Your message dated Mon, 13 Jun 2016 22:17:26 +0000
with message-id <[email protected]>
and subject line Bug#825728: fixed in vlc 2.2.4-1~deb8u1
has caused the Debian Bug report #825728,
regarding vlc: CVE-2016-5108
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
825728: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825728
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: vlc
Version: 2.2.3-1
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for vlc.

CVE-2016-5108[0]:
crash and potential code execution when processing QuickTime IMA files

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-5108
[1] http://www.openwall.com/lists/oss-security/2016/05/27/3
[2] https://git.videolan.org/?p=vlc.git;a=commit;h=458ed62bbeb9d1bddf7b8df104e14936408a3db9

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: vlc
Source-Version: 2.2.4-1~deb8u1

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <[email protected]> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 05 Jun 2016 17:39:38 +0200
Source: vlc
Binary: libvlc-dev libvlc5 libvlccore-dev libvlccore8 vlc vlc-data vlc-dbg
 vlc-nox vlc-plugin-fluidsynth vlc-plugin-jack vlc-plugin-notify vlc-plugin-sdl
 vlc-plugin-svg vlc-plugin-zvbi vlc-plugin-samba vlc-plugin-pulse
Architecture: source amd64 all
Version: 2.2.4-1~deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Debian Multimedia Maintainers <[email protected]>
Changed-By: Sebastian Ramacher <[email protected]>
Description:
 libvlc-dev - development files for libvlc
 libvlc5    - multimedia player and streamer library
 libvlccore-dev - development files for libvlccore
 libvlccore8 - base library for VLC and its modules
 vlc        - multimedia player and streamer
 vlc-data   - Common data for VLC
 vlc-dbg    - debugging symbols for vlc
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-fluidsynth - FluidSynth plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-notify - LibNotify plugin for VLC
 vlc-plugin-pulse - transitional dummy package for vlc
 vlc-plugin-samba - Samba plugin for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svg - SVG plugin for VLC
 vlc-plugin-zvbi - VBI teletext plugin for VLC
Closes: 782229 784640 801448 825728
Changes:
 vlc (2.2.4-1~deb8u1) jessie-security; urgency=medium
 .
   * New upstream release.
     - quicktime: Reject invalid IMA files (CVE-2016-5108). (Closes: #825728)
     - pulse: Compute latency correctly if negative, fixing missing audio on
       high network latency. (Closes: #784640)
     - alsa: Fix audio device selection. (Closes: #801448)
     - hls: Fix hang on stop, crashes and stack overflow.
     - mkv: Fix infinite loop.
     - vpx: Fix crash.
     - mxf: Fix crash on stop.
     - adpcm: Fix double-free.
     - zvbi: Fix crash.
     - skins2: Fix crash on malformed skin bitmaps.
     - swscale: Fix crashes in swscale resizing.
     - mp4: Fix divide-by-zero crash in mux.
     - rtsp: Fix off-by-one buffer overflow.
     - mms: Fix segmentation fault on large allocation, fix overflows.
     - lua: Fix use-after-free.
     - httplive: Fix stack overflow.
     - avformat: Fix heap overflow, NULL dereference and double-free.
     - avcodec: Fix invalid free.
     - sdp: Fix read overflow.
     - vcd: Fix double-free.
     - aout: Fix use-after-free.
     - vout: Fix use-after-free.
     - realrtsp: Fix off-by-one and various crashes.
     - Fix various memory leaks.
     - Fix links to French TV icons. (Closes: #782229)
   * debian/patches/CVE-2015-5949.patch: Removed, included upstream.
   * debian/copyright: Update copyright years.
   * debian/libvlc5.symbols: Bump version of libvlc_event_type_name for new
     event names.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
