[SCM] vlc/wheezy: Imported Debian version 2.0.5-3+deb7u2
sramacher at users.alioth.debian.org
sramacher at users.alioth.debian.org
Fri Mar 20 17:51:04 UTC 2015
The following commit has been merged in the wheezy branch:
commit da663739b58f8d2ab2bf69e0715bee906fec8cec
Author: Alessandro Ghedini <ghedo at debian.org>
Date: Sun Feb 1 11:53:45 2015 +0100
Imported Debian version 2.0.5-3+deb7u2
diff --git a/debian/changelog b/debian/changelog
index d545439..89e9d73 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+vlc (2.0.3-5+deb7u2) wheezy-security; urgency=high
+
+ * Fix multiple vulnerabilities (Closes: #775866):
+ - Fix potential buffer overflow in the Dirac and Schroedinger encoders
+ as per CVE-2014-9629
+ - Fix buffer overflow when parsing string boxes in the MP4 demuxer
+ as per CVE-2014-9626, CVE-2014-9627, CVE-2014-9628
+ - Fix possible invalid memory access in the RTP code as per CVE-2014-9630
+ * Set urgency=high accordingly
+
+ -- Alessandro Ghedini <ghedo at debian.org> Sun, 01 Feb 2015 11:53:45 +0100
+
vlc (2.0.3-5+deb7u1) wheezy-security; urgency=low
* CVE-2013-1868 CVE-2013-1954 CVE-2013-4388
diff --git a/debian/patches/codec-dirac-fix-potential-buffer-overflow.patch b/debian/patches/codec-dirac-fix-potential-buffer-overflow.patch
new file mode 100644
index 0000000..6c0190a
--- /dev/null
+++ b/debian/patches/codec-dirac-fix-potential-buffer-overflow.patch
@@ -0,0 +1,23 @@
+From: Alessandro Ghedini <ghedo at debian.org>
+Subject: [PATCH] codec: dirac: fix potential buffer overflow.
+ The variable len is a raw 32 bit value read using GetDWBE. If this
+ value is larger than UINT32_MAX - sizeof(eos), this will cause an
+ integer overflow in the subsequent call to malloc, and finally a
+ buffer overflow when calling memcpy. We fix this by checking len
+ accordingly.
+Bug-Debian: https://bugs.debian.org/775866
+Last-Update: 2015-02-01
+
+--- a/modules/codec/dirac.c
++++ b/modules/codec/dirac.c
+@@ -920,6 +920,10 @@
+ * is appended to the sequence header to allow guard
+ * against poor streaming servers */
+ /* XXX, should this be done using the packetizer ? */
++
++ if( len > UINT32_MAX - sizeof( eos ) )
++ return NULL;
++
+ p_enc->fmt_out.p_extra = malloc( len + sizeof(eos) );
+ if( !p_enc->fmt_out.p_extra )
+ return NULL;
diff --git a/debian/patches/codec-schroedinger-fix-potential-buffer-overflow.patch b/debian/patches/codec-schroedinger-fix-potential-buffer-overflow.patch
new file mode 100644
index 0000000..bef8203
--- /dev/null
+++ b/debian/patches/codec-schroedinger-fix-potential-buffer-overflow.patch
@@ -0,0 +1,24 @@
+From: Fabian Yamaguchi <fyamagu at gwdg.de>
+Subject: [PATCH] codec: schroedinger: fix potential buffer overflow.
+ The variable len is a raw 32 bit value read using GetDWBE. If this
+ value is larger than UINT32_MAX - sizeof(eos), this will cause an
+ integer overflow in the subsequent call to malloc, and finally a
+ buffer overflow when calling memcpy. We fix this by checking len
+ accordingly.
+Origin: upstream, http://git.videolan.org/?p=vlc.git;a=commitdiff;h=9bb0353a5c63a7f8c6fc853faa3df4b4df1f5eb5
+Bug-Debian: https://bugs.debian.org/775866
+Last-Update: 2015-01-21
+
+--- a/modules/codec/schroedinger.c
++++ b/modules/codec/schroedinger.c
+@@ -1548,6 +1548,10 @@
+ * is appended to the sequence header to allow guard
+ * against poor streaming servers */
+ /* XXX, should this be done using the packetizer ? */
++
++ if( len > UINT32_MAX - sizeof( eos ) )
++ return NULL;
++
+ p_enc->fmt_out.p_extra = malloc( len + sizeof( eos ) );
+ if( !p_enc->fmt_out.p_extra )
+ return NULL;
diff --git a/debian/patches/demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch b/debian/patches/demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch
new file mode 100644
index 0000000..01c2480
--- /dev/null
+++ b/debian/patches/demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch
@@ -0,0 +1,23 @@
+From: Fabian Yamaguchi <fyamagu at gwdg.de>
+Subject: [PATCH] demux: mp4: fix buffer overflow in parsing of string boxes.
