Bernard Massot
2008-Sep-05 08:03 UTC
[Secure-testing-team] Bug#497894: vlc: CVE-2008-3732 Integer overflow in the Open function in modules/demux/tta.c
Package: vlc Version: 0.8.6.h-4 Severity: grave Tags: security Justification: user security hole When parsing the header of an invalid TTA file, an integer overflow might happen causing an heap-based buffer overflow. When parsing a response from an MMS server, an integer overflow might happen causing a stack-based buffer overflow. See http://www.videolan.org/security/sa0807.html . -- System Information: Debian Release: lenny/sid APT prefers unstable APT policy: (500, ''unstable''), (500, ''stable'') Architecture: i386 (i686) Kernel: Linux 2.6.25-2-686 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages vlc depends on: ii libaa1 1.4p5-37+b1 ascii art library ii libatk1.0-0 1.22.0-1 The ATK accessibility toolkit ii libavcodec51 0.svn20080206-12 ffmpeg codec library ii libc6 2.7-13 GNU C Library: Shared libraries ii libcaca0 0.99.beta14-1 colour ASCII art library ii libcairo2 1.6.4-6 The Cairo 2D vector graphics libra ii libcdio7 0.78.2+dfsg1-3 library to read and control CD-ROM ii libcucul0 0.99.beta14-1 low-level Unicode character drawin ii libdbus-1-3 1.2.1-3 simple interprocess messaging syst ii libdbus-glib-1-2 0.76-1 simple interprocess messaging syst ii libfreetype6 2.3.7-2 FreeType 2 font engine, shared lib ii libfribidi0 0.10.9-1 Free Implementation of the Unicode ii libgcc1 1:4.3.1-9 GCC support library ii libgl1-mesa-glx [libgl 7.0.3-5 A free implementation of the OpenG ii libglib2.0-0 2.16.5-1 The GLib library of C routines ii libglu1-mesa [libglu1] 7.0.3-5 The OpenGL utility library (GLU) ii libgtk2.0-0 2.12.11-3 The GTK+ graphical user interface ii libice6 2:1.0.4-1 X11 Inter-Client Exchange library ii libiso9660-5 0.78.2+dfsg1-3 library to work with ISO9660 files ii libjpeg62 6b-14 The Independent JPEG Group''s JPEG ii libnotify1 [libnotify1 0.4.4-3 sends desktop notifications to a n ii libpango1.0-0 1.20.5-2 Layout and rendering of internatio ii libpng12-0 1.2.27-1 PNG library - runtime ii libsdl-image1.2 1.2.6-3 image loading library for Simple D ii libsdl1.2debian 1.2.13-2 Simple DirectMedia Layer ii libsm6 2:1.0.3-2 X11 Session Management library ii libstdc++6 4.3.1-9 The GNU Standard C++ Library v3 ii libtar 1.2.11-5 C library for manipulating tar arc ii libtiff4 3.8.2-11 Tag Image File Format (TIFF) libra ii libvcdinfo0 0.7.23-4 library to extract information fro ii libvlc0 0.8.6.h-4 multimedia player and streamer lib ii libwxbase2.6-0 2.6.3.2.2-2 wxBase library (runtime) - non-GUI ii libwxgtk2.6-0 2.6.3.2.2-2 wxWidgets Cross-platform C++ GUI t ii libx11-6 2:1.1.4-2 X11 client-side library ii libxext6 2:1.0.4-1 X11 miscellaneous extension librar ii libxinerama1 2:1.0.3-2 X11 Xinerama extension library ii libxosd2 2.2.14-1.6 X On-Screen Display library - runt ii libxv1 2:1.0.4-1 X11 Video extension library ii ttf-dejavu-core 2.25-3 Vera font family derivate with add ii vlc-nox 0.8.6.h-4 multimedia player and streamer (wi ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime vlc recommends no packages. Versions of packages vlc suggests: pn mozilla-plugin-vlc <none> (no description available) pn videolan-doc <none> (no description available) -- no debconf information