diff -Nru vlc-2.2.2/debian/changelog vlc-2.2.2/debian/changelog
--- vlc-2.2.2/debian/changelog 2016-03-13 20:43:12.000000000 +0000
+++ vlc-2.2.2/debian/changelog 2017-08-11 13:47:21.000000000 +0000
@@ -1,3 +1,49 @@
+vlc (2.2.2-5ubuntu0.16.04.4) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: flac: Fix heap write overflow on frame format change
+ (LP: #1709420)
+ - fix-CVE-2017-9300.patch
+ - CVE-2017-9300
+
+ -- Simon Quigley Tue, 08 Aug 2017 13:59:52 -0500
+
+vlc (2.2.2-5ubuntu0.16.04.3) xenial-security; urgency=high
+
+ * SECURITY UPDATE: reject invalid QuickTime IMA files (LP: #1693893)
+ - fix-CVE-2016-5108.patch
+ - CVE-2016-5108
+ * SECURITY UPDATE: Crash due to Out-of-Bound Heap Memory Write
+ - fix-CVE-2017-10699.patch
+ - CVE-2017-10699
+ * SECURITY UPDATE: Fix potential out of bound reads
+ - fix-CVE-2017-8310.patch
+ - CVE-2017-8310
+ * SECURITY UPDATE: Fix invalid double increment
+ - fix-CVE-2017-8311.patch
+ - CVE-2017-8311
+ * SECURITY UPDATE: Fix potential heap buffer overflow
+ - fix-CVE-2017-8312.patch
+ - CVE-2017-8312
+ * SECURITY UPDATE: ParseJSS: fix out-of-bounds read
+ - fix-CVE-2017-8313.patch
+ - CVE-2017-8313
+
+ -- Simon Quigley Fri, 07 Jul 2017 06:54:34 -0500
+
+vlc (2.2.2-5ubuntu0.16.04.2) xenial; urgency=medium
+
+ * Don't enable GLESv1 support. (LP: #1676845)
+
+ -- Timo Aaltonen Tue, 28 Mar 2017 14:23:57 +0300
+
+vlc (2.2.2-5ubuntu0.16.04.1) xenial; urgency=medium
+
+ [ Sebastian Ramacher ]
+ * debian/patches: Apply upstream to fix VLSub incorrectly announcing HTTP
+ 1.1 support. (LP: #1639750)
+
+ -- Brian Murray Tue, 21 Feb 2017 15:23:51 -0800
+
 vlc (2.2.2-5) unstable; urgency=medium

 * debian/patches:
diff -Nru vlc-2.2.2/debian/control vlc-2.2.2/debian/control
--- vlc-2.2.2/debian/control 2016-02-19 17:56:36.000000000 +0000
+++ vlc-2.2.2/debian/control 2017-03-28 11:22:41.000000000 +0000
@@ -1,7 +1,8 @@
 Source: vlc
 Section: video
 Priority: optional
-Maintainer: Debian Multimedia Maintainers
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian Multimedia Maintainers
 Uploaders: Clément Stenac ,
 Loic Minier ,
 Christophe Mutricy ,
@@ -46,7 +47,6 @@
 libfreetype6-dev,
 libfribidi-dev,
 libgl1-mesa-dev,
- libgles1-mesa-dev,
 libgles2-mesa-dev,
 libgnutls28-dev (>= 3.0.20),
 libgtk2.0-dev,
diff -Nru vlc-2.2.2/debian/patches/fix-CVE-2016-5108.patch vlc-2.2.2/debian/patches/fix-CVE-2016-5108.patch
--- vlc-2.2.2/debian/patches/fix-CVE-2016-5108.patch 1970-01-01 00:00:00.000000000 +0000
+++ vlc-2.2.2/debian/patches/fix-CVE-2016-5108.patch 2017-07-10 16:28:46.000000000 +0000
@@ -0,0 +1,26 @@
+Description: reject invalid QuickTime IMA files
+ Buffer overflow in the DecodeAdpcmImaQT function in modules/codec/adpcm.c
+ in VideoLAN VLC media player before 2.2.4 allows remote attackers to cause
+ a denial of service (crash) or possibly execute arbitrary code via a
+ crafted QuickTime IMA file.
+ .
+ This fixes CVE-2016-5108.
+Author: Rafaël Carré
+Origin: upstream
+Applied-Upstream: 458ed62bbeb9d1bddf7b8df104e14936408a3db9
+Last-Update: 2017-07-07
+--- a/modules/codec/adpcm.c
++++ b/modules/codec/adpcm.c
+@@ -174,6 +174,12 @@ static int OpenDecoder( vlc_object_t *p_
+ switch( p_dec->fmt_in.i_codec )
+ {
+ case VLC_FOURCC('i','m','a', '4'): /* IMA ADPCM */
++ if (p_dec->fmt_in.audio.i_channels > 2) {
++ free(p_sys);
++ msg_Err(p_dec, "Invalid number of channels %i",
++ p_dec->fmt_in.audio.i_channels );
++ return VLC_EGENERIC;
++ }
+ p_sys->codec = ADPCM_IMA_QT;
+ break;
+ case VLC_CODEC_ADPCM_IMA_WAV: /* IMA ADPCM */
diff -Nru vlc-2.2.2/debian/patches/fix-CVE-2017-10699.patch vlc-2.2.2/debian/patches/fix-CVE-2017-10699.patch
--- vlc-2.2.2/debian/patches/fix-CVE-2017-10699.patch 1970-01-01 00:00:00.000000000 +0000
+++ vlc-2.2.2/debian/patches/fix-CVE-2017-10699.patch 2017-07-10 16:28:46.000000000 +0000
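Review bot: The new guard in OpenDecoder rejects more than two channels but not zero; unless an `i_channels == 0` check already exists earlier in OpenDecoder (outside this hunk), an ima4 track declaring no channels still reaches DecodeAdpcmImaQT, so `if (p_dec->fmt_in.audio.i_channels == 0 || p_dec->fmt_in.audio.i_channels > 2) {` would close that gap. The error path also frees p_sys while `p_dec->p_sys` — if it was assigned before the switch, as the free suggests — still points at it; harmless when the caller discards the decoder on VLC_EGENERIC, but `p_dec->p_sys = NULL;` after the free costs nothing. A one-line comment would record why the limit exists, e.g. `/* DecodeAdpcmImaQT only handles mono and stereo; more channels overflow its buffers (CVE-2016-5108) */`. OpenDecoder starts and ends outside the hunk.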
@@ -0,0 +1,40 @@
+Description: check visible size when creating buffer
+ avcodec 2.2.x, as used in VideoLAN VLC media player 2.2.7-x before
+ 2017-06-29, allows out-of-bounds heap memory write due to calling memcpy()
+ with a wrong size, leading to a denial of service (application crash) or
+ possibly code execution.
+ .
+ This fixes CVE-2017-10699.
+Author: Francois Cartegnie
+Origin: upstream
+Applied-Upstream: 6cc73bcad19da2cd2e95671173f2e0d203a57e9b, a38a85db58c569cc592d9380cc07096757ef3d49
+Last-Update: 2017-07-07
+--- a/modules/codec/avcodec/video.c
++++ b/modules/codec/avcodec/video.c
+@@ -137,9 +137,11 @@ static inline picture_t *ffmpeg_NewPictB
+ }
+
+
+- if( width == 0 || height == 0 || width > 8192 || height > 8192 )
++ if( width == 0 || height == 0 || width > 8192 || height > 8192 ||
++ width < p_context->width || height < p_context->height )
+ {
+- msg_Err( p_dec, "Invalid frame size %dx%d.", width, height );
++ msg_Err( p_dec, "Invalid frame size %dx%d. vsz %dx%d",
++ width, height, p_context->width, p_context->height );
+ return NULL; /* invalid display size */
+ }
+ p_dec->fmt_out.video.i_width = width;
+--- a/src/input/decoder.c
++++ b/src/input/decoder.c
+@@ -2059,7 +2059,9 @@ static picture_t *vout_new_buffer( decod
+ vout_thread_t *p_vout;
+
+ if( !p_dec->fmt_out.video.i_width ||
+- !p_dec->fmt_out.video.i_height )
++ !p_dec->fmt_out.video.i_height ||
++ p_dec->fmt_out.video.i_width < p_dec->fmt_out.video.i_visible_width ||
++ p_dec->fmt_out.video.i_height < p_dec->fmt_out.video.i_visible_height )
+ {
+ /* Can't create a new vout without display size */
+ return NULL;
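Review bot: The comment `/* Can't create a new vout without display size */` in vout_new_buffer no longer describes the condition above it, which now also refuses a display size smaller than the visible size; `/* Refuse a vout whose display size is missing or smaller than the visible size (the memcpy size mismatch behind CVE-2017-10699) */` would keep it honest. Unlike the avcodec side, this path returns NULL silently, so a rejected stream is hard to diagnose; a `msg_Err( p_dec, "invalid video size %ux%u (visible %ux%u)", ... )` with the four fields before the return would match the logging added in ffmpeg_NewPictBuf. In that message the new "vsz" abbreviation is opaque; spelling out "visible" costs nothing. Both vout_new_buffer and ffmpeg_NewPictBuf continue outside their hunks.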
@@ -0,0 +1,48 @@
+Description: Fix potential out of bound reads
+ Heap out-of-bound read in CreateHtmlSubtitle in VideoLAN VLC 2.2.x due to
+ missing check of string termination allows attackers to read data beyond
+ allocated memory and potentially crash the process (causing a denial of
+ service) via a crafted subtitles file.
+ .
+ This fixes CVE-2017-8310.
+Author: Yannay Livneh
+Origin: upstream
+Applied-Upstream: 7cac839692ab79dbfe5e4ebd4c4e37d9a8b1b328
+Last-Update: 2017-07-07
+--- a/modules/codec/subsdec.c
++++ b/modules/codec/subsdec.c
+@@ -664,7 +664,7 @@ static char *CreateHtmlSubtitle( int *pi
+ HtmlCopy( &psz_html, &psz_subtitle, "" );
++ if (*psz_subtitle == '\0') break;
+ psz_subtitle++;
+ }
+ else if( !strncmp( psz_subtitle, "
+Origin: upstream
+Applied-Upstream: 775de716add17322f24b476439f903a829446eb6
+Last-Update: 2017-07-07
+--- a/modules/demux/subtitle.c
++++ b/modules/demux/subtitle.c
+@@ -1865,7 +1865,7 @@ static int ParseJSS( demux_t *p_demux, s
+ if( ( toupper((unsigned char)*(psz_text + 1 ) ) == 'C' ) ||
+ ( toupper((unsigned char)*(psz_text + 1 ) ) == 'F' ) )
+ {
+- psz_text++; psz_text++;
++ psz_text++;
+ break;
+ }
+ if( (*(psz_text + 1 ) ) == 'B' || (*(psz_text + 1 ) ) == 'b' ||
diff -Nru vlc-2.2.2/debian/patches/fix-CVE-2017-8312.patch vlc-2.2.2/debian/patches/fix-CVE-2017-8312.patch
--- vlc-2.2.2/debian/patches/fix-CVE-2017-8312.patch 1970-01-01 00:00:00.000000000 +0000
+++ vlc-2.2.2/debian/patches/fix-CVE-2017-8312.patch 2017-07-10 16:28:46.000000000 +0000
@@ -0,0 +1,40 @@
+Description: Fix potential heap buffer overflow
+ Heap out-of-bound read in ParseJSS in VideoLAN VLC due to missing check of
+ string length allows attackers to read heap uninitialized data via a
+ crafted subtitles file.
+ .
+ This fixes CVE-2017-8312.
+Author: Hugo Beauzée-Luyssen
+Origin: upstream
+Applied-Upstream: 611398fc8d32f3fe4331f60b220c52ba3557beaa
+Last-Update: 2017-07-07
+--- a/modules/demux/subtitle.c
++++ b/modules/demux/subtitle.c
+@@ -1685,7 +1685,8 @@ static int ParseJSS( demux_t *p_demux, s
+ if( !s )
+ return VLC_EGENERIC;
+
+- psz_orig = malloc( strlen( s ) + 1 );
++ size_t line_length = strlen( s );
++ psz_orig = malloc( line_length + 1 );
+ if( !psz_orig )
+ return VLC_ENOMEM;
+ psz_text = psz_orig;
+@@ -1725,6 +1726,8 @@ static int ParseJSS( demux_t *p_demux, s
+ {
+ case 'S':
+ shift = isalpha( (unsigned char)psz_text[2] ) ? 6 : 2 ;
++ if ( shift > line_length )
++ continue;
+
+ if( sscanf( &psz_text[shift], "%d", &h ) )
+ {
+@@ -1762,6 +1765,8 @@ static int ParseJSS( demux_t *p_demux, s
+
+ case 'T':
+ shift = isalpha( (unsigned char)psz_text[2] ) ? 8 : 2 ;
++ if ( shift > line_length )
++ continue;
+
+ sscanf( &psz_text[shift], "%d", &p_sys->jss.i_time_resolution );
+ break;
diff -Nru vlc-2.2.2/debian/patches/fix-CVE-2017-8313.patch vlc-2.2.2/debian/patches/fix-CVE-2017-8313.patch
--- vlc-2.2.2/debian/patches/fix-CVE-2017-8313.patch 1970-01-01 00:00:00.000000000 +0000
+++ vlc-2.2.2/debian/patches/fix-CVE-2017-8313.patch 2017-07-10 16:28:46.000000000 +0000
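Review bot: The bound `shift > line_length` in the 'S' case (and the identical one in the 'T' case) measures the whole line `s`, not the bytes left after `psz_text`; if `psz_text` has been advanced from `psz_orig` before the switch (the code between the first and second hunk is not visible here), `&psz_text[shift]` can still land past the terminator and sscanf reads beyond the allocation. A check relative to the current position holds either way: `if ( (size_t)(psz_text - psz_orig) + shift > line_length ) continue;`, or simply `if ( shift > strlen( psz_text ) ) continue;` if the extra scan is acceptable. The inline `isalpha( (unsigned char)psz_text[2] )` is fine only because these cases are reached with `psz_text[1]` non-NUL; a short comment saying so would save the next reader the same check. ParseJSS starts and ends outside the hunks.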
@@ -0,0 +1,24 @@
+Description: ParseJSS: fix out-of-bounds read
+ The previous loop would continue until a space is found, which of course means
+ that it would step out of bounds if the string did not contain such.
+ .
+ These changes simply terminates the loop if the end of the string is reached.
+ .
+ This fixes CVE-2017-8313.
+Author: Filip Roséen
+Origin: upstream
+Applied-Upstream: 05b653355ce303ada3b5e0e645ae717fea39186c
+Last-Update: 2017-07-07
+--- a/modules/demux/subtitle.c
++++ b/modules/demux/subtitle.c
+@@ -1812,8 +1812,8 @@ static int ParseJSS( demux_t *p_demux, s
+ /* Parse the directives */
+ if( isalpha( (unsigned char)*psz_text ) || *psz_text == '[' )
+ {
+- while( *psz_text != ' ' )
+- { psz_text++ ;};
++ while( *psz_text && *psz_text != ' ' )
++ ++psz_text;
+
+ /* Directives are NOT parsed yet */
+ /* This has probably a better place in a decoder ? */
diff -Nru vlc-2.2.2/debian/patches/fix-CVE-2017-9300.patch vlc-2.2.2/debian/patches/fix-CVE-2017-9300.patch
--- vlc-2.2.2/debian/patches/fix-CVE-2017-9300.patch 1970-01-01 00:00:00.000000000 +0000
+++ vlc-2.2.2/debian/patches/fix-CVE-2017-9300.patch 2017-08-11 13:47:53.000000000 +0000
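Review bot: The rewritten loop `while( *psz_text && *psz_text != ' ' ) ++psz_text;` now stops on the terminator, but the code after the hunk (not visible here) presumably used to skip the space the loop stopped on; if it still advances `psz_text` unconditionally, that step now moves one past the NUL on a line with no space, so the next read after this block needs the same `*psz_text` check. On style, the body lost its braces while the replaced lines and the enclosing `if( ... ) {` in this hunk keep them; `while( *psz_text && *psz_text != ' ' ) { ++psz_text; }` keeps the file's convention. A comment such as `/* stop at end of line too: a directive need not be followed by a space (CVE-2017-8313) */` records why the test was extended. ParseJSS starts and ends outside the hunk.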
@@ -0,0 +1,149 @@
+Description: flac: fix heap write overflow on frame format change
+ plugins\codec\libflac_plugin allows remote attackers to cause a denial of
+ service (heap corruption and application crash) or possibly have unspecified
+ other impact via a crafted FLAC file.
+Author: Francois Cartegnie
+Origin: backport, https://git.videolan.org/?p=vlc/vlc-2.2.git;a=commit;h=55a82442cfea9dab8b853f3a4610f2880c5fadf3
+Bug-Ubuntu: https://launchpad.net/bugs/1709420
+Last-Update: 2017-08-08
+
+--- a/modules/codec/flac.c
++++ b/modules/codec/flac.c
+@@ -64,6 +64,8 @@ struct decoder_sys_t
+ */
+ FLAC__StreamDecoder *p_flac;
+ FLAC__StreamMetadata_StreamInfo stream_info;
++
++ uint8_t rgi_channels_reorder[AOUT_CHAN_MAX];
+ bool b_stream_info;
+ };
+
+@@ -87,6 +89,19 @@ static const int pi_channels_maps[9] =
+ | AOUT_CHAN_LFE
+ };
+
++/* XXX it supposes our internal format is WG4 */
++static const uint8_t ppi_reorder[1+8][8] = {
++ { },
++ { 0, },
++ { 0, 1 },
++ { 0, 1, 2 },
++ { 0, 1, 2, 3 },
++ { 0, 1, 3, 4, 2 },
++ { 0, 1, 4, 5, 2, 3 },
++ { 0, 1, 5, 6, 4, 2, 3 },
++ { 0, 1, 6, 7, 4, 5, 2, 3 },
++};
++
+ /*****************************************************************************
+ * Local prototypes
+ *****************************************************************************/
+@@ -143,6 +158,29 @@ static void Interleave( int32_t *p_out,
+ }
+
+ /*****************************************************************************
++ * DecoderSetOutputFormat: helper function to convert and check frame format
++ *****************************************************************************/
++static int DecoderSetOutputFormat( unsigned i_channels, unsigned i_rate,
++ unsigned i_streaminfo_rate,
++ unsigned i_bitspersample,
++ audio_format_t *fmt,
++ uint8_t *pi_channels_reorder )
++{
++ if( i_channels == 0 || i_channels > FLAC__MAX_CHANNELS ||
++ i_bitspersample == 0 || (i_rate == 0 && i_streaminfo_rate == 0) )
++ return VLC_EGENERIC;
++
++ fmt->i_channels = i_channels;
++ fmt->i_rate = (i_rate > 0 ) ? i_rate : i_streaminfo_rate;
++ fmt->i_physical_channels =
++ fmt->i_original_channels = pi_channels_maps[i_channels];
++ memcpy( pi_channels_reorder, ppi_reorder[i_channels], i_channels );
++ fmt->i_bitspersample = i_bitspersample;
++
++ return VLC_SUCCESS;
++}
++
++/*****************************************************************************
+ * DecoderWriteCallback: called by libflac to output decoded samples
+ *****************************************************************************/
+ static FLAC__StreamDecoderWriteStatus
+@@ -150,30 +188,31 @@ DecoderWriteCallback( const FLAC__Stream
+ const FLAC__Frame *frame,
+ const FLAC__int32 *const buffer[], void *client_data )
+ {
+- /* XXX it supposes our internal format is WG4 */
+- static const unsigned char ppi_reorder[1+8][8] = {
+- { },
+- { 0, },
+- { 0, 1 },
+- { 0, 1, 2 },
+- { 0, 1, 2, 3 },
+- { 0, 1, 3, 4, 2 },
+- { 0, 1, 4, 5, 2, 3 },
+- { 0, 1, 5, 6, 4, 2, 3 },
+- { 0, 1, 6, 7, 4, 5, 2, 3 },
+- };
+-
+ VLC_UNUSED(decoder);
+ decoder_t *p_dec = (decoder_t *)client_data;
+ decoder_sys_t *p_sys = p_dec->p_sys;
+
+- if( p_dec->fmt_out.audio.i_channels <= 0 ||
+- p_dec->fmt_out.audio.i_channels > 8 )
++ if( DecoderSetOutputFormat( frame->header.channels,
++ frame->header.sample_rate,
++ p_sys->b_stream_info ? p_sys->stream_info.sample_rate : 0,
++ frame->header.bits_per_sample,
++ &p_dec->fmt_out.audio,
++ p_sys->rgi_channels_reorder ) )
+ return FLAC__STREAM_DECODER_WRITE_STATUS_CONTINUE;
+- if( date_Get( &p_sys->end_date ) <= VLC_TS_INVALID )
++
++ if( p_sys->end_date.i_divider_num != p_dec->fmt_out.audio.i_rate )
++ {
++ if( p_sys->end_date.i_divider_num > 0 )
++ date_Change( &p_sys->end_date, p_dec->fmt_out.audio.i_rate, 1 );
++ else
++ date_Init( &p_sys->end_date, p_dec->fmt_out.audio.i_rate, 1 );
++ }
++
++ if( decoder_UpdateAudioFormat( p_dec ) )
+ return FLAC__STREAM_DECODER_WRITE_STATUS_CONTINUE;
+
+- const unsigned char *pi_reorder = ppi_reorder[p_dec->fmt_out.audio.i_channels];
++ if( date_Get( &p_sys->end_date ) <= VLC_TS_INVALID )
++ return FLAC__STREAM_DECODER_WRITE_STATUS_CONTINUE;
+
+ p_sys->p_aout_buffer =
+ decoder_NewAudioBuffer( p_dec, frame->header.blocksize );
+@@ -181,7 +220,8 @@ DecoderWriteCallback( const FLAC__Stream
+ if( p_sys->p_aout_buffer == NULL )
+ return FLAC__STREAM_DECODER_WRITE_STATUS_CONTINUE;
+
+- Interleave( (int32_t *)p_sys->p_aout_buffer->p_buffer, buffer, pi_reorder,
++ Interleave( (int32_t *)p_sys->p_aout_buffer->p_buffer, buffer,
++ p_sys->rgi_channels_reorder ,
+ frame->header.channels, frame->header.blocksize,
+ frame->header.bits_per_sample );
+
+@@ -233,14 +273,11 @@ static void DecoderMetadataCallback( con
+ decoder_sys_t *p_sys = p_dec->p_sys;
+
+ /* Setup the format */
+- p_dec->fmt_out.audio.i_rate = metadata->data.stream_info.sample_rate;
+- p_dec->fmt_out.audio.i_channels = metadata->data.stream_info.channels;
+- p_dec->fmt_out.audio.i_physical_channels =
+- p_dec->fmt_out.audio.i_original_channels =
+- pi_channels_maps[metadata->data.stream_info.channels];
+- if (!p_dec->fmt_out.audio.i_bitspersample)
+- p_dec->fmt_out.audio.i_bitspersample =
+- metadata->data.stream_info.bits_per_sample;
++ DecoderSetOutputFormat( metadata->data.stream_info.channels,
++ metadata->data.stream_info.sample_rate,
++ metadata->data.stream_info.sample_rate,
++ metadata->data.stream_info.bits_per_sample,
++ &p_dec->fmt_out.audio, p_sys->rgi_channels_reorder );
+
+ msg_Dbg( p_dec, "channels:%d samplerate:%d bitspersamples:%d",
+ p_dec->fmt_out.audio.i_channels, p_dec->fmt_out.audio.i_rate,
diff -Nru vlc-2.2.2/debian/patches/series vlc-2.2.2/debian/patches/series
--- vlc-2.2.2/debian/patches/series 2016-03-13 20:12:15.000000000 +0000
+++ vlc-2.2.2/debian/patches/series 2017-08-11 13:47:21.000000000 +0000
@@ -4,3 +4,11 @@
 qt4-Fix-resume-where-you-left-off.patch
 qt4-input_manager-Always-reset-lastURI-when-stopping.patch
 avcodec-pass-consistent-dimensions-to-hardware-decod.patch
+VLSub-don-t-pretend-to-support-HTTP-1.1.patch
+fix-CVE-2016-5108.patch
+fix-CVE-2017-10699.patch
+fix-CVE-2017-8310.patch
+fix-CVE-2017-8311.patch
+fix-CVE-2017-8312.patch
+fix-CVE-2017-8313.patch
+fix-CVE-2017-9300.patch
diff -Nru vlc-2.2.2/debian/patches/VLSub-don-t-pretend-to-support-HTTP-1.1.patch vlc-2.2.2/debian/patches/VLSub-don-t-pretend-to-support-HTTP-1.1.patch
--- vlc-2.2.2/debian/patches/VLSub-don-t-pretend-to-support-HTTP-1.1.patch 1970-01-01 00:00:00.000000000 +0000
+++ vlc-2.2.2/debian/patches/VLSub-don-t-pretend-to-support-HTTP-1.1.patch 2017-02-21 23:23:17.000000000 +0000
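Review bot: In DecoderMetadataCallback the return value of DecoderSetOutputFormat is dropped, so a STREAMINFO block with zero or more than FLAC__MAX_CHANNELS channels, zero bits per sample or a zero sample rate leaves `p_dec->fmt_out.audio` untouched and the msg_Dbg that follows reports stale values; the write callback re-validates every frame, so this is a diagnostics gap rather than a memory-safety one, but `if( DecoderSetOutputFormat( ... ) != VLC_SUCCESS ) msg_Warn( p_dec, "invalid STREAMINFO, waiting for a valid frame header" );` would make such files easy to spot. The helper's header comment should state its contract: it rejects those four conditions with VLC_EGENERIC, uses i_streaminfo_rate only when the frame header carries no rate, and writes exactly i_channels entries into pi_channels_reorder (which the caller sizes at AOUT_CHAN_MAX), leaving the rest untouched. Unlike the replaced code, the helper now overwrites a previously set i_bitspersample on every call; if that is intentional, a comment on the `fmt->i_bitspersample = i_bitspersample;` line should say so. DecoderWriteCallback and DecoderMetadataCallback both continue outside their hunks.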
@@ -0,0 +1,39 @@
+From 4b1c65d5da017d807efea415fb3ab069945da75d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?R=C3=A9mi=20Denis-Courmont?=
+Date: Sun, 4 Dec 2016 14:36:29 +0200
+Subject: [PATCH] VLSub: don't pretend to support HTTP 1.1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+(cherry picked from commit 5c26ad66d4b3b1d3de13ae778161f9ddde25cd59)
+Signed-off-by: Felix Paul Kühne
+---
+ share/lua/extensions/VLSub.lua | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/share/lua/extensions/VLSub.lua b/share/lua/extensions/VLSub.lua
+index ecac0030ac..cd6f7b770d 100644
+--- a/share/lua/extensions/VLSub.lua
++++ b/share/lua/extensions/VLSub.lua
+@@ -1189,7 +1189,7 @@ openSub = {
+ local request = ""..dump_xml(reqTable)
+ local host, path = parse_url(openSub.conf.url)
+ local header = {
+- "POST "..path.." HTTP/1.1",
++ "POST "..path.." HTTP/1.0",
+ "Host: "..host,
+ "User-Agent: "..openSub.conf.userAgentHTTP,
+ "Content-Type: text/xml",
+@@ -1840,7 +1840,7 @@ end
+ function get(url)
+ local host, path = parse_url(url)
+ local header = {
+- "GET "..path.." HTTP/1.1",
++ "GET "..path.." HTTP/1.0",
+ "Host: "..host,
+ "User-Agent: "..openSub.conf.userAgentHTTP,
+ "",
+--
+2.11.0
+
diff -Nru vlc-2.2.2/debian/rules vlc-2.2.2/debian/rules
--- vlc-2.2.2/debian/rules 2016-02-19 17:56:36.000000000 +0000
+++ vlc-2.2.2/debian/rules 2017-03-28 11:23:28.000000000 +0000
@@ -48,7 +48,7 @@
 --enable-freerdp \
 --enable-freetype \
 --enable-fribidi \
- --enable-gles1 \
+ --disable-gles1 \
 --enable-gles2 \
 --enable-gnutls \
 --enable-jack \
diff -Nru vlc-2.2.2/debian/vlc.install.in vlc-2.2.2/debian/vlc.install.in
--- vlc-2.2.2/debian/vlc.install.in 2016-01-31 20:55:03.000000000 +0000
+++ vlc-2.2.2/debian/vlc.install.in 2017-03-28 11:23:16.000000000 +0000
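Review bot: Both request builders now send HTTP/1.0 with nothing at the call sites saying why, and the reason is not recoverable from the two changed lines alone; assuming the response reader elsewhere in the script handles neither chunked transfer-encoding nor persistent connections (which a server may use once the client claims 1.1), a comment above each header table such as `-- HTTP/1.0 on purpose: this client reads until the server closes and does not decode chunked bodies` would stop someone from "upgrading" it back. If that is not the actual reason, the Subject's "don't pretend" should be spelled out in that comment instead. The openSub request builder and get() continue outside the hunks.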
@@ -21,7 +21,6 @@
 usr/lib/vlc/plugins/video_output/libcaca_plugin.so
 usr/lib/vlc/plugins/video_output/libegl_x11_plugin.so
 usr/lib/vlc/plugins/video_output/libgl_plugin.so
-usr/lib/vlc/plugins/video_output/libgles1_plugin.so
 usr/lib/vlc/plugins/video_output/libgles2_plugin.so
 usr/lib/vlc/plugins/video_output/libglx_plugin.so
 usr/lib/vlc/plugins/video_output/libxcb_glx_plugin.so