Gentoo Archives: gentoo-announce

From: Thomas Deutschmann <whissi@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 202005-11 ] VLC: Buffer overflow
Date: Thu, 14 May 2020 22:26:16
Message-Id: ef2b2c15-c194-214e-2114-96468ea7a81a@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202005-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: VLC: Buffer overflow
Date: May 14, 2020
Bugs: #721940
ID: 202005-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow in VLC might allow local or remote attacker(s) to
execute arbitrary code.

Background
==========

VLC is a cross-platform media player and streaming server.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  media-video/vlc               < 3.0.10                 >= 3.0.10

Description
===========

A buffer overflow in DecodeBlock in sdl_image.c was discovered.

Impact
======

A remote attacker could supply a specially crafted image file that,
when opened in VLC, could execute arbitrary code or cause a denial of
service.

Workaround
==========

Until they have upgraded, users should refrain from opening files from
untrusted third parties or accessing untrusted remote sites (or should
disable the VLC browser plugins).

Resolution
==========

All VLC users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=media-video/vlc-3.0.10"

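As an added check that is not part of the GLSA: a POSIX shell snippet that classifies a media-video/vlc version string against the unaffected bound above (>= 3.0.10), so the installed version can be verified before and after the upgrade. It assumes plain dotted numeric versions with an optional Gentoo -rN revision suffix, and reads the installed version from the package directory names under /var/db/pkg/media-video/.

```shell
#!/bin/sh
# Added example (not from the GLSA): classify a media-video/vlc version
# against the GLSA 202005-11 bound: versions < 3.0.10 are vulnerable.

# vercmp A B: prints lt, eq or gt for dotted numeric versions, comparing
# component by component; a missing component counts as 0 (3.0 == 3.0.0).
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$a" = "$ai" ]; then a=''; else a=${a#*.}; fi
        if [ "$b" = "$bi" ]; then b=''; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then echo lt; return 0; fi
        if [ "$ai" -gt "$bi" ]; then echo gt; return 0; fi
    done
    echo eq
}

# vlc_vulnerable VERSION: succeeds (exit 0) when VERSION is < 3.0.10.
# Assumption: a plain numeric version, optionally with a Gentoo -rN
# revision suffix; the revision does not change the upstream version
# (3.0.10-r1 is still 3.0.10 and therefore unaffected).
vlc_vulnerable() {
    v=${1%%-r*}
    [ "$(vercmp "$v" 3.0.10)" = lt ]
}

# version_from_pkgdir NAME: strip the package name from an installed
# package directory name as found under /var/db/pkg/media-video/
# (e.g. vlc-3.0.9-r2 -> 3.0.9-r2).
version_from_pkgdir() {
    printf '%s\n' "${1#vlc-}"
}

# Stand-alone run: report on the live system's installed vlc, if any.
for d in /var/db/pkg/media-video/vlc-*; do
    [ -d "$d" ] || continue
    v=$(version_from_pkgdir "${d##*/}")
    if vlc_vulnerable "$v"; then
        echo "vlc $v: vulnerable, upgrade to >=media-video/vlc-3.0.10"
    else
        echo "vlc $v: unaffected"
    fi
done
```
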
References
==========

[ 1 ] CVE-2019-19721
      https://nvd.nist.gov/vuln/detail/CVE-2019-19721
[ 2 ] Upstream patch
      https://git.videolan.org/?p=vlc/vlc-3.0.git;a=commit;h=72afe7ebd8305bf4f5360293b8621cde52ec506b
[ 3 ] VideoLAN-SB-VLC-309
      https://www.videolan.org/security/sb-vlc309.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202005-11

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2020 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
