Bug#811519: vlc: avio plugin leaks file content

Rémi Denis-Courmont courmisch at gmail.com
Tue Jan 19 16:11:01 UTC 2016


Package: vlc
Version: 2.2.1-5+b1
Severity: grave
Tags: security patch
Justification: user security hole

Dear Maintainer,

With a carefully crafted URL, the VLC avio plugin can be made to leak
the content of local files to remote parties.
The root cause is the same as CVE-2016-1897.

See also:

https://mailman.videolan.org/pipermail/vlc-devel/2016-January/105718.html

Best regards,

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.15-basile (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fi_FI.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages vlc depends on:
ii  fonts-freefont-ttf          20120503-4
ii  libaa1                      1.4p5-44
ii  libavcodec-ffmpeg56         7:2.8.5-1
ii  libavutil-ffmpeg54          7:2.8.5-1
ii  libc6                       2.21-6
ii  libcaca0                    0.99.beta19-2+b1
ii  libcairo2                   1.14.6-1
ii  libegl1-mesa [libegl1-x11]  11.1.1-2
ii  libfreerdp-client1.1        1.1.0~git20140921.1.440916e+dfsg1-5+b1
ii  libfreerdp-core1.1          1.1.0~git20140921.1.440916e+dfsg1-5+b1
ii  libfreerdp-gdi1.1           1.1.0~git20140921.1.440916e+dfsg1-5+b1
ii  libfreetype6                2.6.1-0.1
ii  libfribidi0                 0.19.7-1
ii  libgcc1                     1:5.3.1-6
ii  libgl1-mesa-glx [libgl1]    11.1.1-2
ii  libgles1-mesa [libgles1]    11.1.1-2
ii  libgles2-mesa [libgles2]    11.1.1-2
ii  libglib2.0-0                2.46.2-3
ii  libpulse0                   7.1-2
ii  libqt5core5a                5.5.1+dfsg-12
ii  libqt5gui5                  5.5.1+dfsg-12
ii  libqt5widgets5              5.5.1+dfsg-12
ii  libqt5x11extras5            5.5.1-3
ii  librsvg2-2                  2.40.13-1
ii  libsdl-image1.2             1.2.12-5+b5
ii  libsdl1.2debian             1.2.15-12
ii  libstdc++6                  5.3.1-6
ii  libva-drm1                  1.6.2-1
ii  libva-x11-1                 1.6.2-1
ii  libva1                      1.6.2-1
ii  libvlccore8                 2.2.1-5+b1
ii  libvncclient1               0.9.10+dfsg-3
ii  libx11-6                    2:1.6.3-1
ii  libxcb-composite0           1.11.1-1
ii  libxcb-keysyms1             0.4.0-1
ii  libxcb-randr0               1.11.1-1
ii  libxcb-shm0                 1.11.1-1
ii  libxcb-xv0                  1.11.1-1
ii  libxcb1                     1.11.1-1
ii  libxext6                    2:1.3.3-1
ii  libxi6                      2:1.7.5-1
ii  libxinerama1                2:1.1.3-1+b1
ii  libxpm4                     1:3.5.11-1+b1
ii  vlc-nox                     2.2.1-5+b1
ii  zlib1g                      1:1.2.8.dfsg-2+b1

Versions of packages vlc recommends:
pn  vlc-plugin-notify  <none>
pn  vlc-plugin-samba   <none>
ii  xdg-utils          1.1.1-1

vlc suggests no packages.

Versions of packages vlc-nox depends on:
ii  liba52-0.7.4               0.7.4-18
ii  libasound2                 1.0.29-1
ii  libass5                    0.13.1-1
ii  libavahi-client3           0.6.32~rc+dfsg-1
ii  libavahi-common3           0.6.32~rc+dfsg-1
ii  libavc1394-0               0.5.4-2
ii  libavcodec-ffmpeg56        7:2.8.5-1
ii  libavformat-ffmpeg56       7:2.8.5-1
ii  libavutil-ffmpeg54         7:2.8.5-1
ii  libbasicusageenvironment0  2014.01.13-1
ii  libbluray1                 1:0.9.2-2
ii  libc6                      2.21-6
ii  libcddb2                   1.3.2-5
ii  libcdio13                  0.83-4.2+b1
ii  libchromaprint0            1.2-1+b1
ii  libcrystalhd3              1:0.0~git20110715.fdd2f19-11+b1
ii  libdbus-1-3                1.10.6-1
ii  libdc1394-22               2.2.3-1
ii  libdca0                    0.0.5-7
ii  libdirectfb-1.2-9          1.2.10.0-5.1
ii  libdvbpsi10                1.3.0-4
ii  libdvdnav4                 5.0.3-1
ii  libdvdread4                5.0.3-1
ii  libebml4v5                 1.3.3-1
ii  libfaad2                   2.8.0~cvs20150510-1
ii  libflac8                   1.3.1-4
ii  libfontconfig1             2.11.0-6.3
ii  libfreetype6               2.6.1-0.1
ii  libfribidi0                0.19.7-1
ii  libgcc1                    1:5.3.1-6
ii  libgcrypt20                1.6.4-4
ii  libgnutls-deb0-28          3.3.20-1
ii  libgpg-error0              1.21-1
ii  libgroupsock1              2014.01.13-1
ii  libjpeg62-turbo            1:1.4.1-2
ii  libkate1                   0.4.1-5
ii  liblircclient0             0.9.0~pre1-1.2
ii  liblivemedia23             2014.01.13-1
ii  liblua5.2-0                5.2.4-1
ii  libmad0                    0.15.1b-8
ii  libmatroska6v5             1.4.4-1
ii  libmodplug1                1:0.8.8.5-2
ii  libmpcdec6                 2:0.1~r475-1
ii  libmpeg2-4                 0.5.1-7
ii  libmtp9                    1.1.10-2
ii  libncursesw5               6.0+20151024-2
ii  libogg0                    1.3.2-1
ii  libopus0                   1.1.2-1
ii  libpng12-0                 1.2.54-1
ii  libpostproc-ffmpeg53       7:2.8.5-1
ii  libraw1394-11              2.1.1-2
ii  libresid-builder0c2a       2.1.1-14
ii  libsamplerate0             0.1.8-8
ii  libschroedinger-1.0-0      1.0.11-2.1
ii  libshine3                  3.1.0-3
ii  libshout3                  2.3.1-3
ii  libsidplay2                2.1.1-14
ii  libspeex1                  1.2~rc1.2-1
ii  libspeexdsp1               1.2~rc1.2-1
ii  libssh2-1                  1.5.0-2+b1
ii  libstdc++6                 5.3.1-6
ii  libswscale-ffmpeg3         7:2.8.5-1
ii  libtag1v5                  1.9.1-2.4
ii  libtheora0                 1.1.1+dfsg.1-7
ii  libtinfo5                  6.0+20151024-2
ii  libtwolame0                0.3.13-1.2
ii  libudev1                   228-4
ii  libupnp6                   1:1.6.19+git20141001-1
ii  libusageenvironment1       2014.01.13-1
ii  libvcdinfo0                0.7.24+dfsg-0.2
ii  libvlc5                    2.2.1-5+b1
ii  libvlccore8                2.2.1-5+b1
ii  libvorbis0a                1.3.4-3
ii  libvorbisenc2              1.3.4-3
ii  libx264-148                2:0.148.2601+gita0cd7d3-3
ii  libx265-68                 1.8-6
ii  libxml2                    2.9.3+dfsg1-1
ii  libzvbi0                   0.2.35-10
ii  zlib1g                     1:1.2.8.dfsg-2+b1

Versions of packages vlc-nox suggests:
ii  libdvdcss2  1.2.13-0

Versions of packages libvlc5 depends on:
ii  libc6        2.21-6
ii  libvlccore8  2.2.1-5+b1

Versions of packages libvlccore8 depends on:
ii  libc6           2.21-6
ii  libdbus-1-3     1.10.6-1
ii  libidn11        1.32-3
ii  libproxy-tools  0.4.11-4.2
ii  vlc-data        2.2.1-5

Versions of packages vlc is related to:
ii  libavutil-ffmpeg54  7:2.8.5-1

-- no debconf information
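The report above describes the vulnerability class but not the fix. As an added illustration (not VLC's code, and not the patch linked from the report), the block below shows the mitigation class that closes this family of bugs: when a demuxer has fetched a playlist or container from the network, every reference it finds inside that content must also resolve over the network, so a remote party can never make the player read a local file on its behalf. The scheme parser follows RFC 3986; the allowlist (http and https only), the helper names and the sample playlist are assumptions chosen for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration (not VLC or FFmpeg code): policy check for references
 * that a demuxer finds inside content it fetched from the network.
 */

/* Copy the lower-cased URI scheme (RFC 3986 section 3.1: ALPHA *(ALPHA /
 * DIGIT / "+" / "-" / ".") followed by ':') into buf. Returns false for
 * relative references, bare paths and single-letter "schemes" such as
 * Windows drive letters ("C:\..."), which are paths, not protocols. */
static bool uri_scheme(const char *uri, char *buf, size_t buflen)
{
    size_t i = 0;

    if (!isalpha((unsigned char)uri[0]))
        return false;
    while (uri[i] != '\0' && uri[i] != ':') {
        unsigned char c = (unsigned char)uri[i];
        if (!(isalnum(c) || c == '+' || c == '-' || c == '.'))
            return false;
        i++;
    }
    if (uri[i] != ':' || i < 2 || i >= buflen)
        return false;
    for (size_t j = 0; j < i; j++)
        buf[j] = (char)tolower((unsigned char)uri[j]);
    buf[i] = '\0';
    return true;
}

/* Convenience for callers and tests: does uri carry exactly this scheme? */
bool uri_has_scheme(const char *uri, const char *want)
{
    char s[32];
    return uri_scheme(uri, s, sizeof s) && strcmp(s, want) == 0;
}

/* Assumed allowlist: only these schemes count as "network". */
static bool scheme_is_network(const char *scheme)
{
    return strcmp(scheme, "http") == 0 || strcmp(scheme, "https") == 0;
}

/* The check itself: when the parent resource came from the network, every
 * reference found inside it must stay on the network. Relative references
 * inherit the parent's scheme and pass; any explicit non-network scheme
 * (file:, or a library-internal pseudo-protocol) is refused, so the local
 * file system is never read on behalf of a remote playlist. */
bool nested_ref_allowed(const char *parent_uri, const char *ref)
{
    char ps[32], rs[32];

    if (!uri_scheme(parent_uri, ps, sizeof ps) || !scheme_is_network(ps))
        return true;   /* parent is local: outside this policy's scope */
    if (!uri_scheme(ref, rs, sizeof rs))
        return true;   /* relative reference, resolved against the parent */
    return scheme_is_network(rs);
}

/* Apply the policy to every reference of a playlist; returns how many were
 * refused (what a demuxer would skip and log as a policy violation). */
size_t count_refused(const char *parent_uri, const char *const refs[], size_t n)
{
    size_t refused = 0;
    for (size_t i = 0; i < n; i++)
        if (!nested_ref_allowed(parent_uri, refs[i]))
            refused++;
    return refused;
}

int main(void)
{
    /* Constructed sample: a playlist served from a remote host. */
    const char *parent = "http://example.invalid/live/index.m3u8";
    const char *const refs[] = {
        "segment-001.ts",                         /* relative: allowed */
        "https://cdn.example.invalid/seg-002.ts", /* network: allowed */
        "file:///tmp/local-notes.txt",            /* local file: refused */
        "custom-proto:anything",                  /* unknown scheme: refused */
    };
    size_t n = sizeof refs / sizeof refs[0];

    for (size_t i = 0; i < n; i++)
        printf("%-42s %s\n", refs[i],
               nested_ref_allowed(parent, refs[i]) ? "allowed" : "REFUSED");
    printf("%zu of %zu references refused\n", count_refused(parent, refs, n), n);
    return 0;
}
```

The design choice worth noting is that the decision is keyed on the parent's origin rather than on the child alone: a playlist opened from the local disk may legitimately point at local media, while the same reference inside content fetched over HTTP is exactly the leak the report describes, so the policy refuses it only in the second case.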
