Bug#737534: vlc: unsafe use of libtar
Reinhard Tartler
siretart at gmail.com
Sat Aug 16 23:05:20 UTC 2014
Control: tag -1 upstream
On Mon, Feb 3, 2014 at 10:08 AM, Raphael Geissert <geissert at debian.org> wrote:
> Package: vlc
> Severity: important
> Tags: security
>
> Hi,
>
> vlc uses libtar to unpack skins, however, its use on untrusted data
> exposes it to CVE-2013-4420 (#731860).
>
> Changing the behaviour of libtar appears to be problematic because
> some applications have relied on the, lack of, path sanitation (cf.
> https://lists.feep.net:8080/pipermail/libtar/2013-October/000359.html
> and the follow-ups).
> What appears to be the safe way to handle this issue is making sure
> that libtar is not used on untrusted data without file path validation
> - that would mean that vlc would have to check for every file that is
> about to be extracted that none contains a ../, and something similar
> for symlinks.
>
> Alternatively, vlc could just use tar(1) to unpack the tarballs, or
> drop support for skins or skins in tarballs.
>
> What do you think?
>
> This should probably be forwarded to upstream.
I totally agree.
J-B, do you have any opinion on this issue?
Thanks,
Reinhard
--
regards,
Reinhard
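Added example (not VLC or libtar code, and not from this thread): the per-entry path validation the report describes, written in C as a filter to run on each tar header before the entry is extracted. It assumes a small constructed entry struct standing in for the fields libtar exposes per header (the entry name and, for links, the link target); the sample archive listing at the bottom is constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical entry record: mirrors the header fields a caller would read
 * from the real tar library (name, entry type, link target). */
typedef enum { ENTRY_REG, ENTRY_SYMLINK, ENTRY_HARDLINK } entry_type;

typedef struct {
    const char *name;      /* path stored in the tar header */
    entry_type  type;
    const char *linkname;  /* link target, NULL for regular files */
} tar_entry;

/* Walk a '/'-separated path and track how many directory levels below the
 * extraction root it ends up at, starting from start_depth. Returns the
 * final depth, or -1 if the path is empty, absolute, or at any point climbs
 * above the root (a ".." component while the depth is already 0). */
static int path_depth(const char *path, int start_depth)
{
    if (path == NULL || path[0] == '\0' || path[0] == '/')
        return -1;
    int depth = start_depth;
    const char *p = path;
    for (;;) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 0 || (len == 1 && p[0] == '.')) {
            /* "a//b" or "./": no change in depth */
        } else if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0)
                return -1;          /* would escape the extraction root */
            depth--;
        } else {
            depth++;
        }
        if (slash == NULL)
            break;
        p = slash + 1;
    }
    return depth;
}

/* A name is safe if it is relative and never climbs above the root. */
bool tar_entry_name_is_safe(const char *name)
{
    return path_depth(name, 0) >= 0;
}

/* Symlink targets resolve relative to the directory holding the link, so
 * start from the parent's depth; hard-link targets are paths from the
 * archive root, so start from 0. */
bool tar_link_target_is_safe(const tar_entry *e)
{
    int name_depth = path_depth(e->name, 0);
    if (name_depth < 1 || e->linkname == NULL)
        return false;               /* bad name, or a link with no target */
    int start = (e->type == ENTRY_SYMLINK) ? name_depth - 1 : 0;
    return path_depth(e->linkname, start) >= 0;
}

bool tar_entry_is_safe(const tar_entry *e)
{
    if (!tar_entry_name_is_safe(e->name))
        return false;
    if (e->type == ENTRY_REG)
        return true;
    return tar_link_target_is_safe(e);
}

/* Number of the n entries that would be refused before extraction. */
size_t count_unsafe_entries(const tar_entry *entries, size_t n)
{
    size_t unsafe = 0;
    for (size_t i = 0; i < n; i++)
        if (!tar_entry_is_safe(&entries[i]))
            unsafe++;
    return unsafe;
}

/* Constructed sample listing, not taken from any real skin archive. */
static const tar_entry sample_entries[] = {
    { "theme/theme.xml",           ENTRY_REG,      NULL },                   /* ok */
    { "theme/img/../fonts/a.ttf",  ENTRY_REG,      NULL },                   /* ok: stays inside */
    { "../../.config/vlc/vlcrc",   ENTRY_REG,      NULL },                   /* escapes root */
    { "/etc/passwd",               ENTRY_REG,      NULL },                   /* absolute */
    { "theme/cfg",                 ENTRY_SYMLINK,  "../theme/theme.xml" },   /* ok */
    { "theme/cfg2",                ENTRY_SYMLINK,  "../../../etc/passwd" },  /* escapes root */
    { "theme/cfg3",                ENTRY_SYMLINK,  "/tmp/x" },               /* absolute target */
    { "hard",                      ENTRY_HARDLINK, "theme/theme.xml" },      /* ok */
    { "hard2",                     ENTRY_HARDLINK, "../x" },                 /* escapes root */
};
static const size_t sample_count = sizeof sample_entries / sizeof sample_entries[0];

size_t sample_unsafe_count(void)
{
    return count_unsafe_entries(sample_entries, sample_count);
}

int main(void)
{
    printf("%zu of %zu sample entries rejected\n", sample_unsafe_count(), sample_count);
    return 0;
}
```

The check is purely on header fields, so it catches the "../" and symlink cases the report lists. It is a pre-extraction filter only: it does not by itself stop an extractor from writing through a symlink that already exists in the target directory, which is a separate property the extraction step itself has to guarantee.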