Your message dated Fri, 16 May 2008 15:47:18 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#480724: fixed in vlc 0.8.6.e-2.2
has caused the Debian Bug report #480724,
regarding vlc: CVE-2008-2147 untrusted search path vulnerability for module library
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.)

-- 
480724: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480724
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: vlc
Severity: grave
Tags: security patch

Hi,
vlc is vulnerable to a local privilege escalation[0]:

| At startup, VLC recursively scans the modules/ and plugins/ subdirectories from
| the current working directory, and tries to execute the vlc_entry__0_8_6 (or
| another in other VLC versions) symbol from any file matching the
| "lib*_plugin.so" pattern. An attacker could use this to execute code by
| providing a crafted library file.

Patch: http://git.videolan.org/?p=vlc.git;a=commit;h=c7cef4fdd8dd72ce0a45be3cda8ba98df5e83181

This issue doesn't have a CVE id yet; I have already requested one and will
update this bug report once I get it. Make sure to use it in your changelog
then if you close the bug.

[0] https://trac.videolan.org/vlc/ticket/1578

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
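The policy the referenced patch enforces, shown as an added C example that is neither VLC's code nor part of the bug report: a plugin loader that only scans absolute, non-".." directories, so CWD-relative entries such as modules/ and plugins/ are never consulted, plus a name filter for the "lib*_plugin.so" pattern the report quotes. The function names (is_trusted_plugin_dir, filter_plugin_dirs, matches_plugin_pattern), the candidate search list and the sample file names are constructed for illustration; nothing here opens a library.

```c
/* Added example, not VLC code: directory and file-name policy checks of
 * the kind that close an untrusted-search-path bug. All names are
 * hypothetical; the "lib*_plugin.so" pattern is the one the report quotes. */
#include <stdio.h>
#include <string.h>

/* Does a file name match "lib*_plugin.so" with at least one character in
 * the wildcard position? */
int matches_plugin_pattern(const char *name)
{
    const char *prefix = "lib";
    const char *suffix = "_plugin.so";
    size_t n = strlen(name), pl = strlen(prefix), sl = strlen(suffix);

    if (n < pl + sl + 1)          /* too short for "lib" + X + "_plugin.so" */
        return 0;
    if (strncmp(name, prefix, pl) != 0)
        return 0;
    return strcmp(name + n - sl, suffix) == 0;
}

/* True if any '/'-separated component of path is "..". */
static int has_dotdot_component(const char *path)
{
    const char *p = path;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/')
            p++;
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.')
            return 1;
        if (*p == '/')
            p++;
    }
    return 0;
}

/* Policy: a plugin directory is trusted only if it is absolute (so it
 * resolves the same way whatever the current working directory is) and
 * cannot climb out of its prefix with "..". Relative entries such as
 * "modules" or "./plugins" are exactly what the report describes. */
int is_trusted_plugin_dir(const char *dir)
{
    if (dir == NULL || dir[0] != '/')
        return 0;
    return !has_dotdot_component(dir);
}

/* Keep only the trusted entries of a candidate search list; returns the
 * number of directories written to kept[]. */
size_t filter_plugin_dirs(const char **cands, size_t n, const char **kept, size_t cap)
{
    size_t k = 0;
    for (size_t i = 0; i < n && k < cap; i++)
        if (is_trusted_plugin_dir(cands[i]))
            kept[k++] = cands[i];
    return k;
}

int main(void)
{
    /* Constructed search list: one installed prefix followed by the kind
     * of CWD-relative entries a hardened loader must drop. */
    const char *cands[] = { "/usr/lib/vlc", "modules", "plugins",
                            "./modules", "/usr/lib/vlc/../../tmp" };
    const char *kept[5];
    size_t n = filter_plugin_dirs(cands, 5, kept, 5);

    for (size_t i = 0; i < 5; i++)
        printf("%-24s %s\n", cands[i],
               is_trusted_plugin_dir(cands[i]) ? "scan" : "skip");
    printf("%zu of 5 directories kept\n", n);

    /* Constructed file names: only the first is a plugin candidate. */
    const char *names[] = { "libfoo_plugin.so", "lib_plugin.so", "libfoo_plugin.so.0" };
    for (size_t i = 0; i < 3; i++)
        printf("%-20s %s\n", names[i],
               matches_plugin_pattern(names[i]) ? "candidate" : "ignored");
    return 0;
}
```

The directory check is the part that matters for this class of bug: a search list built at startup from relative paths is resolved against whatever directory the user happened to launch the player from, so the file-name filter alone does nothing to protect against a planted library in that directory.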
--- Begin Message ---
Source: vlc
Source-Version: 0.8.6.e-2.2

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/libvlc0-dev_0.8.6.e-2.2_amd64.deb
libvlc0_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/libvlc0_0.8.6.e-2.2_amd64.deb
mozilla-plugin-vlc_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.e-2.2_amd64.deb
vlc-nox_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/vlc-nox_0.8.6.e-2.2_amd64.deb
vlc-plugin-alsa_0.8.6.e-2.2_all.deb
  to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.e-2.2_all.deb
vlc-plugin-arts_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.8.6.e-2.2_amd64.deb
vlc-plugin-esd_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.8.6.e-2.2_amd64.deb
vlc-plugin-ggi_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.e-2.2_amd64.deb
vlc-plugin-jack_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-jack_0.8.6.e-2.2_amd64.deb
vlc-plugin-sdl_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.e-2.2_amd64.deb
vlc-plugin-svgalib_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.e-2.2_amd64.deb
vlc_0.8.6.e-2.2.diff.gz
  to pool/main/v/vlc/vlc_0.8.6.e-2.2.diff.gz
vlc_0.8.6.e-2.2.dsc
  to pool/main/v/vlc/vlc_0.8.6.e-2.2.dsc
vlc_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/vlc_0.8.6.e-2.2_amd64.deb
wxvlc_0.8.6.e-2.2_all.deb
  to pool/main/v/vlc/wxvlc_0.8.6.e-2.2_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 16 May 2008 16:18:04 +0200
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-alsa vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts mozilla-plugin-vlc vlc-plugin-svgalib wxvlc vlc-plugin-jack
Architecture: source all amd64
Version: 0.8.6.e-2.2
Distribution: unstable
Urgency: high
Maintainer: Debian multimedia packages maintainers <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description: 
 libvlc0    - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc        - multimedia player and streamer
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-alsa - dummy transitional package
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-glide - Glide video output plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svgalib - SVGAlib video output plugin for VLC
 wxvlc      - dummy transitional package
Closes: 477734 478971 480370 480724 481417
Changes: 
 vlc (0.8.6.e-2.2) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix regression introduced by latest security upload which did not
     properly define FREENULL (Closes: #478971,#481417,#477734).
   * Fix untrusted search path vulnerability by not loading libraries
     from plugins and modules directories in the current working
     directory (CVE-2008-2147; Closes: #480724).
   * Fix arbitrary file overwriting via a crafted playlist or an
     EXTLVLCOPT statement in an mp3 file by partially disabling this
     functionality for the browser plugin (CVE-2007-6683; Closes: #480370).
Checksums-Sha1: 
 678b75baa6225c7e7955306e1d697e2fb985a997 3081 vlc_0.8.6.e-2.2.dsc
 ee53a998c1d4ce7604fb14ccf1c12591d23c5413 40817 vlc_0.8.6.e-2.2.diff.gz
 e6cb8191d4e3d136974b29c6d2c936d0de57c629 798 vlc-plugin-alsa_0.8.6.e-2.2_all.deb
 832dba48bddafb5808959c0aaab7efdb9d0bce3c 794 wxvlc_0.8.6.e-2.2_all.deb
 d3d247fb28bf2d8d126c816d6e5976a17f3b11a3 1166094 vlc_0.8.6.e-2.2_amd64.deb
 555ca4e1256bc9e0da1c9e59f608379ea12872e4 4795776 vlc-nox_0.8.6.e-2.2_amd64.deb
 8b761e20d03edaff334cebe2e269bed70ad76cdc 469142 libvlc0_0.8.6.e-2.2_amd64.deb
 e29445077fd66bd185564e4d174a47cdf0911d14 505374 libvlc0-dev_0.8.6.e-2.2_amd64.deb
 f0175001303f22a69201fb27dcc3880a64634fe5 4530 vlc-plugin-esd_0.8.6.e-2.2_amd64.deb
 d11cf11ca73870f3963b3d3122c9ba3b5f22e0d6 11652 vlc-plugin-sdl_0.8.6.e-2.2_amd64.deb
 8bb0d48aa75adc84f40004ed0ce03495c1ed1dcf 6222 vlc-plugin-ggi_0.8.6.e-2.2_amd64.deb
 0ab8da9ce7fb804930a6564baad885b3a8d4e17f 4184 vlc-plugin-arts_0.8.6.e-2.2_amd64.deb
 34dd8b61212eec372d0506a708fe2307dfd15fc7 38720 mozilla-plugin-vlc_0.8.6.e-2.2_amd64.deb
 745b588c9436a72e34dff3ad304b62c2f94d4578 4810 vlc-plugin-svgalib_0.8.6.e-2.2_amd64.deb
 d3b6a7cf6394c2971c4d8c1c701ed65ff66c54fc 4880 vlc-plugin-jack_0.8.6.e-2.2_amd64.deb
Checksums-Sha256: 
 308a218eecff8281eb1f2719436b04bc0554109cf63a1f412042dad4fa0941ed 3081 vlc_0.8.6.e-2.2.dsc
 1e52a970cff16f4f93f3c758a80f09f6747fed18641e4553ebbe65764257d317 40817 vlc_0.8.6.e-2.2.diff.gz
 4e92bef1512e01af911b90ee9a3e654416d190eca5b58c4de2776e45246807f4 798 vlc-plugin-alsa_0.8.6.e-2.2_all.deb
 e3bf4343eeed3e456868ac34fdb6b6a435094176aa30f9118eb1563ff031fb44 794 wxvlc_0.8.6.e-2.2_all.deb
 9f3427068c094e648b9d62b2c85d2fc027c1303f5c7e90435ede6c2d899faf91 1166094 vlc_0.8.6.e-2.2_amd64.deb
 a39aff9d4fe5e879d3223644e24f9bcad1b15b8e1c1379e27f06db37a9372a61 4795776 vlc-nox_0.8.6.e-2.2_amd64.deb
 060a8cb31d2eb82e2074ba4eb25135a7183efd4dd93b7406469abf2f3e6dcdd8 469142 libvlc0_0.8.6.e-2.2_amd64.deb
 f51826bafdbcd873829a0a991f2db922792f80c1ce1467566f229d888f317c1a 505374 libvlc0-dev_0.8.6.e-2.2_amd64.deb
 71bd2ab60dee995d11c5fffc4abd5667fc0e3a4ec3250c8f73387b7beb2c7342 4530 vlc-plugin-esd_0.8.6.e-2.2_amd64.deb
 a2e8acf655e7226a4ea8366b792adb259884205fd21cb337beb9018fe9d9d7cd 11652 vlc-plugin-sdl_0.8.6.e-2.2_amd64.deb
 f64fd84483e8721691c4d02fd46fd75301cb2c7b8eb27255455998519bafa70c 6222 vlc-plugin-ggi_0.8.6.e-2.2_amd64.deb
 1e10ebaccc7a849128f9e5b4577372ef5b906296f8fa66fca1fea23be1388a4f 4184 vlc-plugin-arts_0.8.6.e-2.2_amd64.deb
 a9927923dc9e57bba2c33ae171125083f52ef563b080a75d3bfd3c197926018c 38720 mozilla-plugin-vlc_0.8.6.e-2.2_amd64.deb
 6e9a78f790738f41dab0b1037963eec6fa8c0215499cf055cc83a90fe7993867 4810 vlc-plugin-svgalib_0.8.6.e-2.2_amd64.deb
 df5e4ad25ff1bea6244ab8802776aa427c3f87da7f0539fcb2c7d33bfb900c73 4880 vlc-plugin-jack_0.8.6.e-2.2_amd64.deb
Files: 
 08a6b32ab77adc28e6be41b61f863b02 3081 graphics optional vlc_0.8.6.e-2.2.dsc
 ab63042a199c798b61459d1a50d562de 40817 graphics optional vlc_0.8.6.e-2.2.diff.gz
 b6266035097a55e8a720505805cf96c5 798 graphics optional vlc-plugin-alsa_0.8.6.e-2.2_all.deb
 e680c2370261592e74e978e5e1a1dcd3 794 graphics optional wxvlc_0.8.6.e-2.2_all.deb
 01014f83b428ff6ace46311503a053ef 1166094 graphics optional vlc_0.8.6.e-2.2_amd64.deb
 8b4b0bb8215e4a24ff122afdc5b11eae 4795776 net optional vlc-nox_0.8.6.e-2.2_amd64.deb
 739bd77b9285f35c824e73d6ff207bd2 469142 libs optional libvlc0_0.8.6.e-2.2_amd64.deb
 77772c70f9d1e6286ea5b099598414f2 505374 libdevel optional libvlc0-dev_0.8.6.e-2.2_amd64.deb
 7a8b8b115dfe8d33fce8f75dfacde340 4530 graphics optional vlc-plugin-esd_0.8.6.e-2.2_amd64.deb
 03c6506e4ca5048ab538ed148c9bf87b 11652 graphics optional vlc-plugin-sdl_0.8.6.e-2.2_amd64.deb
 033c342f69010782d6b11baa4a0b0d36 6222 graphics optional vlc-plugin-ggi_0.8.6.e-2.2_amd64.deb
 387bfb005ea1e46ff5ef2d6f375abb40 4184 graphics optional vlc-plugin-arts_0.8.6.e-2.2_amd64.deb
 9613ea721e033593e655a45677579c66 38720 graphics optional mozilla-plugin-vlc_0.8.6.e-2.2_amd64.deb
 827fecdd8886423c70f4b4f2e76c2e95 4810 graphics optional vlc-plugin-svgalib_0.8.6.e-2.2_amd64.deb
 fa29b2eea0858c51ab56c40dd4af7d80 4880 graphics optional vlc-plugin-jack_0.8.6.e-2.2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFILarfHYflSXNkfP8RAte3AJwO5w4Kf66lLPRrXQddHfTLC05C0ACeIr1L
NVHtv1geDHDgsU5Y1poAZYQ=
=XPc+
-----END PGP SIGNATURE-----
--- End Message ---