Sam Hocevar
2007-Jun-21 18:22 UTC
[Secure-testing-team] fixed vlc packages for VideoLAN-SA-0702
Dear security and testing-security teams,

I have prepared sarge and etch packages for the VideoLAN-SA-0702 advisory (found at http://www.videolan.org/sa0702.html). I took the liberty to fix other DoS and buffer overflow bugs in the package; if you are not happy with this let me know and I will remove them. The debdiffs are clean and it should be quite obvious what the different patches do.

Sarge is not vulnerable to the CDDA part of the advisory. Fixed packages are here:
http://people.zoy.org/~sam/vlc/0.8.1.svn20050314-1sarge3/

Etch is vulnerable to all holes in the advisory. Packages are here:
http://people.zoy.org/~sam/vlc/0.8.6-svn20061012.debian-5etch1/

Lenny is vulnerable to all holes in the advisory. Packages are here:
http://people.zoy.org/~sam/vlc/0.8.6.a.debian-6lenny1/

Sid is vulnerable to all holes in the advisory. The fixed packages will be 0.8.6.c.debian-1.

Regards,
-- Sam.
Moritz Muehlenhoff
2007-Jun-21 18:45 UTC
[Secure-testing-team] fixed vlc packages for VideoLAN-SA-0702
On Thu, Jun 21, 2007 at 08:22:06PM +0200, Sam Hocevar wrote:
> Dear security and testing-security teams,
>
> I have prepared sarge and etch packages for the VideoLAN-SA-0702
> advisory (found at http://www.videolan.org/sa0702.html). I took the
> liberty to fix other DoS and buffer overflow bugs in the package, if you
> are not happy with this let me know and I will remove them. The debdiffs
> are clean and it should be quite obvious what the different patches do.
>
> Sarge is not vulnerable to the CDDA part of the advisory. Fixed
> packages are here:
> http://people.zoy.org/~sam/vlc/0.8.1.svn20050314-1sarge3/
>
> Etch is vulnerable to all holes in the advisory. Packages are here:
> http://people.zoy.org/~sam/vlc/0.8.6-svn20061012.debian-5etch1/
>
> Lenny is vulnerable to all holes in the advisory. Packages are here:
> http://people.zoy.org/~sam/vlc/0.8.6.a.debian-6lenny1/
>
> Sid is vulnerable to all holes in the advisory. The fixed packages
> will be 0.8.6.c.debian-1.

Thanks, I'll take care of an update for stable and oldstable.

Cheers,
Moritz
Micah Anderson
2007-Jun-22 11:48 UTC
[Secure-testing-team] fixed vlc packages for VideoLAN-SA-0702
Hi Sam,

Sam Hocevar wrote:
> Dear security and testing-security teams,
>
> I have prepared sarge and etch packages for the VideoLAN-SA-0702

This VideoLAN advisory is associated with CVE-2007-3316.

> advisory (found at http://www.videolan.org/sa0702.html). I took the
> liberty to fix other DoS and buffer overflow bugs in the package, if you

This is great. Do you know if these other issues have CVE IDs associated with them? The only other one I can find that seems associated with VLC in the Mitre CVE list is:

CVE-2007-0256 (VideoLAN VLC 0.8.6a allows remote attackers to cause a denial of ...)

which is associated with Debian bug #407290. Is this what 111_memleak.diff fixes? If so, it would be good to try and associate the other issues (in 113_overflows.diff, 112_missingchecks.diff and 114_uninitialised.diff) with CVE IDs. If there are no CVE IDs assigned for these, can you provide a reference to where these came from and we can get some assigned?

> Lenny is vulnerable to all holes in the advisory. Packages are here:
> http://people.zoy.org/~sam/vlc/0.8.6.a.debian-6lenny1/
>
> Sid is vulnerable to all holes in the advisory. The fixed packages
> will be 0.8.6.c.debian-1.

Please go ahead and upload the fixed versions to sid as soon as possible (urgency=high). I've noted these versions in the security tracker.

Thanks,
Micah