Säkerhetsbulletin från Debian

DSA-1543-1 vlc -- flera sårbarheter

Rapporterat den:

2008-04-09

Berörda paket:

Sårbara:

Referenser i säkerhetsdatabaser:

I Mitres CVE-förteckning: CVE-2007-6681, CVE-2007-6682, CVE-2007-6683, CVE-2008-0295, CVE-2008-0296, CVE-2008-0073, CVE-2008-0984, CVE-2008-1489.

Ytterligare information:

Luigi Auriemma, Alin Rad Pop, Rémi Denis-Courmont, Quovodis, Guido Landi, Felipe Manzano, Anibal Sacco, med flera, upptäckte flera sårbarheter i vlc, ett program för att spela upp och strömma ljud och bild. I det värsta fallet kunde dessa svagheter göra det möjligt för en utifrån oautentiserad angripare att exekvera godtycklig kod med privilegierna hos den användare som körde vlc.

Projektet Common Vulnerabilities and Exposures identifierar följande åtta problem:

CVE-2007-6681
Ett sårbart buffertspill i textningshanteringen gjorde det möjligt för en angripare att exekvera godtycklig kod genom att öppna en skadlig specialskriven MicroDVD-, SSA- eller Vplayer-fil.
CVE-2007-6682
En formatsträngssårbarhet i den HTTP-baserade fjärrkontrollfunktionen i vlc-programmet gjorde det möjligt för en oautentiserad angripare utifrån att exekvera godtycklig kod.
CVE-2007-6683
Osäker validering av argument gjorde det möjligt för en angripare utifrån att skriva över godtyckliga filer skrivbara av användaren som körde vlc, om en skadligt specialskriven M3U-spellista eller MP3-ljudfil öppnades.
CVE-2008-0295, CVE-2008-0296
Heapbuffertspill i hanteringen av RTSP-strömnings- och -sessionsbeskrivningsprotokollet (SDP) gjorde det möjligt för en angripare att exekvera godtycklig kod om en skadligt specialskriven RTSP-ström spelades av.
CVE-2008-0073
Otillräcklig heltalsbegränsningskontroll i SDP-hanteringen gjorde det möjligt att exekvera godtycklig kod genom en skadligt specialskriven SDP-strömnings-id-parameter i RTSP-strömmen.
CVE-2008-0984
Otillräcklig integreritetskontroll i MP4-demuxern gjorde det möjligt för en angripare utifrån att skriva över godtyckligt minne och exekvera godtycklig kod om en skadligt specialskriven MP4-fil öppnades.
CVE-2008-1489
Ett sårbart heltalsspill i MP4-hanteringen gjorde det möjligt för en angripare utifrån att orsaka en heapbuffertspill, vilket framkallade en krasch och möjligen exekvering av godtycklig kod om en skadligt specialskriven MP4-fil öppnades.

För den stabila utgåvan (Etch) har dessa problem rättats i version 0.8.6-svn20061012.debian-5.1+etch2.

För den instabila utgåvan (Sid) har dessa problem rättats i version 0.8.6.e-2.

Vi rekommenderar att ni uppgraderar era vlc-paket.

Rättat i:

Debian GNU/Linux 4.0 (stable)

