From owner-freebsd-ports-bugs@FreeBSD.ORG Sat Nov 29 21:20:04 2008
Resent-Date: Sat, 29 Nov 2008 21:20:04 GMT
Resent-Message-Id: <200811292120.mATLK41M098572@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Cc: jsa@wickedmachine.net
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Eygene Ryabinkin
Message-Id: <20081129211244.505D817115@amnesiac.at.no.dns>
Date: Sun, 30 Nov 2008 00:12:44 +0300 (MSK)
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: freebsd-vuxml@FreeBSD.org
X-Send-Pr-Version: 3.113
X-GNATS-Notify: jsa@wickedmachine.net
Subject: ports/129282: [vuxml] multimedia/vlc-devel: document CVE-2008-4654 and CVE-2008-4686
Reply-To: Eygene Ryabinkin
List-Id: Ports bug reports

>Number:         129282
>Category:       ports
>Synopsis:       [vuxml] multimedia/vlc-devel: document CVE-2008-4654 and CVE-2008-4686
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 29 21:20:03 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE amd64
>Description:
Multiple overflows were discovered in the TiVo demuxer within the VLC player.
>How-To-Repeat:
Look at http://www.openwall.com/lists/oss-security/2008/10/22/2
>Fix:
The following VuXML entry should be evaluated and added:

--- vuln.xml begins here ---
  <vuln vid="PLACEHOLDER-vid-not-present-in-archived-text">
    <topic>vlc-devel -- multiple overflows in the TiVo demux plugin</topic>
    <affects>
      <package>
	<name>vlc-devel</name>
	<range><ge>0.9.0.20080223</ge><lt>0.9.5</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Tobias Klein from TrapKit notifies:</p>
	<blockquote cite="http://www.trapkit.de/advisories/TKADV2008-010.txt">
	  <p>The VLC media player contains a stack overflow vulnerability
	  while parsing malformed TiVo ty media files. The vulnerability
	  can be trivially exploited by a (remote) attacker to execute
	  arbitrary code in the context of VLC media player.</p>
	</blockquote>
	<p>Entry for CVE-2008-4686 says:</p>
	<blockquote>
	  <p>Multiple integer overflows in ty.c in the TY demux plugin
	  (aka the TiVo demuxer) in VideoLAN VLC media player, probably
	  0.9.4, allow remote attackers to have an unknown impact via a
	  crafted .ty file, a different vulnerability than CVE-2008-4654.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>http://www.trapkit.de/advisories/TKADV2008-010.txt</url>
      <cvename>CVE-2008-4654</cvename>
      <bid>31813</bid>
      <cvename>CVE-2008-4686</cvename>
    </references>
    <dates>
      <entry>2008-10-18</entry>
      <modified>TODAY</modified>
    </dates>
  </vuln>
--- vuln.xml ends here ---

I had traced the vulnerable code down to the 0.9.0.20080223: older
snapshots have no such code, as referenced in the commits
http://git.videolan.org/?p=vlc.git;a=blobdiff;f=modules/demux/ty.c;h=f7d42bc4f8edc9890fec96a4933100f114f1258d;hp=231fddabf8a53136040e7e3f5d0202d0539c8a93;hb=fde9e1cc1fe1ec9635169fa071e42b3aa6436033;hpb=b63538354a6a49ae5a878edd37221480cb7850f5
http://git.videolan.org/?p=vlc.git;a=commitdiff;h=d859e6b9537af2d7326276f70de25a840f554dc3
>Release-Note:
>Audit-Trail:
>Unformatted:
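The practical question a VuXML entry answers is whether an installed package falls inside the affected `<range>` (here `0.9.0.20080223 <= version < 0.9.5` for `vlc-devel`). The script below is an added example, not part of this PR and not the FreeBSD vuxml or pkg tooling: it parses a trimmed copy of the proposed entry (embedded inline) and checks a constructed list of installed packages against it. The version comparator is a simplified re-implementation of the ports ordering (epoch after `,`, port revision after `_`, dot-separated components, digits before letters within a component, a missing trailing component sorting lower); it is an assumption that approximates `pkg_version(1)` and does not implement its special tokens such as `pl`, `alpha` or `rc`.

```python
"""Check installed package versions against a VuXML <range> (added example)."""
import re
import xml.etree.ElementTree as ET

# Trimmed copy of the entry proposed in the PR; the vid is a placeholder
# and the description/dates elements are omitted as irrelevant to matching.
VUXML_ENTRY = """<vuln vid="PLACEHOLDER-vid">
  <topic>vlc-devel -- multiple overflows in the TiVo demux plugin</topic>
  <affects>
    <package>
      <name>vlc-devel</name>
      <range><ge>0.9.0.20080223</ge><lt>0.9.5</lt></range>
    </package>
  </affects>
  <references>
    <cvename>CVE-2008-4654</cvename>
    <cvename>CVE-2008-4686</cvename>
  </references>
</vuln>"""

# Constructed sample of what `pkg_info` might list; not a real package database.
INSTALLED = {
    "vlc-devel": "0.9.4",
    "vlc": "0.8.6i",
}

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version):
    """Sort key approximating FreeBSD ports version order (assumption, see lead-in).

    Returns (epoch, components, revision). Each dotted component becomes a
    tuple of (0, int) for digit runs and (1, letters) for alphabetic runs, so
    numbers sort before letters and "0.9.0" sorts before "0.9.0.20080223".
    """
    epoch = 0
    if "," in version:
        version, epoch_str = version.rsplit(",", 1)
        epoch = int(epoch_str)
    revision = 0
    if "_" in version:
        version, rev_str = version.rsplit("_", 1)
        revision = int(rev_str)
    components = []
    for part in version.split("."):
        pieces = tuple(
            (0, int(tok)) if tok.isdigit() else (1, tok.lower())
            for tok in _TOKEN.findall(part)
        )
        components.append(pieces)
    return (epoch, tuple(components), revision)


def parse_ranges(vuxml_text):
    """Yield (package name, {bound tag: version}) for every <range> in the entry."""
    root = ET.fromstring(vuxml_text)
    for pkg in root.iter("package"):
        name = pkg.findtext("name")
        for rng in pkg.findall("range"):
            bounds = {child.tag: child.text.strip() for child in rng}
            yield name, bounds


def is_affected(installed_version, bounds):
    """True when the version satisfies every bound (ge/gt/le/lt) of the range."""
    key = version_key(installed_version)
    checks = {
        "ge": lambda b: key >= version_key(b),
        "gt": lambda b: key > version_key(b),
        "le": lambda b: key <= version_key(b),
        "lt": lambda b: key < version_key(b),
    }
    return all(checks[tag](value) for tag, value in bounds.items())


def affected_entries(vuxml_text, installed):
    """Return [(name, version)] for installed packages inside an affected range."""
    hits = []
    for name, bounds in parse_ranges(vuxml_text):
        version = installed.get(name)
        if version is not None and is_affected(version, bounds):
            hits.append((name, version))
    return hits


if __name__ == "__main__":
    for name, version in affected_entries(VUXML_ENTRY, INSTALLED):
        print(f"{name}-{version} is within the affected range")
```

With the constructed inventory above, `vlc-devel-0.9.4` is reported and `vlc-0.8.6i` is not, because `0.8.6i` sorts below the `<ge>` bound; `0.9.5` itself is excluded since `<lt>` is strict. For a real audit on FreeBSD, `pkg_version -t` (or `pkg version -t` on modern systems) is the authoritative comparator and should be preferred over this approximation.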