Control: tag -1 upstream

On Mon, Feb 3, 2014 at 10:08 AM, Raphael Geissert <geiss...@debian.org> wrote:
> Package: vlc
> Severity: important
> Tags: security
>
> Hi,
>
> vlc uses libtar to unpack skins, however, its use on untrusted data
> exposes it to CVE-2013-4420 (#731860).
>
> Changing the behaviour of libtar appears to be problematic because
> some applications have relied on the, lack of, path sanitation (cf.
> https://lists.feep.net:8080/pipermail/libtar/2013-October/000359.html
> and the follow-ups).
> What appears to be the safe way to handle this issue is making sure
> that libtar is not used on untrusted data without file path validation
> - that would mean that vlc would have to check for every file that is
> about to be extracted that none contains a ../, and something similar
> for symlinks.
>
> Alternatively, vlc could just use tar(1) to unpack the tarballs, or
> drop support for skins or skins in tarballs.
>
> What do you think?
>
> This should probably be forwarded to upstream.
I totally agree. J-B, do you have any opinion on this issue?

Thanks,
Reinhard

--
regards,
Reinhard

_______________________________________________
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
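The per-entry validation the quoted report asks for (reject any `../` that climbs above the extraction root, and apply the same rule to link targets) can be written as one check run on each tar header before libtar is allowed to extract it. The following is an added illustration, not code from VLC, libtar or the Debian bug; the function name `tar_entry_is_safe`, the header fields it takes (entry name, ustar typeflag, link target) and the sample entries in `main` are all assumptions made for the example. It goes slightly beyond the report's wording by also rejecting absolute paths and by treating backslashes as separators, since skins are unpacked on Windows too.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Walk a path starting at start_depth: "." and empty components are
 * ignored, ".." steps up one level, anything else steps down one level.
 * Both '/' and '\\' are treated as separators. Returns the lowest depth
 * reached; a negative result means the path climbed above the
 * extraction root at some point. final_depth (optional) receives the
 * depth at the end of the path. */
static int min_depth_reached(const char *p, int start_depth, int *final_depth)
{
    int depth = start_depth, lowest = start_depth;
    while (*p) {
        const char *sep = strpbrk(p, "/\\");
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        if (len == 2 && memcmp(p, "..", 2) == 0) {
            if (--depth < lowest)
                lowest = depth;
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;
        }
        if (!sep)
            break;
        p = sep + 1;
    }
    if (final_depth)
        *final_depth = depth;
    return lowest;
}

/* Hypothetical pre-extraction check (not libtar's API). typeflag uses the
 * ustar values: '0' or '\0' regular file, '1' hard link, '2' symlink,
 * '5' directory. Returns true only if extracting this entry cannot
 * create or point at anything outside the extraction root. */
bool tar_entry_is_safe(const char *name, char typeflag, const char *linkname)
{
    int name_depth;
    if (name == NULL || *name == '\0' || *name == '/' || *name == '\\')
        return false;                       /* empty or absolute entry name */
    if (min_depth_reached(name, 0, &name_depth) < 0)
        return false;                       /* "../" escapes the root */
    if (typeflag == '2') {
        /* Symlink targets resolve relative to the directory holding the
         * link, i.e. one level above the link's own depth. */
        if (linkname == NULL || *linkname == '/' || *linkname == '\\')
            return false;                   /* absolute target */
        if (min_depth_reached(linkname, name_depth - 1, NULL) < 0)
            return false;                   /* target leaves the root */
    } else if (typeflag == '1') {
        /* Hard link targets are archive-relative, same rule as names. */
        if (linkname == NULL || *linkname == '/' || *linkname == '\\' ||
            min_depth_reached(linkname, 0, NULL) < 0)
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample headers, as a skin archive might carry them. */
    struct { const char *name; char type; const char *link; } entries[] = {
        { "skin/theme.xml",   '0', NULL },
        { "skin/",            '5', NULL },
        { "../../.bashrc",    '0', NULL },
        { "skin/img/link",    '2', "../../theme.xml" },
        { "skin/img/link",    '2', "../../../outside" },
        { "link",             '2', "/etc/passwd" },
    };
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++)
        printf("%-22s %s\n", entries[i].name,
               tar_entry_is_safe(entries[i].name, entries[i].type,
                                 entries[i].link) ? "extract" : "REJECT");
    return 0;
}
```

The check is meant to run on every header before the corresponding `tar_extract_*` call, so a rejected entry is skipped (or the whole archive refused) rather than written. It normalises `a/../b` to `b` and accepts it, which matches what tar(1) would create; what it refuses is any point in a path or link target where the walk drops below the root.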