Your message dated Sun, 07 Jan 2007 00:32:10 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#405425: fixed in vlc 0.8.6-svn20061012.debian-1.2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: vlc
Version: 0.8.6-svn20061012.debian-1
Severity: critical
Tags: security
Justification: root security hole

Description:
Multiple vulnerabilities have been identified in VideoLAN VLC, which could be
exploited by attackers to take complete control of an affected system. These
issues are due to format string errors in the "cdio_log_handler()" and
"vcd_log_handler()" functions that call "msg_Dbg()", "msg_Warn()", and
"msg_Err()" in an insecure manner, which could be exploited by remote
attackers to execute arbitrary commands by tricking a user into visiting a
specially crafted web page or opening a malicious M3U playlist.

Affected:
VideoLAN VLC version 0.8.6 and prior 

Solution:
A fix is available via SVN:
http://trac.videolan.org/vlc/changeset/18481

References:
http://www.frsirt.com/english/advisories/2007/0026
http://projects.info-pull.com/moab/MOAB-02-01-2007.html

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-486
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)

-- 
   .''`.  
  : :' :    Alex de Oliveira Silva | enerv
  `. `'     www.enerv.net
    `- 


--- End Message ---
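
The flaw class described in the report above, a log callback that forwards library-supplied text as the format string of a printf-style logging call, shown beside the corrected form. This is an added example, not code from VLC or from the report; `demo_log`, `handler_unsafe`, `handler_safe` and `count_conversions` are hypothetical names, and the sample message is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style logging call such as msg_Dbg():
 * formats into a caller-supplied buffer so the result can be inspected. */
static int demo_log(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Unsafe pattern: library-supplied text is used as the format string, so the
 * logger interprets any conversion specifier it contains. */
static int handler_unsafe(char *out, size_t n, const char *message)
{
    return demo_log(out, n, message);
}

/* Corrected pattern: constant format, untrusted text passed only as data. */
static int handler_safe(char *out, size_t n, const char *message)
{
    return demo_log(out, n, "%s", message);
}

/* Count conversion specifiers in a message; "%%" is a literal percent sign. */
static int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}

int main(void)
{
    char a[64], b[64];
    const char *msg = "track 100%% read";   /* constructed sample input */
    handler_unsafe(a, sizeof a, msg);       /* "%%" is collapsed to "%" */
    handler_safe(b, sizeof b, msg);         /* text is copied unchanged */
    printf("unsafe: %s\nsafe:   %s\nspecifiers: %d\n", a, b, count_conversions(msg));
    return 0;
}
```

Declaring the real logging function with GCC's `format(printf, ...)` attribute and building with `-Wformat -Wformat-security` makes the compiler report calls of the unsafe shape.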
--- Begin Message ---
Source: vlc
Source-Version: 0.8.6-svn20061012.debian-1.2

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6-svn20061012.debian-1.2_amd64.deb
  to pool/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-1.2_amd64.deb
libvlc0_0.8.6-svn20061012.debian-1.2_amd64.deb
  to pool/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-1.2_amd64.deb
vlc-nox_0.8.6-svn20061012.debian-1.2_amd64.deb
  to pool/main/v/vlc/vlc-nox_0.8.6-svn20061012.debian-1.2_amd64.deb
vlc-plugin-alsa_0.8.6-svn20061012.debian-1.2_all.deb
  to pool/main/v/vlc/vlc-plugin-alsa_0.8.6-svn20061012.debian-1.2_all.deb
vlc-plugin-arts_0.8.6-svn20061012.debian-1.2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.8.6-svn20061012.debian-1.2_amd64.deb
vlc-plugin-esd_0.8.6-svn20061012.debian-1.2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.8.6-svn20061012.debian-1.2_amd64.deb
vlc-plugin-ggi_0.8.6-svn20061012.debian-1.2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.8.6-svn20061012.debian-1.2_amd64.deb
vlc-plugin-sdl_0.8.6-svn20061012.debian-1.2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.8.6-svn20061012.debian-1.2_amd64.deb
vlc_0.8.6-svn20061012.debian-1.2.diff.gz
  to pool/main/v/vlc/vlc_0.8.6-svn20061012.debian-1.2.diff.gz
vlc_0.8.6-svn20061012.debian-1.2.dsc
  to pool/main/v/vlc/vlc_0.8.6-svn20061012.debian-1.2.dsc
vlc_0.8.6-svn20061012.debian-1.2_amd64.deb
  to pool/main/v/vlc/vlc_0.8.6-svn20061012.debian-1.2_amd64.deb
wxvlc_0.8.6-svn20061012.debian-1.2_all.deb
  to pool/main/v/vlc/wxvlc_0.8.6-svn20061012.debian-1.2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Barth <[EMAIL PROTECTED]> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat,  6 Jan 2007 23:07:51 +0000
Source: vlc
Binary: wxvlc vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-alsa vlc-plugin-glide 
vlc-plugin-esd vlc libvlc0 vlc-plugin-arts vlc-nox vlc-plugin-svgalib 
libvlc0-dev
Architecture: source amd64 all
Version: 0.8.6-svn20061012.debian-1.2
Distribution: unstable
Urgency: high
Maintainer: Sam Hocevar (Debian packages) <[EMAIL PROTECTED]>
Changed-By: Andreas Barth <[EMAIL PROTECTED]>
Description: 
 libvlc0    - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 vlc        - multimedia player and streamer
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-alsa - dummy transitional package
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 wxvlc      - dummy transitional package
Closes: 405425
Changes: 
 vlc (0.8.6-svn20061012.debian-1.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix format string vulnerability with patch
     MOAB-02-01-2007-CVE-2007-0017.patch, CVE-2007-0017. Closes: #405425

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFFoDOOmdOZoew2oYURAq1vAKCM2wyhg226o0749N57EbfqYZ+wQACfVEWM
Em19OrxMoIgqAFXY4U1E1tM=
=llep
-----END PGP SIGNATURE-----


--- End Message ---
