Bug#480724: marked as done (vlc: CVE-2008-2147 untrusted search path vulnerability for module library)
Your message dated Sat, 17 May 2008 12:47:15 + with message-id [EMAIL PROTECTED] and subject line "Bug#480724: fixed in vlc 0.8.6.c-6+lenny5" has caused the Debian Bug report #480724, regarding vlc: CVE-2008-2147 untrusted search path vulnerability for module library, to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.)

--
480724: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480724
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems

---BeginMessage---
Package: vlc
Severity: grave
Tags: security patch

Hi,
vlc is vulnerable to a local privilege escalation[0]:

| At startup, VLC recursively scans the modules/ and plugins/ subdirectories from
| the current working directory, and tries to execute the vlc_entry__0_8_6 (or
| another in other VLC versions) symbol from any file matching the
| lib*_plugin.so pattern.

An attacker could use this to execute code by providing a crafted library file.

Patch: http://git.videolan.org/?p=vlc.git;a=commit;h=c7cef4fdd8dd72ce0a45be3cda8ba98df5e83181

This issue doesn't have a CVE id yet; I have already requested one and will update this bug report when I get it. Make sure to use it in your changelog then if you close the bug.

[0] https://trac.videolan.org/vlc/ticket/1578

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Attachment: pgpw6tvoC0e4F.pgp (PGP signature)
---End Message---

---BeginMessage---
Source: vlc
Source-Version: 0.8.6.c-6+lenny5

We believe that the bug you reported is fixed in the latest version of vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6.c-6+lenny5_amd64.deb to pool/main/v/vlc/libvlc0-dev_0.8.6.c-6+lenny5_amd64.deb
libvlc0_0.8.6.c-6+lenny5_amd64.deb to pool/main/v/vlc/libvlc0_0.8.6.c-6+lenny5_amd64.deb
mozilla-plugin-vlc_0.8.6.c-6+lenny5_amd64.deb to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.c-6+lenny5_amd64.deb
vlc-nox_0.8.6.c-6+lenny5_amd64.deb to pool/main/v/vlc/vlc-nox_0.8.6.c-6+lenny5_amd64.deb
vlc-plugin-alsa_0.8.6.c-6+lenny5_all.deb to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.c-6+lenny5_all.deb
vlc-plugin-arts_0.8.6.c-6+lenny5_amd64.deb to pool/main/v/vlc/vlc-plugin-arts_0.8.6.c-6+lenny5_amd64.deb
vlc-plugin-esd_0.8.6.c-6+lenny5_amd64.deb to pool/main/v/vlc/vlc-plugin-esd_0.8.6.c-6+lenny5_amd64.deb
vlc-plugin-ggi_0.8.6.c-6+lenny5_amd64.deb to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.c-6+lenny5_amd64.deb
vlc-plugin-jack_0.8.6.c-6+lenny5_amd64.deb to pool/main/v/vlc/vlc-plugin-jack_0.8.6.c-6+lenny5_amd64.deb
vlc-plugin-sdl_0.8.6.c-6+lenny5_amd64.deb to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.c-6+lenny5_amd64.deb
vlc-plugin-svgalib_0.8.6.c-6+lenny5_amd64.deb to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.c-6+lenny5_amd64.deb
vlc_0.8.6.c-6+lenny5.diff.gz to pool/main/v/vlc/vlc_0.8.6.c-6+lenny5.diff.gz
vlc_0.8.6.c-6+lenny5.dsc to pool/main/v/vlc/vlc_0.8.6.c-6+lenny5.dsc
vlc_0.8.6.c-6+lenny5_amd64.deb to pool/main/v/vlc/vlc_0.8.6.c-6+lenny5_amd64.deb
wxvlc_0.8.6.c-6+lenny5_all.deb to pool/main/v/vlc/wxvlc_0.8.6.c-6+lenny5_all.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde [EMAIL PROTECTED] (supplier of updated vlc package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 16 May 2008 17:45:15 +0200
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-alsa vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts mozilla-plugin-vlc vlc-plugin-svgalib wxvlc vlc-plugin-jack
Architecture: source all amd64
Version: 0.8.6.c-6+lenny5
Distribution: testing-security
Urgency: high
Maintainer: Debian multimedia packages maintainers [EMAIL PROTECTED]
Changed-By: Nico Golde [EMAIL PROTECTED]
Description:
 libvlc0 - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc - multimedia player and streamer
 vlc-nox - multimedia player and streamer (without X support)
 vlc-plugin-alsa - dummy transitional package
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio
Bug#480724: marked as done (vlc: CVE-2008-2147 untrusted search path vulnerability for module library)
Your message dated Fri, 16 May 2008 15:47:18 + with message-id [EMAIL PROTECTED] and subject line "Bug#480724: fixed in vlc 0.8.6.e-2.2" has caused the Debian Bug report #480724, regarding vlc: CVE-2008-2147 untrusted search path vulnerability for module library, to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [EMAIL PROTECTED] immediately.)

