Bug#811519: vlc: avio plugin leaks file content
Can this bug be closed if no additional information gets added? Thank you, Carl Eugen
Bug#811519: vlc: avio plugin leaks file content
On Tuesday 19 January 2016 19:06:54 Andreas Cadhalpun wrote: > On 19.01.2016 17:27, Sebastian Ramacher wrote: > > On 2016-01-19 18:11:01, Rémi Denis-Courmont wrote: > >> With a carefully crafted URL, the VLC avio plugin can be made to leak > >> content of local files to remote parties. > >> The root cause is the same as CVE-2016-1897. > >> > >> See also: > >> > >> https://mailman.videolan.org/pipermail/vlc-devel/2016-January/105718.html > > > > There is nothing to be done in the vlc package. Reassigning to ffmpeg. It > > needs to be built with --disable-protocol=concat. > > How is CVE-2016-1897 not fully fixed? > > Rémi, please share details about any remaining vulnerability with >. This is a VLC vulnerability and I can´t share it with my own self. Besides the underlying issue has already been discussed with upstream libav. There is plenty of information available already to reproduce the problem. I don´t want to publish an exact proof-of-concept against "my" own software, especially not before VLC 2.2.2 gets released. -- Rémi Denis-Courmont http://www.remlab.net/
Bug#811519: vlc: avio plugin leaks file content
Control: tags -1 = moreinfo Control: severity -1 important Hi, On 19.01.2016 17:27, Sebastian Ramacher wrote: > On 2016-01-19 18:11:01, Rémi Denis-Courmont wrote: >> With a carefully crafted URL, the VLC avio plugin can be made to leak >> content of local files to remote parties. >> The root cause is the same as CVE-2016-1897. >> >> See also: >> >> https://mailman.videolan.org/pipermail/vlc-devel/2016-January/105718.html > > There is nothing to be done in the vlc package. Reassigning to ffmpeg. It > needs > to be built with --disable-protocol=concat. How is CVE-2016-1897 not fully fixed? Rémi, please share details about any remaining vulnerability with. Best regards, Andreas
Bug#811519: vlc: avio plugin leaks file content
On 19.01.2016 20:32, Rémi Denis-Courmont wrote: > On Tuesday 19 January 2016 19:06:54 Andreas Cadhalpun wrote: >> How is CVE-2016-1897 not fully fixed? >> >> Rémi, please share details about any remaining vulnerability with >>. > > This is a VLC vulnerability and I can´t share it with my own self. However, you suggest that the underlying problem is in libavformat. > Besides the > underlying issue has already been discussed with upstream libav. But they haven't applied any fix for it, yet. > There is plenty of information available already to reproduce the problem. I can reproduce the problem with ffmpeg 2.8.4, but not with 2.8.5. > I don´t want to publish an exact proof-of-concept against "my" own software, > especially not before VLC 2.2.2 gets released. is a private mailing list that can deal with embargoed information. So please provide more details there. Best regards, Andreas
Bug#811519: vlc: avio plugin leaks file content
Control: reassign -1 src:ffmpeg 7:2.8.4-1 Control: retitle -1 ffmpeg: needs to build with --disable-protocol=concat to really fix CVE-2016-1897 On 2016-01-19 18:11:01, Rémi Denis-Courmont wrote: > Package: vlc > Version: 2.2.1-5+b1 > Severity: grave > Tags: security patch > Justification: user security hole > > Dear Maintainer, > > With a carefully crafted URL, the VLC avio plugin can be made to leak > content of local files to remote parties. > The root cause is the same as CVE-2016-1897. > > See also: > > https://mailman.videolan.org/pipermail/vlc-devel/2016-January/105718.html There is nothing to be done in the vlc package. Reassigning to ffmpeg. It needs to be built with --disable-protocol=concat. Cheers -- Sebastian Ramacher signature.asc Description: PGP signature
