ESB-2018.1528 - [Win][UNIX/Linux][Debian] VLC: Multiple vulnerabilities 2018-05-18


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1528
                            vlc security update
                                18 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VLC
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-17670  

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4203

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running VLC check for an updated version of the software for their 
         operating system.
         
         Debian notes that VLC in Debian 8 is end-of-life and will not receive
         this fix.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4203-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 17, 2018                          https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : vlc
CVE ID         : CVE-2017-17670

Hans Jerry Illikainen discovered a type conversion vulnerability in the
MP4 demuxer of the VLC media player, which could result in the execution
of arbitrary code if a malformed media file is played.

This update upgrades VLC in stretch to the new 3.x release series (as
security fixes couldn't be sensibly backported to the 2.x series). In
addition, two packages needed to be rebuilt to ensure compatibility with
VLC 3: phonon-backend-vlc (0.9.0-2+deb9u1) and goldencheetah
(4.0.0~DEV1607-2+deb9u1).

VLC in jessie cannot be migrated to version 3 due to incompatible
library changes with reverse dependencies and is thus now declared
end-of-life for jessie. We recommend upgrading to stretch or picking a
different media player if that is not an option.

For the stable distribution (stretch), this problem has been fixed in
version 3.0.2-0+deb9u1.

We recommend that you upgrade your vlc packages.

For the detailed security status of vlc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/vlc

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
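The DSA above names fixed versions for vlc and the two rebuilt packages. As an added example, not part of the Debian or AusCERT text, the following Python implements the version-ordering rules of deb-version(5) (the ordering dpkg --compare-versions applies, including the '~' rule that matters for goldencheetah's version) and flags packages from this advisory whose installed version is still below the fix; the inventory dict is constructed sample data.

```python
import re

# Fixed versions named in DSA-4203-1 for Debian 9 (stretch).
FIXED = {"vlc": "3.0.2-0+deb9u1", "phonon-backend-vlc": "0.9.0-2+deb9u1",
         "goldencheetah": "4.0.0~DEV1607-2+deb9u1"}

def _weight(c):
    # deb-version(5) order: '~' < end of string < letters < other characters.
    return (-1 if c == "~" else 0 if c == "" else
            ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_fragment(a, b):
    # Alternate non-digit runs (lexical, modified order) and digit runs (numeric).
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        for i in range(max(len(na), len(nb))):
            wa, wb = _weight(na[i:i + 1]), _weight(nb[i:i + 1])
            if wa != wb:
                return -1 if wa < wb else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(version):
    # [epoch:]upstream_version[-debian_revision]; absent epoch/revision mean 0.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "0")

def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a against b like dpkg --compare-versions."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def still_vulnerable(installed):
    # installed: {package: version}, e.g. from dpkg-query -W -f='${Package} ${Version}\n';
    # returns the advisory's packages whose installed version sorts below the fix.
    return sorted(p for p, v in installed.items()
                  if p in FIXED and compare_versions(v, FIXED[p]) < 0)

SAMPLE = {"vlc": "2.2.7-1~deb9u1",  # constructed inventory, not a real host
          "phonon-backend-vlc": "0.9.0-2+deb9u1", "goldencheetah": "4.0.0~DEV1607-1"}
```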

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
