Debian Bug report logs - #478140
vlc: CVE-2008-1768, CVE-2008-1769 multiple security issues

version graph

Package: vlc; Maintainer for vlc is Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>; Source for vlc is src:vlc.

Reported by: Nico Golde <nion@debian.org>

Date: Sun, 27 Apr 2008 13:45:02 UTC

Severity: grave

Tags: patch, security

Fixed in versions vlc/0.8.6.c-6+lenny4, vlc/0.8.6.e-2.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#478140; Package vlc. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: vlc: CVE-2008-1768, CVE-2008-1769 multiple security issues
Date: Sun, 27 Apr 2008 15:42:24 +0200
[Message part 1 (text/plain, inline)]
Package: vlc
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for vlc.


CVE-2008-1769[0]:
| VLC before 0.8.6f allow remote attackers to cause a denial of service
| (crash) via a crafted Cinepak file that triggers an out-of-bounds
| array access and memory corruption.

Patch:
http://trac.videolan.org/vlc/changeset/d7e6e4afcecea38831282152d6e7af9a62989985

CVE-2008-1768[1]:
| Multiple integer overflows in VLC before 0.8.6f allow remote attackers
| to cause a denial of service (crash) via the (1) MP4 demuxer, (2) Real
| demuxer, and (3) Cinepak codec, which triggers a buffer overflow.

The MP4 demuxer issue is already partly covered by #467652, 
please also use:
http://trac.videolan.org/vlc/changeset/3a6282755277ba9321d405c635e50da935d258a6 and
http://trac.videolan.org/vlc/changeset/edca13e259472872fdfd456cf3ef4a21d1262c11

Real demuxer patch:
http://trac.videolan.org/vlc/changeset/783ab03c7bd8ddedcd3dc5bad18efc70a4c57aaa

Cinepack integer overflow patch:
http://trac.videolan.org/vlc/changeset/18eb4fd5a75b6429d1d7058a8967696be701a00b

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1769
    http://security-tracker.debian.net/tracker/CVE-2008-1769
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1768
    http://security-tracker.debian.net/tracker/CVE-2008-1768

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #10 received at 478140-close@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 478140-close@bugs.debian.org
Subject: Bug#478140: fixed in vlc 0.8.6.c-6+lenny4
Date: Mon, 28 Apr 2008 15:47:07 +0000
Source: vlc
Source-Version: 0.8.6.c-6+lenny4

