Bug#811519: vlc: avio plugin leaks file content

2016-03-25 Thread Carl Eugen Hoyos
Can this bug be closed if no additional information gets added?

Thank you, Carl Eugen



Bug#811519: vlc: avio plugin leaks file content

2016-01-19 Thread Rémi Denis-Courmont
On Tuesday 19 January 2016 19:06:54 Andreas Cadhalpun wrote:
> On 19.01.2016 17:27, Sebastian Ramacher wrote:
> > On 2016-01-19 18:11:01, Rémi Denis-Courmont wrote:
> >> With a carefully crafted URL, the VLC avio plugin can be made to leak
> >> content of local files to remote parties.
> >> The root cause is the same as CVE-2016-1897.
> >> 
> >> See also:
> >> 
> >> https://mailman.videolan.org/pipermail/vlc-devel/2016-January/105718.html
> > 
> > There is nothing to be done in the vlc package. Reassigning to ffmpeg. It
> > needs to be built with --disable-protocol=concat.
> 
> How is CVE-2016-1897 not fully fixed?
> 
> Rémi, please share details about any remaining vulnerability with
> .

This is a VLC vulnerability and I can't share it with my own self. Besides, the
underlying issue has already been discussed with upstream libav.

There is plenty of information available already to reproduce the problem. I
don't want to publish an exact proof-of-concept against "my" own software,
especially not before VLC 2.2.2 gets released.

-- 
Rémi Denis-Courmont
http://www.remlab.net/



Bug#811519: vlc: avio plugin leaks file content

2016-01-19 Thread Andreas Cadhalpun
Control: tags -1 = moreinfo
Control: severity -1 important

Hi,

On 19.01.2016 17:27, Sebastian Ramacher wrote:
> On 2016-01-19 18:11:01, Rémi Denis-Courmont wrote:
>> With a carefully crafted URL, the VLC avio plugin can be made to leak
>> content of local files to remote parties.
>> The root cause is the same as CVE-2016-1897.
>>
>> See also:
>>
>> https://mailman.videolan.org/pipermail/vlc-devel/2016-January/105718.html
> 
> There is nothing to be done in the vlc package. Reassigning to ffmpeg. It
> needs to be built with --disable-protocol=concat.

How is CVE-2016-1897 not fully fixed?

Rémi, please share details about any remaining vulnerability with
.

Best regards,
Andreas



Bug#811519: vlc: avio plugin leaks file content

2016-01-19 Thread Andreas Cadhalpun
On 19.01.2016 20:32, Rémi Denis-Courmont wrote:
> On Tuesday 19 January 2016 19:06:54 Andreas Cadhalpun wrote:
>> How is CVE-2016-1897 not fully fixed?
>>
>> Rémi, please share details about any remaining vulnerability with
>> .
> 
> This is a VLC vulnerability and I can't share it with my own self.

However, you suggest that the underlying problem is in libavformat.

> Besides, the
> underlying issue has already been discussed with upstream libav.

But they haven't applied any fix for it, yet.

> There is plenty of information available already to reproduce the problem.

I can reproduce the problem with ffmpeg 2.8.4, but not with 2.8.5.

> I don't want to publish an exact proof-of-concept against "my" own software,
> especially not before VLC 2.2.2 gets released.

 is a private mailing list that can deal with
embargoed information. So please provide more details there.

Best regards,
Andreas



Bug#811519: vlc: avio plugin leaks file content

2016-01-19 Thread Sebastian Ramacher
Control: reassign -1 src:ffmpeg 7:2.8.4-1
Control: retitle -1 ffmpeg: needs to build with --disable-protocol=concat to really fix CVE-2016-1897

On 2016-01-19 18:11:01, Rémi Denis-Courmont wrote:
> Package: vlc
> Version: 2.2.1-5+b1
> Severity: grave
> Tags: security patch
> Justification: user security hole
> 
> Dear Maintainer,
> 
> With a carefully crafted URL, the VLC avio plugin can be made to leak
> content of local files to remote parties.
> The root cause is the same as CVE-2016-1897.
> 
> See also:
> 
> https://mailman.videolan.org/pipermail/vlc-devel/2016-January/105718.html

There is nothing to be done in the vlc package. Reassigning to ffmpeg. It needs
to be built with --disable-protocol=concat.

Cheers
-- 
Sebastian Ramacher
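
Added example, not part of the original thread: one way to check whether an FFmpeg build still offers the concat input protocol that the message above wants disabled with --disable-protocol=concat. It parses the listing printed by `ffmpeg -protocols`; the function names and sample listings are constructed for illustration, and it assumes the ffmpeg binary comes from the same build as the libavformat that VLC loads.

```shell
#!/bin/sh
# Added example: audit a `ffmpeg -protocols` listing for the concat protocol.

# has_input_protocol NAME: reads a protocol listing on stdin and returns 0
# only if NAME appears (exact match) in the "Input:" section.
has_input_protocol() {
    awk -v want="$1" '
        /^Input:/  { section = "in";  next }
        /^Output:/ { section = "out"; next }
        section == "in" {
            gsub(/^[ \t]+|[ \t]+$/, "")   # strip the listing indentation
            if ($0 == want) found = 1
        }
        END { exit !found }
    '
}

# audit_listing: prints a verdict for the listing on stdin and returns 1
# when concat is still available as an input protocol.
audit_listing() {
    if has_input_protocol concat; then
        echo "concat input protocol ENABLED: rebuild with --disable-protocol=concat"
        return 1
    fi
    echo "concat input protocol not present"
}

# Constructed sample listings (not captured from a real build).
SAMPLE_WITH_CONCAT='Supported file protocols:
Input:
  concat
  file
  http
Output:
  file
  http'

SAMPLE_WITHOUT_CONCAT='Supported file protocols:
Input:
  file
  http
Output:
  file
  http'

printf '%s\n' "$SAMPLE_WITH_CONCAT"    | audit_listing || true
printf '%s\n' "$SAMPLE_WITHOUT_CONCAT" | audit_listing || true

# Against an installed build:
#   ffmpeg -hide_banner -protocols 2>/dev/null | audit_listing
```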




Bug#811519: vlc: avio plugin leaks file content

2016-01-19 Thread Rémi Denis-Courmont
Package: vlc
Version: 2.2.1-5+b1
Severity: grave
Tags: security patch
Justification: user security hole

Dear Maintainer,

With a carefully crafted URL, the VLC avio plugin can be made to leak
content of local files to remote parties.
The root cause is the same as CVE-2016-1897.

See also:

https://mailman.videolan.org/pipermail/vlc-devel/2016-January/105718.html

Best regards,

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.15-basile (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fi_FI.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