+ We ensure that pbox->i_size is never smaller than 8 to avoid an
+ integer underflow in the third argument of the subsequent call to
+ memcpy. We also make sure no truncation occurs when passing values
+ derived from the 64 bit integer p_box->i_size to arguments of malloc
+ and memcpy that may be 32 bit integers on 32 bit platforms.
+Origin: upstream, http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=914462405f8e90d9b2b1184ff047fdfb1f800b48
+Bug-Debian: https://bugs.debian.org/775866
+Last-Update: 2015-01-21
+
+--- a/modules/demux/mp4/libmp4.c
++++ b/modules/demux/mp4/libmp4.c
+@@ -2478,6 +2478,9 @@
+ {
+ MP4_READBOX_ENTER( MP4_Box_data_name_t );
+
++ if( p_box->i_size < 8 || p_box->i_size > SIZE_MAX )
++ MP4_READBOX_EXIT( 0 );
++
+ p_box->data.p_name->psz_text = malloc( p_box->i_size + 1 - 8 ); /* +\0, -name, -size */
+ if( p_box->data.p_name->psz_text == NULL )
+ MP4_READBOX_EXIT( 0 );
diff --git a/debian/patches/series b/debian/patches/series
index ef1a447..39731d8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,4 +6,7 @@ CVE-2012-5470.patch
CVE-2013-1868.patch
CVE-2013-1954.patch
CVE-2013-4388.patch
-
+codec-schroedinger-fix-potential-buffer-overflow.patch
+codec-dirac-fix-potential-buffer-overflow.patch
+demux-mp4-fix-buffer-overflow-in-parsing-of-string-b.patch
+stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch
diff --git a/debian/patches/stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch b/debian/patches/stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch
new file mode 100644
index 0000000..7bfca85
--- /dev/null
+++ b/debian/patches/stream_out-rtp-don-t-use-VLA-for-user-controlled-dat.patch
@@ -0,0 +1,42 @@
+From: Fabian Yamaguchi <fyamagu at gwdg.de>
+Subject: [PATCH] stream_out: rtp: don't use VLA for user controlled data
+ It should fix a possible invalid memory access
+ .
+ When streaming ogg-files via rtp, an ogg-file can trigger an invalid
+ write access using an overly long 'configuration' string.
+ .
+ The original code attemps to allocate space to hold the string on the stack
+ and hence, cannot verify if allocation succeeds. Instead, we now allocate the
+ buffer on the heap and return if allocation fails.
+ .
+ In detail, rtp_packetize_xiph_config allocates a buffer on the stack at (1) where
+ the size depends on the local variable 'len'. The variable 'len' is
+ calculated at (0) to be the length of a string contained in a specially
+ crafted Ogg Vorbis file, and therefore, it is attacker-controlled.
+Origin: upstream, http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=3199c5dd837bc641962e9c1c8d0cd2d7c9b8bb37
+Bug-Debian: https://bugs.debian.org/775866
+Last-Update: 2015-01-21
+
+--- a/modules/stream_out/rtpfmt.c
++++ b/modules/stream_out/rtpfmt.c
+@@ -540,7 +540,11 @@
+ char *end = strchr(start, ';');
+ assert(end != NULL);
+ size_t len = end - start;
+- char b64[len + 1];
++
++ char *b64 = malloc(len + 1);
++ if(!b64)
++ return VLC_EGENERIC;
++
+ memcpy(b64, start, len);
+ b64[len] = '\0';
+
+@@ -550,6 +554,7 @@
+ int i_data;
+
+ i_data = vlc_b64_decode_binary(&p_orig, b64);
++ free(b64);
+ if (i_data == 0)
+ return VLC_EGENERIC;
+ assert(i_data > 9);
--
VLC media player packaging
More information about the pkg-multimedia-commits
mailing list