Bugzilla – Bug 920781
VUL-0: CVE-2014-6440: vlc: Heap Overflow in VLC Transcode Module
Last modified: 2015-03-05 12:59:40 UTC
via oss-sec Executive Summary ----------------- VLC versions before 2.1.5 contain a vulnerability in the transcode module that may allow a corrupted stream to overflow buffers on the heap. With a non-malicious input, this could lead to heap corruption and a crash. However, under the right circumstances, a malicious attacker could potentially use this vulnerability to hijack program execution, and on some platforms, execute arbitrary code. Remediation ----------- Prior to being notified of this issue, the VLC team had already made changes to the 2.2 development branch [0][1][2] that corrects this issue by reinitilizing the filters when a format change is detected. However, the fixes had not yet been backported to the 2.1 maintenance branch. Once notified, the VLC team quickly resolved the issue by backporting the relevant patches to the maintenance branch [3][4][5]. They also added an additional check on both the development[6] and maintenance[7] branches for good measure. CVE-2014-6440 [8] was assigned to this issue. Timeline -------- 2014-04-18: VLC team notified of issue 2014-04-19: Fixed in VLC repository 2014-07-06: VLC 2.1.5 maintenance release A more detailed writeup can be found on my blog [9]. Please note, I am not subscribed to the list, so please CC me if you reply. Bill [0]: http://git.videolan.org/?p=vlc.git;a=commit;h=a3a150b91f09620dc0d81c22db591a20faf4b2a5 [1]: http://git.videolan.org/?p=vlc.git;a=commit;h=39a99d25872f64dacd470fda86ba2193a55cda52 [2]: http://git.videolan.org/?p=vlc.git;a=commit;h=26989ea2d98380eef28843ffa8ca490e8f9d6dae [3]: http://git.videolan.org/?p=vlc/vlc-2.1.git;a=commit;h=28bd6670a26bf88c2523b7302e2c22f8ca210bb7 [4]: http://git.videolan.org/?p=vlc/vlc-2.1.git;a=commit;h=feca6658b4b84b4bc8b7a08431e811813277d31b [5]: http://git.videolan.org/?p=vlc/vlc-2.1.git;a=commit;h=e40a4a1a54be2b69e4e001451f0dd91f3857a976 [6]: http://git.videolan.org/?p=vlc.git;a=commit;h=a113b849e428b71813a569021bd10d6974f6621f [7]: http://git.videolan.org/?p=vlc/vlc-2.1.git;a=commit;h=a5bee4c5cf0c8fca0d1ddaf570aeebc78e824b15 [8]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6440 [9]: http://billblough.net/blog/2015-03-04-cve-2014-6440-heap-overflow-in-vlc-transcode-module
(In reply to Marcus Meissner from comment #0) > via oss-sec > > Executive Summary > ----------------- > > VLC versions before 2.1.5 contain a vulnerability in the transcode module > that > may allow a corrupted stream to overflow buffers on the heap. With a > non-malicious input, this could lead to heap corruption and a crash. > However, > under the right circumstances, a malicious attacker could potentially use > this > vulnerability to hijack program execution, and on some platforms, execute > arbitrary code. > osc ls openSUSE:13.1:Update vlc _link # -> openSUSE:13.1:Update vlc.3452 (latest) 0001-no-return-in-non-void.patch vlc-2.1.5-fix-skins2-default-skin-creation.patch vlc-2.1.5.tar.xz vlc-CVE-2014-9625.patch vlc.changes vlc.spec > osc ls openSUSE:13.2:Update vlc _link # -> openSUSE:13.2:Update vlc.3452 (latest) 0001-no-return-in-non-void.patch vlc-2.1.5-fix-skins2-default-skin-creation.patch vlc-2.1.5.tar.xz vlc-CVE-2014-9625.patch vlc.changes vlc.spec So it seems we're all on track already?
then we are already done.