From: [email protected]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1819-1                  [email protected]
http://www.debian.org/security/                           Steffen Joeris
June 18, 2009                         http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : vlc
Vulnerability : several vulnerabilities
Problem type : local (remote)
Debian-specific: no
CVE Ids : CVE-2008-1768 CVE-2008-1769 CVE-2008-1881 CVE-2008-2147
CVE-2008-2430 CVE-2008-3794 CVE-2008-4686 CVE-2008-5032
Debian Bugs : 478140 477805 489004 496265 503118 504639 480724
Several vulnerabilities have been discovered in vlc, a multimedia player
and streamer. The Common Vulnerabilities and Exposures project
identifies the following problems:
CVE-2008-1768
Drew Yao discovered that multiple integer overflows in the MP4 demuxer,
Real demuxer and Cinepak codec can lead to the execution of arbitrary
code.
CVE-2008-1769
Drew Yao discovered that the Cinepak codec is prone to a memory
corruption, which can be triggered by a crafted Cinepak file.
CVE-2008-1881
Luigi Auriemma discovered that it is possible to execute arbitrary code
via a long subtitle in an SSA file.
CVE-2008-2147
It was discovered that vlc is prone to a search path vulnerability,
which allows local users to perform privilege escalations.
CVE-2008-2430
Alin Rad Pop discovered that it is possible to execute arbitrary code
when opening a WAV file containing a large fmt chunk.
CVE-2008-3794
Pınar Yanardağ discovered that it is possible to execute arbitrary code
when opening a crafted mmst link.
CVE-2008-4686
Tobias Klein discovered that it is possible to execute arbitrary code
when opening a crafted .ty file.
CVE-2008-5032
Tobias Klein discovered that it is possible to execute arbitrary code
when opening an invalid CUE image file with a crafted header.
For the oldstable distribution (etch), these problems have been fixed
in version 0.8.6-svn20061012.debian-5.1+etch3.
For the stable distribution (lenny), these problems have been fixed in
version 0.8.6.h-4+lenny2, which was already included in the lenny
release.
For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 0.8.6.h-5.
We recommend that you upgrade your vlc packages.
Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
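The manual path above (wget, then dpkg -i) is where the "Size/MD5 checksum" pair printed under each URL is meant to be used: compare the downloaded file against both values before installing it. The script below is an added example, not part of the advisory or of Debian's own tooling; it assumes md5sum (or openssl as a fallback), wc and wget are available, and the URL, size and digest in the guarded call at the end are the amd64 vlc-nox entry from this advisory's package list. The checksum catches truncated or corrupted downloads; what makes the listed digests trustworthy in the first place is the PGP signature on the advisory text, which should be checked against the Debian keyring before relying on them.

```shell
#!/bin/sh
# Added example, not from the advisory: gate "dpkg -i file.deb" on the
# Size/MD5 checksum pair the advisory prints under each URL. Assumes the
# md5sum or openssl command, wc and wget; the URL and checksum in the
# guarded call below are the amd64 vlc-nox entry from this advisory.

# file_size FILE: print the file's size in bytes
file_size() {
    wc -c < "$1" | tr -d ' '
}

# file_md5 FILE: print the file's MD5 digest as lowercase hex
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -r -md5 "$1" | cut -d' ' -f1
    fi
}

# verify_deb FILE EXPECTED_SIZE EXPECTED_MD5
# Returns 0 when both values match the advisory, 1 on a size mismatch
# (a truncated or wrong download) and 2 on a digest mismatch.
verify_deb() {
    _file=$1; _want_size=$2; _want_md5=$3
    _have_size=$(file_size "$_file")
    if [ "$_have_size" != "$_want_size" ]; then
        echo "$_file: size $_have_size, advisory lists $_want_size" >&2
        return 1
    fi
    _have_md5=$(file_md5 "$_file")
    if [ "$_have_md5" != "$_want_md5" ]; then
        echo "$_file: MD5 $_have_md5, advisory lists $_want_md5" >&2
        return 2
    fi
    return 0
}

# fetch_verify_install URL EXPECTED_SIZE EXPECTED_MD5
# The advisory's "wget url" then "dpkg -i file.deb" steps with the
# checksum gate between them; a failed check removes the download.
fetch_verify_install() {
    _url=$1
    _deb=$(basename "$_url")
    wget -q "$_url" || return 3
    _rc=0
    verify_deb "$_deb" "$2" "$3" || _rc=$?
    if [ "$_rc" -ne 0 ]; then
        rm -f "$_deb"
        return "$_rc"
    fi
    dpkg -i "$_deb"
}

# Real download and install only when explicitly requested, e.g.
#   DSA_RUN=1 sh verify-dsa-1819.sh    (as root, because of dpkg -i)
if [ "${DSA_RUN:-0}" = 1 ]; then
    fetch_verify_install \
        http://security.debian.org/pool/updates/main/v/vlc/vlc-nox_0.8.6-svn20061012.debian-5.1+etch3_amd64.deb \
        4667204 0304843fa1801c73ddd1b3e38cb66adf
fi
```

The size check runs first because it is cheap and already catches the most common failure, an interrupted transfer; the digest is only computed when the length is right. Distinct return codes let a wrapper tell the two failures apart in logs.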
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Debian (oldstable)
- ------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/v/vlc/vlc_0.8.6-svn20061012.debian.orig.tar.gz
Size/MD5 checksum: 15168393 30c18a2fdc4105606033ff6e6aeab81c
http://security.debian.org/pool/updates/main/v/vlc/vlc_0.8.6-svn20061012.debian-5.1+etch3.diff.gz
Size/MD5 checksum: 2390010 aacfe6dc712b98ae872794d9d70fe1e3
http://security.debian.org/pool/updates/main/v/vlc/vlc_0.8.6-svn20061012.debian-5.1+etch3.dsc
Size/MD5 checksum: 2622 bc3a4f4ee0ecd699820b478e96beecad
Architecture independent packages:
http://security.debian.org/pool/updates/main/v/vlc/wxvlc_0.8.6-svn20061012.debian-5.1+etch3_all.deb
Size/MD5 checksum: 778 62c36d9c3fe088478b442efec17b5b7e
http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-alsa_0.8.6-svn20061012.debian-5.1+etch3_all.deb
Size/MD5 checksum: 786 12f8c6ef696cb7c6b8b1e33b313f72f0
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-esd_0.8.6-svn20061012.debian-5.1+etch3_alpha.deb
Size/MD5 checksum: 5028 1c44834297096fe893775a5d95d1913b
http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-arts_0.8.6-svn20061012.debian-5.1+etch3_alpha.deb
Size/MD5 checksum: 4444 ad948e7f91e08a0261a009a62bd2a76b
http://security.debian.org/pool/updates/main/v/vlc/libvlc0_0.8.6-svn20061012.debian-5.1+etch3_alpha.deb
Size/MD5 checksum: 1157956 da37f9efbdef57c192781d775818e042
http://security.debian.org/pool/updates/main/v/vlc/mozilla-plugin-vlc_0.8.6-svn20061012.debian-5.1+etch3_alpha.deb
Size/MD5 checksum: 40298 3c6639b6241c035f35508ed2b41e94b7
http://security.debian.org/pool/updates/main/v/vlc/vlc-nox_0.8.6-svn20061012.debian-5.1+etch3_alpha.deb
Size/MD5 checksum: 5169476 7342181513646f6562051fe843dab946
http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-sdl_0.8.6-svn20061012.debian-5.1+etch3_alpha.deb
Size/MD5 checksum: 13048 63b8dfc325bf011cd9ab2762ac404da8
http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch3_alpha.deb
Size/MD5 checksum: 20162 9fd790aaa1a58aaa7de59ca17eec2ea9
http://security.debian.org/pool/updates/main/v/vlc/vlc_0.8.6-svn20061012.debian-5.1+etch3_alpha.deb
Size/MD5 checksum: 1306476 230f2731958e3d9740198c66b7a14531
http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-ggi_0.8.6-svn20061012.debian-5.1+etch3_alpha.deb
Size/MD5 checksum: 6942 96f9d8b30b4c66b9d81a47e3f6141b7a
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/v/vlc/libvlc0-dev_0.8.6-svn20061012.debian-5.1+etch3_amd64.deb
Size/MD5 checksum: 20226 73bbae9c7491cb8fb99ae3c9e3b34670
http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-sdl_0.8.6-svn20061012.debian-5.1+etch3_amd64.deb
Size/MD5 checksum: 11336 623ceac24cb2a59cbbdb96723c7feb4d
http://security.debian.org/pool/updates/main/v/vlc/vlc-plugin-ggi_0.8.6-svn20061012.debian-5.1+etch3_amd64.deb
Size/MD5 checksum: 6054 99babdfe76e9ce755f36add0f01750bb
http://security.debian.org/pool/updates/main/v/vlc/vlc-nox_0.8.6-svn20061012.debian-5.1+etch3_amd64.deb
Size/MD5 checksum: 4667204 0304843fa1801c73ddd1b3e38cb66adf
[continued in next message]