Bug 129355 - Bump multimedia/vlc-devel to 0.9.8 to address CVE-2008-5276
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Martin Wilke
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-12-02 01:20 UTC by Joseph S. Atkinson
Modified: 2008-12-07 00:00 UTC
CC List: 0 users

See Also:


Attachments
- file.diff (969 bytes, patch), 2008-12-02 01:20 UTC, Joseph S. Atkinson, no flags
- patch-modules__demux__real.c (1.81 KB, text/x-csrc), 2008-12-03 08:33 UTC, Joseph S Atkinson, no flags
- vlc-devel_0.9.8a.diff (829 bytes, patch), 2008-12-03 21:42 UTC, Joseph S Atkinson, no flags

Description Joseph S. Atkinson 2008-12-02 01:20:01 UTC
Move vlc-devel to 0.9.8.

This bump addresses a vulnerability in the Real Media demuxer that can allow an attacker to create a heap overflow.

CVE-2008-5276
VideoLAN-SA-0811
TKADV2008-013

A proper vulnxml submission is to follow.

Fix: Patch attached with submission follows:
Comment 1 Joseph S Atkinson 2008-12-02 01:42:50 UTC
The accompanying vulnxml entry can be found at:
http://www.freebsd.org/cgi/query-pr.cgi?pr=129356
Comment 2 Martin Wilke 2008-12-02 05:32:51 UTC
Responsible Changed
From-To: freebsd-ports-bugs->miwi

I'll take it.
Comment 3 Joseph S Atkinson 2008-12-03 08:33:47 UTC
I ran into issues with vlc-devel 0.9.8 where qvlc crashes on exit. As an alternative to committing an unstable version at this time, I pulled the Real Media patches from git and rolled them up for 0.9.6. This includes a small tweak that came a day or so after they rolled up 0.9.8.

0.9.8 still hasn't been announced officially yet either, so I am not comfortable with this at the moment. They skipped 0.9.7 after a failed attempt to fix the Real Media issue once already. I will follow up if I find out something else or find a fix for the crash.

If you commit this patch under files/ instead, change the range on the vulnxml (ports/129356) to match our local portrevision.
Comment 4 Joseph S Atkinson 2008-12-03 21:42:21 UTC
VideoLAN did move to 0.9.8a and the crash I mentioned seems to be a local phenomenon.

Please test and commit this instead.

Also, note on vulnxml (ports/129356).
Comment 5 dfilter service 2008-12-06 23:52:02 UTC
miwi        2008-12-06 23:51:51 UTC

  FreeBSD ports repository

  Modified files:
    multimedia/vlc-devel Makefile distinfo 
  Log:
  - Update to 0.9.8a
  
  PR:             129355
  Submitted by:   maintainer
  Security:       http://www.vuxml.org/freebsd/acf80afa-c3ef-11dd-a721-0030843d3802.html
  
  Revision  Changes    Path
  1.211     +1 -1      ports/multimedia/vlc-devel/Makefile
  1.55      +3 -3      ports/multimedia/vlc-devel/distinfo
Comment 6 Martin Wilke 2008-12-06 23:52:29 UTC
State Changed
From-To: open->closed

Committed. Thanks!