Källkod:: http://security.debian.org/pool/updates/main/v/vlc/vlc_0.8.6-svn20061012.debian-5.1+etch2.diff.gz; http://security.debian.org/pool/updates/main/v/vlc/vlc_0.8.6-svn20061012.debian.orig.tar.gz; http://security.debian.org/pool/updates/main/v/vlc/vlc_0.8.6-svn20061012.debian-5.1+etch2.dsc
Arkitekturoberoende komponent:: http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-alsa_0.8.6-svn20061012.debian-5.1+etch2_all.deb; http://security.debian.org/pool/updates/main/v/vlc/wxvlc_0.8.6-svn20061012.debian-5.1+etch2_all.deb
Alpha:: http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-sdl_0.8.6-svn20061012.debian-5.1+etch2_alpha.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-arts_0.8.6-svn20061012.debian-5.1+etch2_alpha.deb; http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_alpha.deb; http://security.debian.org/pool/updates/main/v/vlc/mozilla-plugin-vlc_0.8.6-svn20061012.debian-5.1+etch2_alpha.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-nox_0.8.6-svn20061012.debian-5.1+etch2_alpha.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-esd_0.8.6-svn20061012.debian-5.1+etch2_alpha.deb; http://security.debian.org/pool/updates/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-5.1+etch2_alpha.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc_0.8.6-svn20061012.debian-5.1+etch2_alpha.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-ggi_0.8.6-svn20061012.debian-5.1+etch2_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-arts_0.8.6-svn20061012.debian-5.1+etch2_amd64.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-esd_0.8.6-svn20061012.debian-5.1+etch2_amd64.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc_0.8.6-svn20061012.debian-5.1+etch2_amd64.deb; http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_amd64.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-nox_0.8.6-svn20061012.debian-5.1+etch2_amd64.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-ggi_0.8.6-svn20061012.debian-5.1+etch2_amd64.deb; http://security.debian.org/pool/updates/main/v/vlc/mozilla-plugin-vlc_0.8.6-svn20061012.debian-5.1+etch2_amd64.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-sdl_0.8.6-svn20061012.debian-5.1+etch2_amd64.deb; http://security.debian.org/pool/updates/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-5.1+etch2_amd64.deb
ARM:: http://security.debian.org/pool/updates/main/v/vlc/vlc_0.8.6-svn20061012.debian-5.1+etch2_arm.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-ggi_0.8.6-svn20061012.debian-5.1+etch2_arm.deb; http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_arm.deb; http://security.debian.org/pool/updates/main/v/vlc/mozilla-plugin-vlc_0.8.6-svn20061012.debian-5.1+etch2_arm.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-nox_0.8.6-svn20061012.debian-5.1+etch2_arm.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-arts_0.8.6-svn20061012.debian-5.1+etch2_arm.deb; http://security.debian.org/pool/updates/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-5.1+etch2_arm.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-esd_0.8.6-svn20061012.debian-5.1+etch2_arm.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-sdl_0.8.6-svn20061012.debian-5.1+etch2_arm.deb
HP Precision:: http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-sdl_0.8.6-svn20061012.debian-5.1+etch2_hppa.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-nox_0.8.6-svn20061012.debian-5.1+etch2_hppa.deb; http://security.debian.org/pool/updates/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-5.1+etch2_hppa.deb; http://security.debian.org/pool/updates/main/v/vlc/mozilla-plugin-vlc_0.8.6-svn20061012.debian-5.1+etch2_hppa.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc_0.8.6-svn20061012.debian-5.1+etch2_hppa.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-esd_0.8.6-svn20061012.debian-5.1+etch2_hppa.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-arts_0.8.6-svn20061012.debian-5.1+etch2_hppa.deb; http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_hppa.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-ggi_0.8.6-svn20061012.debian-5.1+etch2_hppa.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-arts_0.8.6-svn20061012.debian-5.1+etch2_i386.deb; http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_i386.deb; http://security.debian.org/pool/updates/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-5.1+etch2_i386.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-svgalib_0.8.6-svn20061012.debian-5.1+etch2_i386.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-ggi_0.8.6-svn20061012.debian-5.1+etch2_i386.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-esd_0.8.6-svn20061012.debian-5.1+etch2_i386.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-sdl_0.8.6-svn20061012.debian-5.1+etch2_i386.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-nox_0.8.6-svn20061012.debian-5.1+etch2_i386.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc_0.8.6-svn20061012.debian-5.1+etch2_i386.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-glide_0.8.6-svn20061012.debian-5.1+etch2_i386.deb; http://security.debian.org/pool/updates/main/v/vlc/mozilla-plugin-vlc_0.8.6-svn20061012.debian-5.1+etch2_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-arts_0.8.6-svn20061012.debian-5.1+etch2_ia64.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc_0.8.6-svn20061012.debian-5.1+etch2_ia64.deb; http://security.debian.org/pool/updates/main/v/vlc/mozilla-plugin-vlc_0.8.6-svn20061012.debian-5.1+etch2_ia64.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-nox_0.8.6-svn20061012.debian-5.1+etch2_ia64.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-ggi_0.8.6-svn20061012.debian-5.1+etch2_ia64.deb; http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_ia64.deb; http://security.debian.org/pool/updates/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-5.1+etch2_ia64.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-esd_0.8.6-svn20061012.debian-5.1+etch2_ia64.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-sdl_0.8.6-svn20061012.debian-5.1+etch2_ia64.deb