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6.c-6+lenny4_amd64.deb
  to pool/main/v/vlc/libvlc0-dev_0.8.6.c-6+lenny4_amd64.deb
libvlc0_0.8.6.c-6+lenny4_amd64.deb
  to pool/main/v/vlc/libvlc0_0.8.6.c-6+lenny4_amd64.deb
mozilla-plugin-vlc_0.8.6.c-6+lenny4_amd64.deb
  to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.c-6+lenny4_amd64.deb
vlc-nox_0.8.6.c-6+lenny4_amd64.deb
  to pool/main/v/vlc/vlc-nox_0.8.6.c-6+lenny4_amd64.deb
vlc-plugin-alsa_0.8.6.c-6+lenny4_all.deb
  to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.c-6+lenny4_all.deb
vlc-plugin-arts_0.8.6.c-6+lenny4_amd64.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.8.6.c-6+lenny4_amd64.deb
vlc-plugin-esd_0.8.6.c-6+lenny4_amd64.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.8.6.c-6+lenny4_amd64.deb
vlc-plugin-ggi_0.8.6.c-6+lenny4_amd64.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.c-6+lenny4_amd64.deb
vlc-plugin-jack_0.8.6.c-6+lenny4_amd64.deb
  to pool/main/v/vlc/vlc-plugin-jack_0.8.6.c-6+lenny4_amd64.deb
vlc-plugin-sdl_0.8.6.c-6+lenny4_amd64.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.c-6+lenny4_amd64.deb
vlc-plugin-svgalib_0.8.6.c-6+lenny4_amd64.deb
  to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.c-6+lenny4_amd64.deb
vlc_0.8.6.c-6+lenny4.diff.gz
  to pool/main/v/vlc/vlc_0.8.6.c-6+lenny4.diff.gz
vlc_0.8.6.c-6+lenny4.dsc
  to pool/main/v/vlc/vlc_0.8.6.c-6+lenny4.dsc
vlc_0.8.6.c-6+lenny4_amd64.deb
  to pool/main/v/vlc/vlc_0.8.6.c-6+lenny4_amd64.deb
wxvlc_0.8.6.c-6+lenny4_all.deb
  to pool/main/v/vlc/wxvlc_0.8.6.c-6+lenny4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 478140@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 27 Apr 2008 16:32:34 +0200
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-alsa vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts mozilla-plugin-vlc vlc-plugin-svgalib wxvlc vlc-plugin-jack
Architecture: source all amd64
Version: 0.8.6.c-6+lenny4
Distribution: testing-security
Urgency: high
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 libvlc0    - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc        - multimedia player and streamer
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-alsa - dummy transitional package
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-glide - Glide video output plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svgalib - SVGAlib video output plugin for VLC
 wxvlc      - dummy transitional package
Closes: 477805 478140 478140
Changes: 
 vlc (0.8.6.c-6+lenny4) testing-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * This update addresses the following security issues:
     - CVE-2008-1769: out-of-bounds array access and memory corruption
       via a crafted cinepak file (Closes: #478140).
     - CVE-2008-1768: multiple integer overflow triggering buffer overflows
       in the mp4 and real demuxer and the cinepak codec (Closes: #478140).
     - CVE-2008-1881: stack-based buffer overflow in subtitle parsing leading
