From nobody@FreeBSD.org  Wed Jul 18 20:52:27 2012
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id ED06D106566B
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 18 Jul 2012 20:52:27 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id D68778FC08
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 18 Jul 2012 20:52:27 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id q6IKqRco082873
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 18 Jul 2012 20:52:27 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id q6IKqRU2082872;
	Wed, 18 Jul 2012 20:52:27 GMT
	(envelope-from nobody)
Message-Id: <201207182052.q6IKqRU2082872@red.freebsd.org>
Date: Wed, 18 Jul 2012 20:52:27 GMT
From: "Anders N." <wicked@baot.se>
To: freebsd-gnats-submit@FreeBSD.org
Subject: vlc has multiple vulnerabilities
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         169985
>Category:       ports
>Synopsis:       multimedia/vlc has multiple vulnerabilities
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    jsa
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 18 21:00:01 UTC 2012
>Closed-Date:    Sat Sep 08 10:21:51 UTC 2012
>Last-Modified:  Sat Sep 15 17:30:11 UTC 2012
>Originator:     Anders N.
>Release:        9.0-RELEASE
>Organization:
>Environment:
FreeBSD baot.se 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0: Tue Jun 12 20:44:01 CEST 2012     root@baot.se:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
The multimedia/vlc port has multiple security vulnerabilities (CVE-2012-1775, CVE-2012-1776) and needs to be updated from the (very old) version it's currently at. There should also be a vuxml update for them.

http://www.videolan.org/security/sa1202.html
http://www.videolan.org/security/sa1201.html
>How-To-Repeat:
Install the port.
>Fix:
Update the port.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->jsa 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Thu Jul 19 00:25:22 UTC 2012 
Responsible-Changed-Why:  
Over to maintainer (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=169985 
State-Changed-From-To: open->closed 
State-Changed-By: kwm 
State-Changed-When: Sat Sep 8 10:21:23 UTC 2012 
State-Changed-Why:  
The vlc port has been updated to 2.0.3. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=169985 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/169985: commit references a PR
Date: Sat, 15 Sep 2012 17:22:45 +0000 (UTC)

 Author: nox
 Date: Sat Sep 15 17:22:33 2012
 New Revision: 304320
 URL: http://svn.freebsd.org/changeset/ports/304320
 
 Log:
   Add vuxml for older versions of multimedia/vlc .
   
   PR:		ports/169985
   Submitted by:	"Anders N." <wicked@baot.se>
 
 Modified:
   head/security/vuxml/vuln.xml
 
 Modified: head/security/vuxml/vuln.xml
 ==============================================================================
 --- head/security/vuxml/vuln.xml	Sat Sep 15 15:32:30 2012	(r304319)
 +++ head/security/vuxml/vuln.xml	Sat Sep 15 17:22:33 2012	(r304320)
 @@ -51,6 +51,36 @@ Note:  Please add new entries to the beg
  
  -->
  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
 +  <vuln vid="62f36dfd-ff56-11e1-8821-001b2134ef46">
 +    <topic>vlc -- arbitrary code execution in Real RTSP and MMS support</topic>
 +    <affects>
 +      <package>
 +	<name>vlc</name>
 +	<range><lt>2.0.1,3</lt></range>
 +      </package>
 +    </affects>
 +    <description>
 +      <body xmlns="http://www.w3.org/1999/xhtml">
 +	<p>Jean-Baptiste Kempf, on behalf of the VideoLAN project reports:</p>
 +	<blockquote cite="http://www.videolan.org/security/sa1201.html">
 +	  <p>If successful, a malicious third party could crash the VLC
 +	    media player process. Arbitrary code execution could be possible
 +	    on some systems.</p>
 +	</blockquote>
 +      </body>
 +    </description>
 +    <references>
 +      <url>http://www.videolan.org/security/sa1201.html</url>
 +      <url>http://www.videolan.org/security/sa1202.html</url>
 +      <cvename>CVE-2012-1775</cvename>
 +      <cvename>CVE-2012-1776</cvename>
 +    </references>
 +    <dates>
 +      <discovery>2012-03-12</discovery>
 +      <entry>2012-09-15</entry>
 +    </dates>
 +  </vuln>
 +
    <vuln vid="143f6932-fedb-11e1-ad4a-003067b2972c">
      <topic>bacula -- Console ACL Bypass</topic>
      <affects>
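
Review bot: the <blockquote> in <description> cites and quotes only sa1201.html, while the topic and the <references> block cover both advisories (sa1201 and sa1202) and both CVE-2012-1775 and CVE-2012-1776. Consider adding a second <blockquote cite="http://www.videolan.org/security/sa1202.html"> carrying that advisory's own wording, so a reader can tell which of the Real RTSP and MMS issues each CVE refers to. Since one <lt>2.0.1,3</lt> range is applied to both advisories, it is also worth confirming that this bound is the fixed version for each of them.
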
 
>Unformatted:
