Your message dated Fri, 16 May 2008 15:47:18 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#480724: fixed in vlc 0.8.6.e-2.2
has caused the Debian Bug report #480724,
regarding vlc: CVE-2008-2147 untrusted search path vulnerability for module library
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
480724: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480724
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: vlc
Severity: grave
Tags: security patch

Hi,
vlc is vulnerable to a local privilege escalation[0]:
| At startup, VLC recursively scans the modules/ and plugins/ subdirectories from
| the current working directory, and tries to execute the vlc_entry__0_8_6 (or
| another in other VLC versions) symbol from any file matching the
| "lib*_plugin.so" pattern.

An attacker could use this to execute code by providing a crafted library file.

Patch: 
http://git.videolan.org/?p=vlc.git;a=commit;h=c7cef4fdd8dd72ce0a45be3cda8ba98df5e83181

This issue doesn't have a CVE id yet; I already requested one and will update
this bug report if I get it.

Make sure to use it on your changelog then if you close the bug.

[0] https://trac.videolan.org/vlc/ticket/1578

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpu1cdL2tOHc.pgp
Description: PGP signature


--- End Message ---
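The report above describes a classic untrusted search path: the loader walks "modules/" and "plugins/" relative to whatever the current working directory happens to be, so any file there whose name matches "lib*_plugin.so" gets its entry symbol executed. The defensive shape of the fix is to load plugins only from an absolute, build-time-configured directory and to reject anything else before dlopen() is ever called. The following C check is an added example written for this page; it is not VLC's code and not the linked commit. The root "/usr/lib/vlc/modules" and the function names are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical trusted plugin root. A real build sets this from the
 * install prefix at configure time; it is never derived from the CWD. */
#define TRUSTED_PLUGIN_ROOT "/usr/lib/vlc/modules"

/* Does the final path component look like "lib*_plugin.so"? */
static bool has_plugin_name(const char *path)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    const char *suffix = "_plugin.so";
    size_t n = strlen(base), sl = strlen(suffix);
    if (n < 3 + sl + 1)                     /* "lib" + at least one char + suffix */
        return false;
    if (strncmp(base, "lib", 3) != 0)
        return false;
    return strcmp(base + n - sl, suffix) == 0;
}

/* Reject any "." or ".." component so a path that starts with the
 * trusted prefix cannot climb back out of it. */
static bool has_dot_component(const char *path)
{
    const char *p = path;
    while (*p) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if ((len == 1 && p[0] == '.') ||
            (len == 2 && p[0] == '.' && p[1] == '.'))
            return true;
        if (!slash)
            break;
        p = slash + 1;
    }
    return false;
}

/* A candidate may be loaded only if it is an absolute path lexically
 * inside trusted_root and its file name matches the plugin pattern.
 * Relative candidates such as "modules/libfoo_plugin.so" are refused
 * no matter what the current working directory is. */
bool plugin_path_is_trusted(const char *path, const char *trusted_root)
{
    if (!path || !trusted_root || path[0] != '/' || trusted_root[0] != '/')
        return false;
    if (has_dot_component(path))
        return false;
    size_t rl = strlen(trusted_root);
    while (rl > 1 && trusted_root[rl - 1] == '/')   /* tolerate a trailing slash */
        rl--;
    if (strncmp(path, trusted_root, rl) != 0 || path[rl] != '/')
        return false;
    return has_plugin_name(path);
}

int main(void)
{
    /* Constructed sample candidates, the kind a loader might enumerate. */
    const char *candidates[] = {
        "/usr/lib/vlc/modules/libfoo_plugin.so",            /* accepted  */
        "modules/libfoo_plugin.so",                         /* CWD-relative: refused */
        "/usr/lib/vlc/modules/../../../tmp/libfoo_plugin.so", /* traversal: refused */
        "/usr/lib/vlc/modules/evil.so",                     /* wrong name: refused */
    };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        printf("%-56s %s\n", candidates[i],
               plugin_path_is_trusted(candidates[i], TRUSTED_PLUGIN_ROOT)
                   ? "load" : "refuse");
    return 0;
}
```

The check is deliberately lexical rather than based on realpath(): it never touches the filesystem, so it cannot be steered by symlinks placed in a writable directory, and the decision does not change with the process's CWD. Subdirectories under the trusted root are still accepted, which matches a recursive module tree, while anything outside that root is refused before any code from the file can run.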
--- Begin Message ---
Source: vlc
Source-Version: 0.8.6.e-2.2

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/libvlc0-dev_0.8.6.e-2.2_amd64.deb
libvlc0_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/libvlc0_0.8.6.e-2.2_amd64.deb
mozilla-plugin-vlc_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.e-2.2_amd64.deb
vlc-nox_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/vlc-nox_0.8.6.e-2.2_amd64.deb
vlc-plugin-alsa_0.8.6.e-2.2_all.deb
  to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.e-2.2_all.deb
vlc-plugin-arts_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.8.6.e-2.2_amd64.deb
vlc-plugin-esd_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.8.6.e-2.2_amd64.deb
vlc-plugin-ggi_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.e-2.2_amd64.deb
vlc-plugin-jack_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-jack_0.8.6.e-2.2_amd64.deb
vlc-plugin-sdl_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.e-2.2_amd64.deb
vlc-plugin-svgalib_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.e-2.2_amd64.deb
vlc_0.8.6.e-2.2.diff.gz
  to pool/main/v/vlc/vlc_0.8.6.e-2.2.diff.gz
vlc_0.8.6.e-2.2.dsc
  to pool/main/v/vlc/vlc_0.8.6.e-2.2.dsc
vlc_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/vlc_0.8.6.e-2.2_amd64.deb
wxvlc_0.8.6.e-2.2_all.deb
  to pool/main/v/vlc/wxvlc_0.8.6.e-2.2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 16 May 2008 16:18:04 +0200
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-alsa vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts mozilla-plugin-vlc vlc-plugin-svgalib wxvlc vlc-plugin-jack
Architecture: source all amd64
Version: 0.8.6.e-2.2
Distribution: unstable
Urgency: high
Maintainer: Debian multimedia packages maintainers <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description: 
 libvlc0    - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc        - multimedia player and streamer
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-alsa - dummy transitional package
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-glide - Glide video output plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svgalib - SVGAlib video output plugin for VLC
 wxvlc      - dummy transitional package
Closes: 477734 478971 480370 480724 481417
Changes: 
 vlc (0.8.6.e-2.2) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix regression introduced by latest security upload which
     did not properly define FREENULL (Closes: #478971,#481417,#477734).
   * Fix untrusted search path vulnerability by not loading libraries
     from plugins and modules directories in the current working
     directory (CVE-2008-2147; Closes: #480724).
   * Fix arbitrary file overwriting via a crafted playlist or an EXTLVLCOPT
     statement in an mp3 file by partially disabling this functionality
     for the browser plugin (CVE-2007-6683; Closes: #480370).
Checksums-Sha1: 
 678b75baa6225c7e7955306e1d697e2fb985a997 3081 vlc_0.8.6.e-2.2.dsc
 ee53a998c1d4ce7604fb14ccf1c12591d23c5413 40817 vlc_0.8.6.e-2.2.diff.gz
 e6cb8191d4e3d136974b29c6d2c936d0de57c629 798 vlc-plugin-alsa_0.8.6.e-2.2_all.deb
 832dba48bddafb5808959c0aaab7efdb9d0bce3c 794 wxvlc_0.8.6.e-2.2_all.deb
 d3d247fb28bf2d8d126c816d6e5976a17f3b11a3 1166094 vlc_0.8.6.e-2.2_amd64.deb
 555ca4e1256bc9e0da1c9e59f608379ea12872e4 4795776 vlc-nox_0.8.6.e-2.2_amd64.deb
 8b761e20d03edaff334cebe2e269bed70ad76cdc 469142 libvlc0_0.8.6.e-2.2_amd64.deb
 e29445077fd66bd185564e4d174a47cdf0911d14 505374 libvlc0-dev_0.8.6.e-2.2_amd64.deb
 f0175001303f22a69201fb27dcc3880a64634fe5 4530 vlc-plugin-esd_0.8.6.e-2.2_amd64.deb
 d11cf11ca73870f3963b3d3122c9ba3b5f22e0d6 11652 vlc-plugin-sdl_0.8.6.e-2.2_amd64.deb
 8bb0d48aa75adc84f40004ed0ce03495c1ed1dcf 6222 vlc-plugin-ggi_0.8.6.e-2.2_amd64.deb
 0ab8da9ce7fb804930a6564baad885b3a8d4e17f 4184 vlc-plugin-arts_0.8.6.e-2.2_amd64.deb
 34dd8b61212eec372d0506a708fe2307dfd15fc7 38720 mozilla-plugin-vlc_0.8.6.e-2.2_amd64.deb
 745b588c9436a72e34dff3ad304b62c2f94d4578 4810 vlc-plugin-svgalib_0.8.6.e-2.2_amd64.deb
 d3b6a7cf6394c2971c4d8c1c701ed65ff66c54fc 4880 vlc-plugin-jack_0.8.6.e-2.2_amd64.deb
Checksums-Sha256: 
 308a218eecff8281eb1f2719436b04bc0554109cf63a1f412042dad4fa0941ed 3081 vlc_0.8.6.e-2.2.dsc
 1e52a970cff16f4f93f3c758a80f09f6747fed18641e4553ebbe65764257d317 40817 vlc_0.8.6.e-2.2.diff.gz
 4e92bef1512e01af911b90ee9a3e654416d190eca5b58c4de2776e45246807f4 798 vlc-plugin-alsa_0.8.6.e-2.2_all.deb
 e3bf4343eeed3e456868ac34fdb6b6a435094176aa30f9118eb1563ff031fb44 794 wxvlc_0.8.6.e-2.2_all.deb
 9f3427068c094e648b9d62b2c85d2fc027c1303f5c7e90435ede6c2d899faf91 1166094 vlc_0.8.6.e-2.2_amd64.deb
 a39aff9d4fe5e879d3223644e24f9bcad1b15b8e1c1379e27f06db37a9372a61 4795776 vlc-nox_0.8.6.e-2.2_amd64.deb
 060a8cb31d2eb82e2074ba4eb25135a7183efd4dd93b7406469abf2f3e6dcdd8 469142 libvlc0_0.8.6.e-2.2_amd64.deb
 f51826bafdbcd873829a0a991f2db922792f80c1ce1467566f229d888f317c1a 505374 libvlc0-dev_0.8.6.e-2.2_amd64.deb
 71bd2ab60dee995d11c5fffc4abd5667fc0e3a4ec3250c8f73387b7beb2c7342 4530 vlc-plugin-esd_0.8.6.e-2.2_amd64.deb
 a2e8acf655e7226a4ea8366b792adb259884205fd21cb337beb9018fe9d9d7cd 11652 vlc-plugin-sdl_0.8.6.e-2.2_amd64.deb
 f64fd84483e8721691c4d02fd46fd75301cb2c7b8eb27255455998519bafa70c 6222 vlc-plugin-ggi_0.8.6.e-2.2_amd64.deb
 1e10ebaccc7a849128f9e5b4577372ef5b906296f8fa66fca1fea23be1388a4f 4184 vlc-plugin-arts_0.8.6.e-2.2_amd64.deb
 a9927923dc9e57bba2c33ae171125083f52ef563b080a75d3bfd3c197926018c 38720 mozilla-plugin-vlc_0.8.6.e-2.2_amd64.deb
 6e9a78f790738f41dab0b1037963eec6fa8c0215499cf055cc83a90fe7993867 4810 vlc-plugin-svgalib_0.8.6.e-2.2_amd64.deb
 df5e4ad25ff1bea6244ab8802776aa427c3f87da7f0539fcb2c7d33bfb900c73 4880 vlc-plugin-jack_0.8.6.e-2.2_amd64.deb
Files: 
 08a6b32ab77adc28e6be41b61f863b02 3081 graphics optional vlc_0.8.6.e-2.2.dsc
 ab63042a199c798b61459d1a50d562de 40817 graphics optional vlc_0.8.6.e-2.2.diff.gz
 b6266035097a55e8a720505805cf96c5 798 graphics optional vlc-plugin-alsa_0.8.6.e-2.2_all.deb
 e680c2370261592e74e978e5e1a1dcd3 794 graphics optional wxvlc_0.8.6.e-2.2_all.deb
 01014f83b428ff6ace46311503a053ef 1166094 graphics optional vlc_0.8.6.e-2.2_amd64.deb
 8b4b0bb8215e4a24ff122afdc5b11eae 4795776 net optional vlc-nox_0.8.6.e-2.2_amd64.deb
 739bd77b9285f35c824e73d6ff207bd2 469142 libs optional libvlc0_0.8.6.e-2.2_amd64.deb
 77772c70f9d1e6286ea5b099598414f2 505374 libdevel optional libvlc0-dev_0.8.6.e-2.2_amd64.deb
 7a8b8b115dfe8d33fce8f75dfacde340 4530 graphics optional vlc-plugin-esd_0.8.6.e-2.2_amd64.deb
 03c6506e4ca5048ab538ed148c9bf87b 11652 graphics optional vlc-plugin-sdl_0.8.6.e-2.2_amd64.deb
 033c342f69010782d6b11baa4a0b0d36 6222 graphics optional vlc-plugin-ggi_0.8.6.e-2.2_amd64.deb
 387bfb005ea1e46ff5ef2d6f375abb40 4184 graphics optional vlc-plugin-arts_0.8.6.e-2.2_amd64.deb
 9613ea721e033593e655a45677579c66 38720 graphics optional mozilla-plugin-vlc_0.8.6.e-2.2_amd64.deb
 827fecdd8886423c70f4b4f2e76c2e95 4810 graphics optional vlc-plugin-svgalib_0.8.6.e-2.2_amd64.deb
 fa29b2eea0858c51ab56c40dd4af7d80 4880 graphics optional vlc-plugin-jack_0.8.6.e-2.2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFILarfHYflSXNkfP8RAte3AJwO5w4Kf66lLPRrXQddHfTLC05C0ACeIr1L
NVHtv1geDHDgsU5Y1poAZYQ=
=XPc+
-----END PGP SIGNATURE-----



--- End Message ---