Date: Tue, 27 Apr 2010 22:00:14 GMT
From: "Joseph S. Atkinson" <jsa@wickedmachine.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/146099: update VLC to 1.0.6, document internally discovered exploit
Message-ID: <201004272200.o3RM0E4f002095@www.freebsd.org>
Resent-Message-ID: <201004272210.o3RMA2Bt093191@freefall.freebsd.org>
>Number:         146099
>Category:       ports
>Synopsis:       update VLC to 1.0.6, document internally discovered exploit
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 27 22:10:02 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Joseph S. Atkinson
>Release:
>Organization:
>Environment:
>Description:
VideoLAN has released 1.0.6 to address several vulnerabilities they discovered while working towards the 1.1.0 release. These vulnerabilities could potentially allow for a specially crafted file to execute code.
>How-To-Repeat:
>Fix:
This shar file contains two patches. The first is the update patch for vlc, the second is the vuln.xml entry, sans this PR number.

Patch attached with submission follows:
# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
# # This archive contains: # # vlc_1.0.6.diff # vlc_1.0.6_vuxml.diff # echo x - vlc_1.0.6.diff sed 's/^X//' >vlc_1.0.6.diff << '5220982b7aa97889d2795eed788c4a85' Xdiff -ru /usr/ports/multimedia/vlc/Makefile vlc/Makefile X--- /usr/ports/multimedia/vlc/Makefile 2010-04-26 13:30:06.000000000 -0400 X+++ vlc/Makefile 2010-04-27 17:02:31.000000000 -0400 X@@ -9,8 +9,7 @@ X # X X PORTNAME= vlc X-DISTVERSION= 1.0.5 X-PORTREVISION= 5 X+DISTVERSION= 1.0.6 X PORTEPOCH= 3 X CATEGORIES= multimedia audio ipv6 net www X MASTER_SITES= http://download.videolan.org/pub/videolan/${PORTNAME}/${DISTVERSION}/ \ Xdiff -ru /usr/ports/multimedia/vlc/distinfo vlc/distinfo X--- /usr/ports/multimedia/vlc/distinfo 2010-02-01 13:20:30.000000000 -0500 X+++ vlc/distinfo 2010-04-27 17:02:42.000000000 -0400 X@@ -1,3 +1,3 @@ X-MD5 (vlc-1.0.5.tar.bz2) = d3d99e489ba1ae996af7e1065c0ef313 X-SHA256 (vlc-1.0.5.tar.bz2) = f7f1994c936fbb8c392481a13abfd6a6b76c5aac4406fa7a78d4786dfc206dcd X-SIZE (vlc-1.0.5.tar.bz2) = 21887131 X+MD5 (vlc-1.0.6.tar.bz2) = 246a3865ec037f8f5757ef6b973a80fc X+SHA256 (vlc-1.0.6.tar.bz2) = f521933e7a1021746d8ecde6caa2f9d1b43187ab2e13df6abc07540e415e1842 X+SIZE (vlc-1.0.6.tar.bz2) = 22149704 5220982b7aa97889d2795eed788c4a85 echo x - vlc_1.0.6_vuxml.diff sed 's/^X//' >vlc_1.0.6_vuxml.diff << 'e1fc4f5a43a3297a895e7fdb5b69ec11' X--- /usr/ports/security/vuxml/vuln.xml 2010-04-25 20:26:47.000000000 -0400 X+++ vuxml/vuln.xml 2010-04-27 17:47:41.000000000 -0400 X@@ -34,6 +34,33 @@ X X --> X <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> X+ <vuln vid="752ce039-5242-11df-9139-00242b513d7c"> X+ <topic>Unintended code execution with specially crafted data in VLC</topic> X+ <affects> X+ <package> X+ <name>vlc</name> X+ <range><lt>1.0.6</lt></range> X+ </package> X+ </affects> X+ <description> X+ <body xmlns="http://www.w3.org/1999/xhtml"> X+ <p>VideoLAN project reports:</p> X+ <blockquote cite="http://www.videolan.org/security/sa1003.html"> X+ <p>VLC media player suffers from various 
vulnerabilities when X+ attempting to parse malformatted or overly long byte streams.</p> X+ </blockquote> X+ </body> X+ </description> X+ <references> X+ <bid>39629</bid> X+ <url>http://www.videolan.org/security/sa1003.html</url> X+ </references> X+ <dates> X+ <discovery>2010-04-19</discovery> X+ <entry>2010-04-27</entry> X+ </dates> X+ </vuln> X+ X <vuln vid="5198ef84-4fdc-11df-83fb-0015587e2cc1"> X <topic>cacti -- SQL injection and command execution vulnerabilities</topic> X <affects> e1fc4f5a43a3297a895e7fdb5b69ec11 exit >Release-Note: >Audit-Trail: >Unformatted:
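Review bot: In the Makefile hunk, dropping PORTREVISION together with the DISTVERSION bump from 1.0.5 to 1.0.6 follows the ports convention (PORTREVISION resets on a new upstream version and PORTEPOCH= 3 is correctly kept), but the unchanged MASTER_SITES context line fetches over plain http://download.videolan.org/, so nothing in the fetch step authenticates the tarball; the distinfo checksums are the only integrity control, and the committer should confirm the 1.0.6 tarball was obtained from and checked against VideoLAN's published release information before accepting them.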
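Review bot: The distinfo hunk replaces all three checksum lines for vlc-1.0.6.tar.bz2, but the PR does not say how the new MD5 and SHA256 were obtained; since SHA256 is the value that actually binds the port to the fixed release (MD5 adds little), it should be compared against the hash VideoLAN publishes for the 1.0.6 tarball rather than simply regenerated from whatever file happened to be fetched locally. The SIZE change from 21887131 to 22149704 is at least consistent with a genuinely new tarball.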
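Review bot: The affected range in the vuln.xml hunk, `<range><lt>1.0.6</lt></range>`, omits the port's epoch even though the Makefile hunk's context shows PORTEPOCH= 3, so installed packages are versioned like vlc-1.0.5_5,3; in FreeBSD package version comparison the epoch is the most significant component, so a version carrying ",3" compares greater than a bare 1.0.6 and this entry would not match the very packages it is meant to flag. Suggest `<range><lt>1.0.6,3</lt></range>`, then validate the entry and confirm it matches an installed vlc-1.0.5_5,3 before committing. The references list only the BID and the sa1003 URL; if CVE identifiers have been assigned for sa1003, add them as <cvename> elements, and since the submitter notes the entry is "sans this PR number", the committer should add the PR reference (ports/146099, from the Subject line) once the entry is committed.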