Bug#811519: vlc: avio plugin leaks file content
Package: vlc Version: 2.2.1-5+b1 Severity: grave Tags: security patch Justification: user security hole Dear Maintainer, With a carefully crafted URL, the VLC avio plugin can be made to leak content of local files to remote parties. The root cause is the same as CVE-2016-1897. See also: https://mailman.videolan.org/pipermail/vlc-devel/2016-January/105718.html Best regards, -- System Information: Debian Release: stretch/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.1.15-basile (SMP w/4 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fi_FI.UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages vlc depends on: ii fonts-freefont-ttf 20120503-4 ii libaa1 1.4p5-44 ii libavcodec-ffmpeg56 7:2.8.5-1 ii libavutil-ffmpeg54 7:2.8.5-1 ii libc6 2.21-6 ii libcaca00.99.beta19-2+b1 ii libcairo2 1.14.6-1 ii libegl1-mesa [libegl1-x11] 11.1.1-2 ii libfreerdp-client1.11.1.0~git20140921.1.440916e+dfsg1-5+b1 ii libfreerdp-core1.1 1.1.0~git20140921.1.440916e+dfsg1-5+b1 ii libfreerdp-gdi1.1 1.1.0~git20140921.1.440916e+dfsg1-5+b1 ii libfreetype62.6.1-0.1 ii libfribidi0 0.19.7-1 ii libgcc1 1:5.3.1-6 ii libgl1-mesa-glx [libgl1]11.1.1-2 ii libgles1-mesa [libgles1]11.1.1-2 ii libgles2-mesa [libgles2]11.1.1-2 ii libglib2.0-02.46.2-3 ii libpulse0 7.1-2 ii libqt5core5a5.5.1+dfsg-12 ii libqt5gui5 5.5.1+dfsg-12 ii libqt5widgets5 5.5.1+dfsg-12 ii libqt5x11extras55.5.1-3 ii librsvg2-2 2.40.13-1 ii libsdl-image1.2 1.2.12-5+b5 ii libsdl1.2debian 1.2.15-12 ii libstdc++6 5.3.1-6 ii libva-drm1 1.6.2-1 ii libva-x11-1 1.6.2-1 ii libva1 1.6.2-1 ii libvlccore8 2.2.1-5+b1 ii libvncclient1 0.9.10+dfsg-3 ii libx11-62:1.6.3-1 ii libxcb-composite0 1.11.1-1 ii libxcb-keysyms1 0.4.0-1 ii libxcb-randr0 1.11.1-1 ii libxcb-shm0 1.11.1-1 ii libxcb-xv0 1.11.1-1 ii libxcb1 1.11.1-1 ii libxext62:1.3.3-1 ii libxi6 2:1.7.5-1 ii libxinerama12:1.1.3-1+b1 ii libxpm4 1:3.5.11-1+b1 ii vlc-nox 2.2.1-5+b1 ii zlib1g 1:1.2.8.dfsg-2+b1 Versions of packages vlc recommends: pn vlc-plugin-notify pn vlc-plugin-samba ii xdg-utils 1.1.1-1 vlc suggests no packages. Versions of packages vlc-nox depends on: ii liba52-0.7.4 0.7.4-18 ii libasound2 1.0.29-1 ii libass50.13.1-1 ii libavahi-client3 0.6.32~rc+dfsg-1 ii libavahi-common3 0.6.32~rc+dfsg-1 ii libavc1394-0 0.5.4-2 ii libavcodec-ffmpeg567:2.8.5-1 ii libavformat-ffmpeg56 7:2.8.5-1 ii libavutil-ffmpeg54 7:2.8.5-1 ii libbasicusageenvironment0 2014.01.13-1 ii libbluray1 1:0.9.2-2 ii libc6 2.21-6 ii libcddb2 1.3.2-5 ii libcdio13 0.83-4.2+b1 ii libchromaprint01.2-1+b1 ii libcrystalhd3 1:0.0~git20110715.fdd2f19-11+b1 ii libdbus-1-31.10.6-1 ii libdc1394-22 2.2.3-1 ii libdca00.0.5-7 ii libdirectfb-1.2-9 1.2.10.0-5.1 ii libdvbpsi101.3.0-4 ii libdvdnav4 5.0.3-1 ii libdvdread45.0.3-1 ii libebml4v5 1.3.3-1 ii libfaad2 2.8.0~cvs20150510-1 ii libflac8 1.3.1-4 ii libfontconfig1 2.11.0-6.3 ii libfreetype6 2.6.1-0.1 ii libfribidi00.19.7-1 ii libgcc11:5.3.1-6 ii libgcrypt201.6.4-4 ii libgnutls-deb0-28 3.3.20-1 ii libgpg-error0 1.21-1 ii libgroupsock1 2014.01.13-1 ii libjpeg62-turbo1:1.4.1-2 ii libkate1 0.4.1-5 ii liblircclient0 0.9.0~pre1-1.2 ii liblivemedia23 2014.01.13-1 ii liblua5.2-05.2.4-1 ii libmad00.15.1b-8 ii libmatroska6v5 1.4.4-1 ii libmodplug11:0.8.8.5-2 ii libmpcdec6 2:0.1~r475-1 ii libmpeg2-4 0.5.1-7 ii libmtp91.1.10-2 ii libncursesw5 6.0+20151024-2 ii libogg01.3.2-1 ii libopus0