Your message dated Wed, 05 Nov 2008 22:32:18 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#503118: fixed in vlc 0.8.6.h-4+lenny1
has caused the Debian Bug report #503118,
regarding vlc: CVE-2008-4686 integer overflow in ty parsing
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
503118: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503118
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: vlc-nox
Version: 0.8.6.h-4
Severity: grave
File: libty_plugin
Tags: security
Justification: user security hole
VLC versions 0.8.2 through 0.9.4 are prone to an exploitable
stack-based buffer overflow in the TY (TiVo) file parser.
See also http://www.videolan.org/security/sa0809.html
N.B.: please give me the CVE ID if you allocate one.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (100, 'unstable'), (100, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.27 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages vlc-nox depends on:
ii liba52-0.7.4 0.7.4-11 library for decoding ATSC A/52 str
ii libasound2 1.0.16-2 ALSA library
ii libavahi-client3 0.6.23-2 Avahi client library
ii libavahi-common3 0.6.23-2 Avahi common library
ii libavc1394-0 0.5.3-1+b1 control IEEE 1394 audio/video devi
ii libavcodec51 0.svn20080206-14 ffmpeg codec library
ii libavformat52 0.svn20080206-14 ffmpeg file format library
ii libavutil49 0.svn20080206-14 ffmpeg utility library
ii libc6 2.7-15 GNU C Library: Shared libraries
ii libcdio7 0.78.2+dfsg1-3 library to read and control CD-ROM
ii libdbus-1-3 1.2.1-3 simple interprocess messaging syst
ii libdvbpsi4 0.1.5-3.1 library for MPEG TS and DVB PSI ta
ii libdvdnav4 4.1.2-3 DVD navigation library
ii libdvdread3 0.9.7-11 library for reading DVDs
ii libebml0 0.7.7-3.1 access library for the EBML format
ii libfaad0 2.6.1-3.1 freeware Advanced Audio Decoder -
ii libflac8 1.2.1-1.2 Free Lossless Audio Codec - runtim
ii libfreetype6 2.3.7-2 FreeType 2 font engine, shared lib
ii libfribidi0 0.10.9-1 Free Implementation of the Unicode
ii libgcc1 1:4.3.2-1 GCC support library
ii libgcrypt11 1.4.1-1 LGPL Crypto library - runtime libr
ii libgnutls26 2.4.2-1 the GNU TLS library - runtime libr
ii libhal1 0.5.11-5 Hardware Abstraction Layer - share
ii libid3tag0 0.15.1b-10 ID3 tag reading library from the M
ii libiso9660-5 0.78.2+dfsg1-3 library to work with ISO9660 files
ii liblircclient0 0.8.3-3 infra-red remote control support -
ii libmad0 0.15.1b-3 MPEG audio decoder library
ii libmatroska0 0.8.1-1.1 extensible open standard audio/vid
ii libmodplug0c2 1:0.8.4-2 shared libraries for mod music bas
ii libmpcdec3 1.2.2-1 Musepack (MPC) format library
ii libmpeg2-4 0.4.1-3 MPEG1 and MPEG2 video decoder libr
ii libncurses5 5.6+20081011-1 shared libraries for terminal hand
ii libogg0 1.1.3-4 Ogg Bitstream Library
ii libpng12-0 1.2.27-2 PNG library - runtime
ii libpostproc51 0.svn20080206-14 ffmpeg video postprocessing librar
ii libraw1394-8 1.3.0-4 library for direct access to IEEE
ii libsmbclient 2:3.2.3-3 shared library that allows applica
ii libspeex1 1.2~rc1-1 The Speex codec runtime library
ii libstdc++6 4.3.2-1 The GNU Standard C++ Library v3
ii libsysfs2 2.1.0-5 interface library to sysfs
ii libtheora0 1.0~beta3-1 The Theora Video Compression Codec
ii libtwolame0 0.3.12-1 MPEG Audio Layer 2 encoding librar
ii libvcdinfo0 0.7.23-4 library to extract information fro
ii libvlc0 0.8.6.h-4 multimedia player and streamer lib
ii libvorbis0a 1.2.0.dfsg-3.1 The Vorbis General Audio Compressi
ii libvorbisenc2 1.2.0.dfsg-3.1 The Vorbis General Audio Compressi
ii libxml2 2.6.32.dfsg-4 GNOME XML library
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
vlc-nox recommends no packages.
vlc-nox suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: vlc
Source-Version: 0.8.6.h-4+lenny1
We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:
libvlc0-dev_0.8.6.h-4+lenny1_amd64.deb
to pool/main/v/vlc/libvlc0-dev_0.8.6.h-4+lenny1_amd64.deb
libvlc0_0.8.6.h-4+lenny1_amd64.deb
to pool/main/v/vlc/libvlc0_0.8.6.h-4+lenny1_amd64.deb
mozilla-plugin-vlc_0.8.6.h-4+lenny1_amd64.deb
to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.h-4+lenny1_amd64.deb
vlc-nox_0.8.6.h-4+lenny1_amd64.deb
to pool/main/v/vlc/vlc-nox_0.8.6.h-4+lenny1_amd64.deb
vlc-plugin-arts_0.8.6.h-4+lenny1_amd64.deb
to pool/main/v/vlc/vlc-plugin-arts_0.8.6.h-4+lenny1_amd64.deb
vlc-plugin-esd_0.8.6.h-4+lenny1_amd64.deb
to pool/main/v/vlc/vlc-plugin-esd_0.8.6.h-4+lenny1_amd64.deb
vlc-plugin-ggi_0.8.6.h-4+lenny1_amd64.deb
to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.h-4+lenny1_amd64.deb
vlc-plugin-jack_0.8.6.h-4+lenny1_amd64.deb
to pool/main/v/vlc/vlc-plugin-jack_0.8.6.h-4+lenny1_amd64.deb
vlc-plugin-sdl_0.8.6.h-4+lenny1_amd64.deb
to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.h-4+lenny1_amd64.deb
vlc-plugin-svgalib_0.8.6.h-4+lenny1_amd64.deb
to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.h-4+lenny1_amd64.deb
vlc_0.8.6.h-4+lenny1.diff.gz
to pool/main/v/vlc/vlc_0.8.6.h-4+lenny1.diff.gz
vlc_0.8.6.h-4+lenny1.dsc
to pool/main/v/vlc/vlc_0.8.6.h-4+lenny1.dsc
vlc_0.8.6.h-4+lenny1_amd64.deb
to pool/main/v/vlc/vlc_0.8.6.h-4+lenny1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated vlc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 03 Nov 2008 14:41:58 +0100
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-sdl
vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts mozilla-plugin-vlc
vlc-plugin-svgalib vlc-plugin-jack
Architecture: source amd64
Version: 0.8.6.h-4+lenny1
Distribution: testing-security
Urgency: high
Maintainer: Debian multimedia packages maintainers <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description:
libvlc0 - multimedia player and streamer library
libvlc0-dev - development files for VLC
mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
vlc - multimedia player and streamer
vlc-nox - multimedia player and streamer (without X support)
vlc-plugin-arts - aRts audio output plugin for VLC
vlc-plugin-esd - Esound audio output plugin for VLC
vlc-plugin-ggi - GGI video output plugin for VLC
vlc-plugin-glide - Glide video output plugin for VLC
vlc-plugin-jack - Jack audio plugins for VLC
vlc-plugin-sdl - SDL video and audio output plugin for VLC
vlc-plugin-svgalib - SVGAlib video output plugin for VLC
Closes: 503118
Changes:
vlc (0.8.6.h-4+lenny1) testing-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix integer overflows that could possibly lead to arbitrary
code execution (CVE-2008-4686.diff; Closes: #503118).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkkR73AACgkQHYflSXNkfP8+hgCfYYfWgmGbxSlq0pX6F4Q2JuIT
otAAn0Tyyq2+K/1+ttKyaxetl0h2Ombm
=TVYu
-----END PGP SIGNATURE-----
--- End Message ---