Date: Mon, 1 Dec 2008 15:32:48 +0300
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: bug-followup@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org
Subject: Re: ports/129282: [vuxml] multimedia/vlc-devel: document CVE-2008-4654 and CVE-2008-4686
Message-ID: <uHdFPvZZ2D0vbAh7YiHspoPExIQ@kjaK%2B/sQ5DW5981v71UogZJPf/0>
In-Reply-To: <200811292120.mATLK38v098563@freefall.freebsd.org>
References: <20081129211244.505D817115@amnesiac.at.no.dns> <200811292120.mATLK38v098563@freefall.freebsd.org>

Joseph, good day.

According to Joseph Atkinson:
> This is generally correct. The affected version is NOT 0.9.5
> though. 0.9.5 was the release that addressed the issues. So the
> affected versions are effectively 0.9.0 through 0.9.4. I mentioned
> both of these CVEs in a follow up to ports/128359, which was the
> 0.9.5 submission.

Sure, 0.9.5 is clean from this issue as the VuXML entry suggests:
'>=0.9.0.20080223<0.9.5'.

> FreeBSD moved from 0.9.0-test1 directly to 0.9.5, so it is possible that
> FreeBSD never included an affected version.

As I wrote in the original PR, I had traced this down to
0.9.0.20080223 through the vlc-devel port history.

> I can't confirm this at this
> time because of being busy (holidays) and that there is no -test1 marked
> in their git for easy reference. However, I have no objections to
> documenting them to be complete/precise/safe.

-test1 can be downloaded from
  ftp://ftp.freebsd.org/pub/FreeBSD/ports/distfiles/vlc-0.9.0-test1.tar.bz2
It has the code in question: look at modules/demux/ty.c for the
following entries:
-----
    int i_seq_table_size;       /* number of entries in SEQ table */
    int i_bits_per_seq_entry;   /* # of bits in SEQ table bitmask */
--
    for (i=0; i<p_sys->i_seq_table_size; i++) {
        stream_Read(p_demux->s, mst_buf, 8 + i_map_size);
-----

> It is also worth noting that 0.9.5 is vulnerable to other issues that
> have already been documented in vulnxml. I mention this to avoid any
> confusion. 0.9.5 is not "clean", it's just not affected by these CVEs
> specifically.

Yes, it is correct. No one claimed that 0.9.5 is vulnerable: this
VuXML entry is meant to document old vulnerabilities that are still
valid for the older port versions.
-- 
Eygene