--
480724: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480724
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems

---BeginMessage---
Package: vlc
Severity: grave
Tags: security patch

Hi,
vlc is vulnerable to a local privilege escalation[0]:

| At startup, VLC recursively scans the modules/ and plugins/ subdirectories from
| the current working directory, and tries to execute the vlc_entry__0_8_6 (or
| another in other VLC versions) symbol from any file matching the
| lib*_plugin.so pattern.

An attacker could use this to execute code by providing a crafted library file.

Patch: http://git.videolan.org/?p=vlc.git;a=commit;h=c7cef4fdd8dd72ce0a45be3cda8ba98df5e83181

This issue doesn't have a CVE id yet; I have already requested one and will update this bug report when I get it. Make sure to use it in your changelog then if you close the bug.

[0] https://trac.videolan.org/vlc/ticket/1578

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Attachment: pgpu1cdL2tOHc.pgp (PGP signature)
---End Message---

---BeginMessage---
Source: vlc
Source-Version: 0.8.6.e-2.2

We believe that the bug you reported is fixed in the latest version of vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6.e-2.2_amd64.deb to pool/main/v/vlc/libvlc0-dev_0.8.6.e-2.2_amd64.deb
libvlc0_0.8.6.e-2.2_amd64.deb to pool/main/v/vlc/libvlc0_0.8.6.e-2.2_amd64.deb
mozilla-plugin-vlc_0.8.6.e-2.2_amd64.deb to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.e-2.2_amd64.deb
vlc-nox_0.8.6.e-2.2_amd64.deb to pool/main/v/vlc/vlc-nox_0.8.6.e-2.2_amd64.deb
vlc-plugin-alsa_0.8.6.e-2.2_all.deb to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.e-2.2_all.deb
vlc-plugin-arts_0.8.6.e-2.2_amd64.deb to pool/main/v/vlc/vlc-plugin-arts_0.8.6.e-2.2_amd64.deb
vlc-plugin-esd_0.8.6.e-2.2_amd64.deb to pool/main/v/vlc/vlc-plugin-esd_0.8.6.e-2.2_amd64.deb
vlc-plugin-ggi_0.8.6.e-2.2_amd64.deb to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.e-2.2_amd64.deb
vlc-plugin-jack_0.8.6.e-2.2_amd64.deb to pool/main/v/vlc/vlc-plugin-jack_0.8.6.e-2.2_amd64.deb
vlc-plugin-sdl_0.8.6.e-2.2_amd64.deb to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.e-2.2_amd64.deb
vlc-plugin-svgalib_0.8.6.e-2.2_amd64.deb to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.e-2.2_amd64.deb
vlc_0.8.6.e-2.2.diff.gz to pool/main/v/vlc/vlc_0.8.6.e-2.2.diff.gz
vlc_0.8.6.e-2.2.dsc to pool/main/v/vlc/vlc_0.8.6.e-2.2.dsc
vlc_0.8.6.e-2.2_amd64.deb to pool/main/v/vlc/vlc_0.8.6.e-2.2_amd64.deb
wxvlc_0.8.6.e-2.2_all.deb to pool/main/v/vlc/wxvlc_0.8.6.e-2.2_all.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde [EMAIL PROTECTED] (supplier of updated vlc package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 16 May 2008 16:18:04 +0200
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-alsa vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts mozilla-plugin-vlc vlc-plugin-svgalib wxvlc vlc-plugin-jack
Architecture: source all amd64
Version: 0.8.6.e-2.2
Distribution: unstable
Urgency: high
Maintainer: Debian multimedia packages maintainers [EMAIL PROTECTED]
Changed-By: Nico Golde [EMAIL PROTECTED]
Description:
 libvlc0 - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc - multimedia player and streamer
 vlc-nox - multimedia player and streamer (without X support)
 vlc-plugin-alsa - dummy transitional package
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-glide - Glide video output plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC