Debian Bug report logs - #480724
vlc: CVE-2008-2147 untrusted search path vulnerability for module library

Package: vlc; Maintainer for vlc is Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>; Source for vlc is src:vlc.

Reported by: Nico Golde <nion@debian.org>

Date: Sun, 11 May 2008 18:39:01 UTC

Severity: grave

Tags: patch, security

Fixed in versions vlc/0.8.6.e-2.2, vlc/0.8.6.c-6+lenny5

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#480724; Package vlc. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: vlc: local privilege escalation
Date: Sun, 11 May 2008 20:36:32 +0200
[Message part 1 (text/plain, inline)]
Package: vlc
Severity: grave
Tags: security patch

Hi,
vlc is vulnerable to a local privilege escalation[0]:
| At startup, VLC recursively scans the modules/ and plugins/ subdirectories from
| the current working directory, and tries to execute the vlc_entry__0_8_6 (or
| another in other VLC versions) symbol from any file matching the
| "lib*_plugin.so" pattern.

An attacker could use this to execute code by providing a crafted library file.

Patch: http://git.videolan.org/?p=vlc.git;a=commit;h=c7cef4fdd8dd72ce0a45be3cda8ba98df5e83181

This issue doesn't have a CVE id yet; I have already requested one and will update
this bug report when I get it.

Make sure to use it in your changelog then if you close the bug.

[0] https://trac.videolan.org/vlc/ticket/1578

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
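The loader behaviour quoted in the report (recursively walking modules/ and plugins/ under the current working directory and loading any lib*_plugin.so found there) is the untrusted search path the fix removed. As an added illustration for this page, not VLC's code or the linked patch, the C below shows a search-path policy that rejects relative and writable directories before a file name is ever built for dlopen(); the function names and the /tmp scratch directory are assumptions.

```c
/* Added example, not VLC's code or the linked patch: a trusted-search-path
 * policy for a plugin loader, for the bug class behind CVE-2008-2147. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Plugin candidates are bare file names "lib<name>_plugin.so", the pattern
 * quoted in the report; anything else is never handed to dlopen(). */
int is_plugin_filename(const char *name)
{
    const char *suffix = "_plugin.so";
    size_t n = strlen(name), sn = strlen(suffix);
    if (n <= 3 + sn || strncmp(name, "lib", 3) != 0) return 0;
    return strchr(name, '/') == NULL && strcmp(name + n - sn, suffix) == 0;
}

/* Search only absolute paths (a relative "modules" or "plugins" resolves against
 * the current working directory), real directories (no symlinks), owned by root
 * or the effective user, and not group/world-writable. */
int plugin_dir_is_trusted(const char *dir)
{
    struct stat st;
    if (dir == NULL || dir[0] != '/' || lstat(dir, &st) != 0) return 0;
    if (!S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != 0 && st.st_uid != geteuid()) return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Keep only trusted directories from a candidate search path; out[] receives
 * pointers into in[] and the number kept is returned. */
size_t filter_search_path(const char **in, size_t n, const char **out)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (plugin_dir_is_trusted(in[i]))
            out[kept++] = in[i];
    return kept;
}

/* Full path for dlopen(): 1 only if both the directory and file name pass. */
int resolve_plugin_path(const char *dir, const char *file, char *out, size_t outsz)
{
    if (!plugin_dir_is_trusted(dir) || !is_plugin_filename(file)) return 0;
    return snprintf(out, outsz, "%s/%s", dir, file) < (int)outsz;
}

/* Constructed scratch directory: trusted while 0700 and ours, untrusted once
 * made world-writable. Returns 1 when both observations hold. */
int demo_writable_dir_check(void)
{
    char tmpl[] = "/tmp/plugdir_XXXXXX";
    if (mkdtemp(tmpl) == NULL) return 0;
    int before = plugin_dir_is_trusted(tmpl);
    int after = chmod(tmpl, 0777) == 0 ? plugin_dir_is_trusted(tmpl) : -1;
    rmdir(tmpl);
    return before == 1 && after == 0;
}

/* Constructed candidate list: the two relative names are what the vulnerable
 * loader walked from the current directory; /tmp is world-writable; only "/" survives. */
size_t demo_filter(void)
{
    const char *candidates[] = { "modules", "plugins", "/tmp", "/" };
    const char *kept[4];
    return filter_search_path(candidates, 4, kept);
}

int main(void)
{
    printf("kept=%zu scratch_check=%d\n", demo_filter(), demo_writable_dir_check());
    return 0;
}
```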

Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#480724; Package vlc. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 480724@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 480724@bugs.debian.org
Cc: control@bugs.debian.org
Subject: adding CVE id
Date: Mon, 12 May 2008 22:57:38 +0200
[Message part 1 (text/plain, inline)]
retitle 480724 wordpress: CVE-2008-2147 untrusted search path vulnerability for module library
thanks

Hi,
CVE-2008-2147 was assigned to this issue. Please mention it 
in the changelog if you close this bug.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Changed Bug title to `wordpress: CVE-2008-2147 untrusted search path vulnerability for module library' from `vlc: local privilege escalation'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 12 May 2008 21:03:05 GMT) Full text and rfc822 format available.

Changed Bug title to `vlc: CVE-2008-2147 untrusted search path vulnerability for module library' from `wordpress: CVE-2008-2147 untrusted search path vulnerability for module library'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 15 May 2008 12:27:11 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#480724; Package vlc. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #19 received at 480724@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 478971@bugs.debian.org, 481417@bugs.debian.org, 477734@bugs.debian.org, 480724@bugs.debian.org, 480370@bugs.debian.org
Subject: intent to NMU
Date: Fri, 16 May 2008 17:39:53 +0200
[Message part 1 (text/plain, inline)]
Hi,
Uploading a 0-day NMU with permission of xtophe, who checked
the debdiff.

debdiff attached and also archived on:
http://people.debian.org/~nion/nmu-diff/vlc-0.8.6.e-2.1_0.8.6.e-2.2.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[vlc-0.8.6.e-2.1_0.8.6.e-2.2.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #24 received at 480724-close@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 480724-close@bugs.debian.org
Subject: Bug#480724: fixed in vlc 0.8.6.e-2.2
Date: Fri, 16 May 2008 15:47:18 +0000
Source: vlc
Source-Version: 0.8.6.e-2.2

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/libvlc0-dev_0.8.6.e-2.2_amd64.deb
libvlc0_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/libvlc0_0.8.6.e-2.2_amd64.deb
mozilla-plugin-vlc_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.e-2.2_amd64.deb
vlc-nox_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/vlc-nox_0.8.6.e-2.2_amd64.deb
vlc-plugin-alsa_0.8.6.e-2.2_all.deb
  to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.e-2.2_all.deb
vlc-plugin-arts_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.8.6.e-2.2_amd64.deb
vlc-plugin-esd_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.8.6.e-2.2_amd64.deb
vlc-plugin-ggi_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.e-2.2_amd64.deb
vlc-plugin-jack_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-jack_0.8.6.e-2.2_amd64.deb
vlc-plugin-sdl_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.e-2.2_amd64.deb
vlc-plugin-svgalib_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.e-2.2_amd64.deb
vlc_0.8.6.e-2.2.diff.gz
  to pool/main/v/vlc/vlc_0.8.6.e-2.2.diff.gz
vlc_0.8.6.e-2.2.dsc
  to pool/main/v/vlc/vlc_0.8.6.e-2.2.dsc
vlc_0.8.6.e-2.2_amd64.deb
  to pool/main/v/vlc/vlc_0.8.6.e-2.2_amd64.deb
wxvlc_0.8.6.e-2.2_all.deb
  to pool/main/v/vlc/wxvlc_0.8.6.e-2.2_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 480724@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 16 May 2008 16:18:04 +0200
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-alsa vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts mozilla-plugin-vlc vlc-plugin-svgalib wxvlc vlc-plugin-jack
Architecture: source all amd64
Version: 0.8.6.e-2.2
Distribution: unstable
Urgency: high
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 libvlc0    - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc        - multimedia player and streamer
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-alsa - dummy transitional package
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-glide - Glide video output plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svgalib - SVGAlib video output plugin for VLC
 wxvlc      - dummy transitional package
Closes: 477734 478971 480370 480724 481417
Changes: 
 vlc (0.8.6.e-2.2) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix regression introduced by latest security upload which
     did not properly define FREENULL (Closes: #478971,#481417,#477734).
   * Fix untrusted search path vulnerability by not loading libraries
     from plugins and modules directories in the current working
     directory (CVE-2008-2147; Closes: #480724).
   * Fix arbitrary file overwriting via a crafted playlist or an EXTLVLCOPT
     statement in an mp3 file by partially disabling this functionality
     for the browser plugin (CVE-2007-6683; Closes: #480370).

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #29 received at 480724-close@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 480724-close@bugs.debian.org
Subject: Bug#480724: fixed in vlc 0.8.6.c-6+lenny5
Date: Sat, 17 May 2008 12:47:15 +0000
Source: vlc
Source-Version: 0.8.6.c-6+lenny5

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6.c-6+lenny5_amd64.deb
  to pool/main/v/vlc/libvlc0-dev_0.8.6.c-6+lenny5_amd64.deb
libvlc0_0.8.6.c-6+lenny5_amd64.deb
  to pool/main/v/vlc/libvlc0_0.8.6.c-6+lenny5_amd64.deb
mozilla-plugin-vlc_0.8.6.c-6+lenny5_amd64.deb
  to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.c-6+lenny5_amd64.deb
vlc-nox_0.8.6.c-6+lenny5_amd64.deb
  to pool/main/v/vlc/vlc-nox_0.8.6.c-6+lenny5_amd64.deb
vlc-plugin-alsa_0.8.6.c-6+lenny5_all.deb
  to pool/main/v/vlc/vlc-plugin-alsa_0.8.6.c-6+lenny5_all.deb
vlc-plugin-arts_0.8.6.c-6+lenny5_amd64.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.8.6.c-6+lenny5_amd64.deb
vlc-plugin-esd_0.8.6.c-6+lenny5_amd64.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.8.6.c-6+lenny5_amd64.deb
vlc-plugin-ggi_0.8.6.c-6+lenny5_amd64.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.c-6+lenny5_amd64.deb
vlc-plugin-jack_0.8.6.c-6+lenny5_amd64.deb
  to pool/main/v/vlc/vlc-plugin-jack_0.8.6.c-6+lenny5_amd64.deb
vlc-plugin-sdl_0.8.6.c-6+lenny5_amd64.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.c-6+lenny5_amd64.deb
vlc-plugin-svgalib_0.8.6.c-6+lenny5_amd64.deb
  to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.c-6+lenny5_amd64.deb
vlc_0.8.6.c-6+lenny5.diff.gz
  to pool/main/v/vlc/vlc_0.8.6.c-6+lenny5.diff.gz
vlc_0.8.6.c-6+lenny5.dsc
  to pool/main/v/vlc/vlc_0.8.6.c-6+lenny5.dsc
vlc_0.8.6.c-6+lenny5_amd64.deb
  to pool/main/v/vlc/vlc_0.8.6.c-6+lenny5_amd64.deb
wxvlc_0.8.6.c-6+lenny5_all.deb
  to pool/main/v/vlc/wxvlc_0.8.6.c-6+lenny5_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 480724@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 16 May 2008 17:45:15 +0200
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-alsa vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts mozilla-plugin-vlc vlc-plugin-svgalib wxvlc vlc-plugin-jack
Architecture: source all amd64
Version: 0.8.6.c-6+lenny5
Distribution: testing-security
Urgency: high
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 libvlc0    - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc        - multimedia player and streamer
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-alsa - dummy transitional package
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-glide - Glide video output plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svgalib - SVGAlib video output plugin for VLC
 wxvlc      - dummy transitional package
Closes: 477734 478971 480370 480724 481417
Changes: 
 vlc (0.8.6.c-6+lenny5) testing-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix regression introduced by latest security upload which
     did not properly define FREENULL (Closes: #478971,#481417,#477734).
   * Fix untrusted search path vulnerability by not loading libraries
     from plugins and modules directories in the current working
     directory (CVE-2008-2147; Closes: #480724).
   * Fix arbitrary file overwriting via a crafted playlist or an EXTLVLCOPT
     statement in an mp3 file by partially disabling this functionality
     for the browser plugin (CVE-2007-6683; Closes: #480370).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 20 Jun 2008 07:29:38 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 03:45:41 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.