ports/146099: update VLC to 1.0.6, document internally discovered exploit
Joseph S. Atkinson
jsa at wickedmachine.net
Tue Apr 27 22:10:03 UTC 2010
>Number: 146099
>Category: ports
>Synopsis: update VLC to 1.0.6, document internally discovered exploit
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Tue Apr 27 22:10:02 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Joseph S. Atkinson
>Release:
>Organization:
>Environment:
>Description:
VideoLAN has released 1.0.6 to address several vulnerabilities they discovered while working towards the 1.1.0 release. These vulnerabilities could potentially allow for a specially crafted file to execute code.
>How-To-Repeat:
>Fix:
This shar file contains two patches. The first is the update patch for vlc, the second is the vuln.xml entry, sans this PR number.
Patch attached with submission follows:
# This is a shell archive. Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file". Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
# vlc_1.0.6.diff
# vlc_1.0.6_vuxml.diff
#
echo x - vlc_1.0.6.diff
sed 's/^X//' >vlc_1.0.6.diff << '5220982b7aa97889d2795eed788c4a85'
Xdiff -ru /usr/ports/multimedia/vlc/Makefile vlc/Makefile
X--- /usr/ports/multimedia/vlc/Makefile 2010-04-26 13:30:06.000000000 -0400
X+++ vlc/Makefile 2010-04-27 17:02:31.000000000 -0400
X@@ -9,8 +9,7 @@
X #
X
X PORTNAME= vlc
X-DISTVERSION= 1.0.5
X-PORTREVISION= 5
X+DISTVERSION= 1.0.6
X PORTEPOCH= 3
X CATEGORIES= multimedia audio ipv6 net www
X MASTER_SITES= http://download.videolan.org/pub/videolan/${PORTNAME}/${DISTVERSION}/ \
Xdiff -ru /usr/ports/multimedia/vlc/distinfo vlc/distinfo
X--- /usr/ports/multimedia/vlc/distinfo 2010-02-01 13:20:30.000000000 -0500
X+++ vlc/distinfo 2010-04-27 17:02:42.000000000 -0400
X@@ -1,3 +1,3 @@
X-MD5 (vlc-1.0.5.tar.bz2) = d3d99e489ba1ae996af7e1065c0ef313
X-SHA256 (vlc-1.0.5.tar.bz2) = f7f1994c936fbb8c392481a13abfd6a6b76c5aac4406fa7a78d4786dfc206dcd
X-SIZE (vlc-1.0.5.tar.bz2) = 21887131
X+MD5 (vlc-1.0.6.tar.bz2) = 246a3865ec037f8f5757ef6b973a80fc
X+SHA256 (vlc-1.0.6.tar.bz2) = f521933e7a1021746d8ecde6caa2f9d1b43187ab2e13df6abc07540e415e1842
X+SIZE (vlc-1.0.6.tar.bz2) = 22149704
5220982b7aa97889d2795eed788c4a85
echo x - vlc_1.0.6_vuxml.diff
sed 's/^X//' >vlc_1.0.6_vuxml.diff << 'e1fc4f5a43a3297a895e7fdb5b69ec11'
X--- /usr/ports/security/vuxml/vuln.xml 2010-04-25 20:26:47.000000000 -0400
X+++ vuxml/vuln.xml 2010-04-27 17:47:41.000000000 -0400
X@@ -34,6 +34,33 @@
X
X -->
X <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
X+ <vuln vid="752ce039-5242-11df-9139-00242b513d7c">
X+ <topic>Unintended code execution with specially crafted data in VLC</topic>
X+ <affects>
X+ <package>
X+ <name>vlc</name>
X+ <range><lt>1.0.6</lt></range>
X+ </package>
X+ </affects>
X+ <description>
X+ <body xmlns="http://www.w3.org/1999/xhtml">
X+ <p>VideoLAN project reports:</p>
X+ <blockquote cite="http://www.videolan.org/security/sa1003.html">
X+ <p>VLC media player suffers from various vulnerabilities when
X+ attempting to parse malformatted or overly long byte streams.</p>
X+ </blockquote>
X+ </body>
X+ </description>
X+ <references>
X+ <bid>39629</bid>
X+ <url>http://www.videolan.org/security/sa1003.html</url>
X+ </references>
X+ <dates>
X+ <discovery>2010-04-19</discovery>
X+ <entry>2010-04-27</entry>
X+ </dates>
X+ </vuln>
X+
X <vuln vid="5198ef84-4fdc-11df-83fb-0015587e2cc1">
X <topic>cacti -- SQL injection and command execution vulnerabilities</topic>
X <affects>
e1fc4f5a43a3297a895e7fdb5b69ec11
exit
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list