       to arbitrary code execution via crafted subtitle file (Closes: #477805).
Checksums-Sha1: 
 969ed605acacc8f86d2c8504cfaa3e2a9a738bb1 3101 vlc_0.8.6.c-6+lenny4.dsc
 73127c27a3545e10efb5c7c79d191249572d40a5 41394 vlc_0.8.6.c-6+lenny4.diff.gz
 5478e21d2d171b92da7620086bbd2d9d8c937fae 800 vlc-plugin-alsa_0.8.6.c-6+lenny4_all.deb
 1f353f0b33cdfb9f0368eb58d815f713f75fb56d 794 wxvlc_0.8.6.c-6+lenny4_all.deb
 04ffdd06f748f6be3ba797c81fe13bf0dc48c8b3 1160532 vlc_0.8.6.c-6+lenny4_amd64.deb
 9251783bffb13313b893d63990dccf6fe182ec1c 4661230 vlc-nox_0.8.6.c-6+lenny4_amd64.deb
 cf5587de66bd750e59b2e7cdcb245bc0373d10b2 457322 libvlc0_0.8.6.c-6+lenny4_amd64.deb
 10ec97be81ff42f949a79e96cf4a4dc2d309bd38 504464 libvlc0-dev_0.8.6.c-6+lenny4_amd64.deb
 9ca20ff0a320b501d0d2747f3b1a3b2017ea51fb 4538 vlc-plugin-esd_0.8.6.c-6+lenny4_amd64.deb
 98ce369b70dc74ca272ad037b549afceedfb633e 11646 vlc-plugin-sdl_0.8.6.c-6+lenny4_amd64.deb
 74f76bd552bf23f8ddb0f30c15c1127fb72b4229 6216 vlc-plugin-ggi_0.8.6.c-6+lenny4_amd64.deb
 728c259fbd882268002e4b36e514b94f1237df54 4186 vlc-plugin-arts_0.8.6.c-6+lenny4_amd64.deb
 07043015d39766662e49a8032a48f7018b3d02b2 38578 mozilla-plugin-vlc_0.8.6.c-6+lenny4_amd64.deb
 456480da0ce73f296a3d89be3dd84239463f44fb 4812 vlc-plugin-svgalib_0.8.6.c-6+lenny4_amd64.deb
 7e4f3e20c8fa1ec1d8ea29cb8c75f09fa45a0507 4878 vlc-plugin-jack_0.8.6.c-6+lenny4_amd64.deb
Checksums-Sha256: 
 47350d6be9493ea34787d0c6293cb502329dc3d9d58793797a87197b277dfda8 3101 vlc_0.8.6.c-6+lenny4.dsc
 cd4fec0381bc86094267330d173edab05e2226746553293efaec3a37ed6b1036 41394 vlc_0.8.6.c-6+lenny4.diff.gz
 e0bf645dfe5832b24984de6c0d1fa35b94e6e87c6d4a16310cea02ca3562d8d7 800 vlc-plugin-alsa_0.8.6.c-6+lenny4_all.deb
 addc5597469fa238c80ef3a5b3c7d615fff4b303e1573e5fbfb225fa39cb7c81 794 wxvlc_0.8.6.c-6+lenny4_all.deb
 fb72c37e59648adfca7b6cf63ce100b47079adf26a81525a419f8b2bc329c7f9 1160532 vlc_0.8.6.c-6+lenny4_amd64.deb
 940d349d3c8bb77db84bc8d49e46a1b3c61ad5b4644b50c1a5c7cbeb1439bd02 4661230 vlc-nox_0.8.6.c-6+lenny4_amd64.deb
 d9cee4e988ca8b1a74fb94d98031878b4f17ccb162b427af61afad610f2a73a1 457322 libvlc0_0.8.6.c-6+lenny4_amd64.deb
 1462f362bf563a5e20409eb59ad008afb098f5ac17bdf75827dcdfaf3eea5ad7 504464 libvlc0-dev_0.8.6.c-6+lenny4_amd64.deb
 e0b79920f2d0eb91fa9173e02f6009d0e1ac28d9c9e1409b2a4eaee72bdcae47 4538 vlc-plugin-esd_0.8.6.c-6+lenny4_amd64.deb
 d1eb788c55c9e2010bf8a3736fb4551081ae064c78b0565f60ca43087596953f 11646 vlc-plugin-sdl_0.8.6.c-6+lenny4_amd64.deb
 fec451d13e9f519d932323518b08a9f52f90e7c2c86839c5d8ac3cab68d9cbb2 6216 vlc-plugin-ggi_0.8.6.c-6+lenny4_amd64.deb
 8e8241dc0b551a6583f47e58e767adf0b3567da9bc50e5a2184b0846bce9265e 4186 vlc-plugin-arts_0.8.6.c-6+lenny4_amd64.deb
 db878241d53e3cc0378c2809e031229f018e1cf93e2323319b577956c37bffbc 38578 mozilla-plugin-vlc_0.8.6.c-6+lenny4_amd64.deb
 58461944b49270710e342a15983dc8b7c39cc64b2420098e18289e3a32334906 4812 vlc-plugin-svgalib_0.8.6.c-6+lenny4_amd64.deb