Big-endian MIPS:: http://security.debian.org/pool/updates/main/v/vlc/vlc-nox_0.8.6-svn20061012.debian-5.1+etch2_mips.deb; http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_mips.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-arts_0.8.6-svn20061012.debian-5.1+etch2_mips.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-esd_0.8.6-svn20061012.debian-5.1+etch2_mips.deb; http://security.debian.org/pool/updates/main/v/vlc/mozilla-plugin-vlc_0.8.6-svn20061012.debian-5.1+etch2_mips.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc_0.8.6-svn20061012.debian-5.1+etch2_mips.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-sdl_0.8.6-svn20061012.debian-5.1+etch2_mips.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-ggi_0.8.6-svn20061012.debian-5.1+etch2_mips.deb; http://security.debian.org/pool/updates/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-5.1+etch2_mips.deb
Little-endian MIPS:: http://security.debian.org/pool/updates/main/v/vlc/vlc_0.8.6-svn20061012.debian-5.1+etch2_mipsel.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-sdl_0.8.6-svn20061012.debian-5.1+etch2_mipsel.deb; http://security.debian.org/pool/updates/main/v/vlc/mozilla-plugin-vlc_0.8.6-svn20061012.debian-5.1+etch2_mipsel.deb; http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_mipsel.deb; http://security.debian.org/pool/updates/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-5.1+etch2_mipsel.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-esd_0.8.6-svn20061012.debian-5.1+etch2_mipsel.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-arts_0.8.6-svn20061012.debian-5.1+etch2_mipsel.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-nox_0.8.6-svn20061012.debian-5.1+etch2_mipsel.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-ggi_0.8.6-svn20061012.debian-5.1+etch2_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-5.1+etch2_powerpc.deb; http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_powerpc.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-ggi_0.8.6-svn20061012.debian-5.1+etch2_powerpc.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-nox_0.8.6-svn20061012.debian-5.1+etch2_powerpc.deb; http://security.debian.org/pool/updates/main/v/vlc/mozilla-plugin-vlc_0.8.6-svn20061012.debian-5.1+etch2_powerpc.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-esd_0.8.6-svn20061012.debian-5.1+etch2_powerpc.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-sdl_0.8.6-svn20061012.debian-5.1+etch2_powerpc.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-arts_0.8.6-svn20061012.debian-5.1+etch2_powerpc.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc_0.8.6-svn20061012.debian-5.1+etch2_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_s390.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc_0.8.6-svn20061012.debian-5.1+etch2_s390.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-sdl_0.8.6-svn20061012.debian-5.1+etch2_s390.deb; http://security.debian.org/pool/updates/main/v/vlc/mozilla-plugin-vlc_0.8.6-svn20061012.debian-5.1+etch2_s390.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-nox_0.8.6-svn20061012.debian-5.1+etch2_s390.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-esd_0.8.6-svn20061012.debian-5.1+etch2_s390.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-ggi_0.8.6-svn20061012.debian-5.1+etch2_s390.deb; http://security.debian.org/pool/updates/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-5.1+etch2_s390.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-arts_0.8.6-svn20061012.debian-5.1+etch2_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-ggi_0.8.6-svn20061012.debian-5.1+etch2_sparc.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc_0.8.6-svn20061012.debian-5.1+etch2_sparc.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-sdl_0.8.6-svn20061012.debian-5.1+etch2_sparc.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-arts_0.8.6-svn20061012.debian-5.1+etch2_sparc.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-nox_0.8.6-svn20061012.debian-5.1+etch2_sparc.deb; http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch2_sparc.deb; http://security.debian.org/pool/updates/main/v/vlc/mozilla-plugin-vlc_0.8.6-svn20061012.debian-5.1+etch2_sparc.deb; http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-esd_0.8.6-svn20061012.debian-5.1+etch2_sparc.deb; http://security.debian.org/pool/updates/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-5.1+etch2_sparc.deb

MD5-kontrollsummor för dessa filer finns i originalbulletinen.