-3467

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-3468



[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-07-10 Thread hk47
Updated packages for Debian Oldstable (Sarge), Stable (Etch) and
Unstable (Sid) have been announced on Debian's security mailing list and
are already available. The corresponding Debian Security Advisory should
soon be available at

http://www.debian.org/security/2007/dsa-1332

(link provides 404 at the time of this writing)

Please provide fixed packages for the stable Ubuntu releases as soon as
possible.



[Bug 122207] Re: vlc before 0.8.6c allows arbitrary code execution via a multitude of vectors

2007-06-25 Thread mlind
fixed in gutsy

vlc (0.8.6.release.c-0ubuntu1) gutsy; urgency=low

  * SECURITY UPDATE: Format string injection in multiple plugins could
    lead to arbitrary code execution and/or DoS.
  * New upstream security and bugfix release, 0.8.6c (LP: #121511).
  * References
    CVE-2007-0256
    CVE-2007-3316
  * debian/patches/: Remove 020_flac.diff and 030_CVE-2007-0017.diff
    (subsumed by new upstream release).
  * debian/vlc-nox.install: Add libtelx_plugin.so (fixes FTBFS).

 -- Daniel T Chen [EMAIL PROTECTED]  Mon, 25 Jun 2007 01:53:37 -0400

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-0017

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-0256

** Changed in: vlc (Ubuntu Gutsy)
   Status: Confirmed => Fix Released