 7e8320280fb281a576158c673efa8b8a9c0f0606c57738a089cefd78c86c5ae1 4878 vlc-plugin-jack_0.8.6.c-6+lenny4_amd64.deb
Files: 
 760dcb306b60d1e826fad333b8da2982 3101 graphics optional vlc_0.8.6.c-6+lenny4.dsc
 7ab0694b1d9198e0806fd51033155308 41394 graphics optional vlc_0.8.6.c-6+lenny4.diff.gz
 756fb29b95e9bbc347da7f8c11d6ff85 800 graphics optional vlc-plugin-alsa_0.8.6.c-6+lenny4_all.deb
 2b65c262cb536fe33085d663e41a8be4 794 graphics optional wxvlc_0.8.6.c-6+lenny4_all.deb
 9a0b2314c253fccb5f6840efae5bc22b 1160532 graphics optional vlc_0.8.6.c-6+lenny4_amd64.deb
 23f183dfcf7bf8086d7f725c2211fa79 4661230 net optional vlc-nox_0.8.6.c-6+lenny4_amd64.deb
 49f62bc2ebe5663368b4f55fda91d4b6 457322 libs optional libvlc0_0.8.6.c-6+lenny4_amd64.deb
 c12059707bc2ecca7f3cce9e885d66fa 504464 libdevel optional libvlc0-dev_0.8.6.c-6+lenny4_amd64.deb
 db67c923d92fa51a01ecb29ffc7f17f1 4538 graphics optional vlc-plugin-esd_0.8.6.c-6+lenny4_amd64.deb
 a05b9b7f38a38c244880f4ea6c709edd 11646 graphics optional vlc-plugin-sdl_0.8.6.c-6+lenny4_amd64.deb
 44e412de1ab131b9d1276b96fbf2d458 6216 graphics optional vlc-plugin-ggi_0.8.6.c-6+lenny4_amd64.deb
 40ac7cbb99c89d139d71feaa5bc11e09 4186 graphics optional vlc-plugin-arts_0.8.6.c-6+lenny4_amd64.deb
 e552c4aba44601d5c4012553fb69f843 38578 graphics optional mozilla-plugin-vlc_0.8.6.c-6+lenny4_amd64.deb
 a06c95fdf43be40a1d1007702fb2710b 4812 graphics optional vlc-plugin-svgalib_0.8.6.c-6+lenny4_amd64.deb
 1897129b07ed5629d88b4c90b51a3332 4878 graphics optional vlc-plugin-jack_0.8.6.c-6+lenny4_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIFJOxHYflSXNkfP8RAnJhAJsGYLH67PacaZziAeDfjeWNJy1QUwCgqbqc
Hrxv6oSCCJllXnvrtBLhiac=
=X+jm
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#478140; Package vlc. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #15 received at 478140@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 478140@bugs.debian.org, 477805@bugs.debian.org
Subject: intent to NMU
Date: Tue, 29 Apr 2008 00:14:44 +0200
[Message part 1 (text/plain, inline)]
Hi,
uploading a 0-day NMU with Maintainers permission 
(Christophe Mutricy). debdiff attached and also archived on:
http://people.debian.org/~nion/nmu-diff/vlc-0.8.6.e-2_0.8.6.e-2.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#478140; Package vlc. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #20 received at 478140@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 478140@bugs.debian.org, 477805@bugs.debian.org
Subject: patch name
Date: Tue, 29 Apr 2008 00:36:19 +0200
[Message part 1 (text/plain, inline)]
Hi,
one of the patch names in the package is wrong (the patch 
itself is ok). 404-CVE-2008-1768.diff should be 
404-CVE-2008-1881.diff.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #25 received at 478140-close@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 478140-close@bugs.debian.org
Subject: Bug#478140: fixed in vlc 0.8.6.e-2.1
Date: Mon, 28 Apr 2008 22:47:05 +0000
Source: vlc
Source-Version: 0.8.6.e-2.1

