Bug 962248 - Cannot update security issue on Leap 42.1
Summary: Cannot update security issue on Leap 42.1
Status: RESOLVED DUPLICATE of bug 961994
Alias: None
Product: openSUSE Distribution
Classification: openSUSE
Component: YaST2
Version: Leap 42.1
Hardware: Other Other
Priority: P5 - None, Severity: Normal
Target Milestone: ---
Assignee: Andreas Stieger
QA Contact: Jiri Srain
Reported: 2016-01-17 17:53 UTC by Forgotten User w3Bgdl3BEE
Modified: 2016-01-18 12:10 UTC
Description Forgotten User w3Bgdl3BEE 2016-01-17 17:53:38 UTC
Hello there,
When starting the update I get the following message from the update centre:
===
This update is needed to fix a security vulnerability with this package. This update for libebml, libmatroska fixes the following security issues: Vulnerabilities fixed in libebml:

    Cisco TALOS-CAN-0036: Invalid memory access when reading from a UTF-8 string resulted in a heap information leak (bsc#961031).
    Cisco TALOS-CAN-0037: Deeply nested elements with infinite size use-after-free and multiple free (bsc#961031).
    Invalid memory access resulted in heap information leak 

Vulnerabilities fixed in libmatroska:

    invalid memory access when reading specially crafted data lead to a heap information leak. 

For more information about bugs fixed by this update please visit this website:

    https://bugzilla.opensuse.org/show_bug.cgi?id=961031. 

=== 
Then, when trying to update, I have:

vlc-noX-2.2.1-195.1.x86_64 requires libmatroska.so.6(V_1.4.1)(64bit), but this requirement cannot be provided
====

VLC people say that this is a package problem:
https://trac.videolan.org/vlc/ticket/16406#comment:1
Changes (by dfuhrmann):
 * status: new => closed
 * resolution: => notvlc
Comment:
 Sounds like a packaging problem. Please file a bug to your distribution /
 package maintainer.
===
Pls check.
Thanks in advance.
Comment 1 Marcus Meissner 2016-01-18 08:05:52 UTC
We did release an incremental update yesterday which should fix it?
Comment 2 Andreas Stieger 2016-01-18 09:59:02 UTC
(In reply to Michael Baryshnikov from comment #0)
> VLC people say that this is a package problem:
> https://trac.videolan.org/vlc/ticket/16406#comment:1
> Changes (by dfuhrmann):
>  * status: new => closed
>  * resolution: => notvlc
> Comment:
>  Sounds like a packaging problem. Please file a bug to your distribution /
>  package maintainer.

Tell VLC people to rebuild VLC against the released updates.

*** This bug has been marked as a duplicate of bug 961994 ***
Comment 3 Andreas Stieger 2016-01-18 12:10:31 UTC
Not fixed in VLC repo, fixed elsewhere:

rpm -q --requires -p http://download.videolan.org/pub/vlc/SuSE/Leap_42.1/x86_64/vlc-noX-2.2.1-195.1.x86_64.rpm | grep libmatroska
warning: http://download.videolan.org/pub/vlc/SuSE/Leap_42.1/x86_64/vlc-noX-2.2.1-195.1.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID c8da93d2: NOKEY
libmatroska.so.6()(64bit)
libmatroska.so.6(V_1.4.1)(64bit)

It's their package build. Ask them to rebuild against openSUSE:Leap:42.1:Update