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6.e-2.1_amd64.deb
  to pool/main/v/vlc/libvlc0-dev_0.8.6.e-2.1_amd64.deb
libvlc0_0.8.6.e-2.1_amd64.deb
  to pool/main/v/vlc/libvlc0_0.8.6.e-2.1_amd64.deb
mozilla-plugin-vlc_0.8.6.e-2.1_amd64.deb
  to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.e-2.1_amd64.deb
vlc-nox_0.8.6.e-2.1_amd64.deb
  to pool/main/v/vlc/vlc-nox_0.8.6.e-2.1_amd64.deb
vlc-plugin-alsa_0.8.6.e-2.1_all.deb
  to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.e-2.1_all.deb
vlc-plugin-arts_0.8.6.e-2.1_amd64.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.8.6.e-2.1_amd64.deb
vlc-plugin-esd_0.8.6.e-2.1_amd64.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.8.6.e-2.1_amd64.deb
vlc-plugin-ggi_0.8.6.e-2.1_amd64.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.e-2.1_amd64.deb
vlc-plugin-jack_0.8.6.e-2.1_amd64.deb
  to pool/main/v/vlc/vlc-plugin-jack_0.8.6.e-2.1_amd64.deb
vlc-plugin-sdl_0.8.6.e-2.1_amd64.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.e-2.1_amd64.deb
vlc-plugin-svgalib_0.8.6.e-2.1_amd64.deb
  to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.e-2.1_amd64.deb
vlc_0.8.6.e-2.1.diff.gz
  to pool/main/v/vlc/vlc_0.8.6.e-2.1.diff.gz
vlc_0.8.6.e-2.1.dsc
  to pool/main/v/vlc/vlc_0.8.6.e-2.1.dsc
vlc_0.8.6.e-2.1_amd64.deb
  to pool/main/v/vlc/vlc_0.8.6.e-2.1_amd64.deb
wxvlc_0.8.6.e-2.1_all.deb
  to pool/main/v/vlc/wxvlc_0.8.6.e-2.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 478140@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 27 Apr 2008 16:17:49 +0200
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-alsa vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts mozilla-plugin-vlc vlc-plugin-svgalib wxvlc vlc-plugin-jack
Architecture: source all amd64
Version: 0.8.6.e-2.1
Distribution: unstable
Urgency: high
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 libvlc0    - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc        - multimedia player and streamer
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-alsa - dummy transitional package
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-glide - Glide video output plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svgalib - SVGAlib video output plugin for VLC
 wxvlc      - dummy transitional package
Closes: 477805 478140 478140
Changes: 
 vlc (0.8.6.e-2.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * This update addresses the following security issues:
     - CVE-2008-1769: out-of-bounds array access and memory corruption
       via a crafted cinepak file (Closes: #478140).
     - CVE-2008-1768: multiple integer overflow triggering buffer overflows
       in the mp4 and real demuxer and the cinepak codec (Closes: #478140).
     - CVE-2008-1881: stack-based buffer overflow in subtitle parsing leading
       to arbitrary code execution via crafted subtitle file (Closes: #477805).
Checksums-Sha1: 
 8afba5b41a9cc757d246e66c028b3feabce06505 3081 vlc_0.8.6.e-2.1.dsc
 7b0aae3db2490b769c6b2c70090d915a5c33a765 39672 vlc_0.8.6.e-2.1.diff.gz
 12646b42838114757bfaca8c877d3db102279d95 794 vlc-plugin-alsa_0.8.6.e-2.1_all.deb
 e56bbfe588cf0f4834c0f3d669b7b7c4aba8e123 790 wxvlc_0.8.6.e-2.1_all.deb
 7b270a6e8a5652dd0f42b93e44cd7561e28d672a 1166110 vlc_0.8.6.e-2.1_amd64.deb
 4282819080fc36ed17bb659e5cf2946313f4d4db 4795738 vlc-nox_0.8.6.e-2.1_amd64.deb
 8b68378ff6f4b612c9666a7a66963c088f25c5b5 468894 libvlc0_0.8.6.e-2.1_amd64.deb
 a9b7ddc3ee2cb87a55a5d832049ea8df2e529a3a 505264 libvlc0-dev_0.8.6.e-2.1_amd64.deb
 e6945ebbdece6da683212a84d535fef51e2dd7c8 4528 vlc-plugin-esd_0.8.6.e-2.1_amd64.deb
 00a36f07cf55e37fc5cd70d47f7e5f600d7e10a3 11654 vlc-plugin-sdl_0.8.6.e-2.1_amd64.deb
 d138474b267ae82e7662f7afe58a7d146167ae0e 6220 vlc-plugin-ggi_0.8.6.e-2.1_amd64.deb
 fa668cca7f6d9dad739c34103e253c4577d6edb0 4186 vlc-plugin-arts_0.8.6.e-2.1_amd64.deb
 191b793f0c46c13d0236213a2793fd2db918c5ef 38720 mozilla-plugin-vlc_0.8.6.e-2.1_amd64.deb
 6ca5064393aeccc9344d5e4e0405d38019e67876 4804 vlc-plugin-svgalib_0.8.6.e-2.1_amd64.deb
 6ac7f5abf93ee107aee3f5b9207eef07e0b547b2 4878 vlc-plugin-jack_0.8.6.e-2.1_amd64.deb
Checksums-Sha256: 
 f33e5159904397d019aad2709fef486b04b006f20df2907e1c354981f531b9a1 3081 vlc_0.8.6.e-2.1.dsc
 e1cac7f06d111bf556288f114812c063cad80f7ef52aa1f1883b74d4242d4f42 39672 vlc_0.8.6.e-2.1.diff.gz
 d4fb315e68d3763042d2488ad750b3028c5e19823e638fad2d3cfaa566809aec 794 vlc-plugin-alsa_0.8.6.e-2.1_all.deb
 ed6525fcc610d3030d0790d77e56cd04cab01ef9ec256bcd6fb47b84f7863483 790 wxvlc_0.8.6.e-2.1_all.deb
 d02847f35885f13aaeda064d7111963ffc36d5dc60cb2852c44e78c753863965 1166110 vlc_0.8.6.e-2.1_amd64.deb
 71513e5254e3c4ba93bb56f6ad3f348e10cfc9d097565ca54ec49426264d482b 4795738 vlc-nox_0.8.6.e-2.1_amd64.deb
 5a3ba6b45351a7adbb8f54095ddbd1c9c202210efb94cade804ef2df49d3e08f 468894 libvlc0_0.8.6.e-2.1_amd64.deb
 090946702faded0350b9ee8d8b4700be5a2cf44cfee59db312fb432f89098994 505264 libvlc0-dev_0.8.6.e-2.1_amd64.deb
 1251ba656158b014d6498f47fa421d2bdda476d5776bc54d2120ee8da08bd185 4528 vlc-plugin-esd_0.8.6.e-2.1_amd64.deb
 be17ea20a8a762eeba30868e28478def2de6b2568f6115fc365c51b86bc14509 11654 vlc-plugin-sdl_0.8.6.e-2.1_amd64.deb
 495d5c59f40e993c9a9aef19158a95e0cfbe633255eead65461c4898ff933da0 6220 vlc-plugin-ggi_0.8.6.e-2.1_amd64.deb
 902bd716f4d6682cc83f32e781d82a03c0882841d66d00024d764e44d752aeca 4186 vlc-plugin-arts_0.8.6.e-2.1_amd64.deb
 f388876fa7c919c33b27f969bd5fd72a458772f6175289d585fac3a79cb12f0e 38720 mozilla-plugin-vlc_0.8.6.e-2.1_amd64.deb
 425d5ce562168814bbb2cc585a9893e3095e5fa42600e6e0455863c073adb93e 4804 vlc-plugin-svgalib_0.8.6.e-2.1_amd64.deb
 ee44a840ba112861d36ccffe44c01ba35227765ad0b43ec650a297c8f885a4d7 4878 vlc-plugin-jack_0.8.6.e-2.1_amd64.deb
Files: 
 37ed653d9f35e9ecd0228274b2ef593f 3081 graphics optional vlc_0.8.6.e-2.1.dsc
 2f81b07d1e0aee1c037e7d1eb438a2d8 39672 graphics optional vlc_0.8.6.e-2.1.diff.gz
 fe1a451b4adb035d7d40ced3172eaf78 794 graphics optional vlc-plugin-alsa_0.8.6.e-2.1_all.deb
 3f1ecb9fa3cef176ec74bae45e18df57 790 graphics optional wxvlc_0.8.6.e-2.1_all.deb
 8140882854a526433c5a603705b07ed4 1166110 graphics optional vlc_0.8.6.e-2.1_amd64.deb
 8f0cef92a309e12377dfcd8796269ae2 4795738 net optional vlc-nox_0.8.6.e-2.1_amd64.deb
 4540aca2e9133ca7f3c8de4d95144d77 468894 libs optional libvlc0_0.8.6.e-2.1_amd64.deb
 c40f9e7bea2ebfa61d44ad1a4c93074e 505264 libdevel optional libvlc0-dev_0.8.6.e-2.1_amd64.deb
 76786f24a7af32efc917fd0533d3694e 4528 graphics optional vlc-plugin-esd_0.8.6.e-2.1_amd64.deb
 569c6a90defeef6fff2ed12c916d4121 11654 graphics optional vlc-plugin-sdl_0.8.6.e-2.1_amd64.deb
 aa07c6bf10367dc0b933b3f41f225b4b 6220 graphics optional vlc-plugin-ggi_0.8.6.e-2.1_amd64.deb
 dd25e4b33e360d300328ce41ba8b1eac 4186 graphics optional vlc-plugin-arts_0.8.6.e-2.1_amd64.deb
 f88474cbe9c7a0e78e268ecf4bef2807 38720 graphics optional mozilla-plugin-vlc_0.8.6.e-2.1_amd64.deb
 751b47b3de7d73c695216a5764627062 4804 graphics optional vlc-plugin-svgalib_0.8.6.e-2.1_amd64.deb
 1ee44faf8420b9dea185f758b9a15fb1 4878 graphics optional vlc-plugin-jack_0.8.6.e-2.1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIFk5aHYflSXNkfP8RApt5AJ4wM2tuV56N/MyrolFGAxFV1TYkXQCgtYnW
XEBAcJJRYhoIMv3VjJ4At0E=
=GlM2
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 20 Jun 2008 07:32:04 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 08:41:40 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.