Re: Re: CVE request - VLC 2.0.0 to 2.0.8

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/04/2013 10:39 AM, Pedro Ribeiro wrote:
> On Oct 4, 2013 5:12 PM, "Kurt Seifried" <kseifried () redhat com 
> <mailto:kseifried () redhat com>> wrote:
> >
> On 10/04/2013 02:04 AM, Hanno Böck wrote:
> > On Thu, 03 Oct 2013 22:32:12 -0600 Kurt Seifried 
> > <kseifried () redhat com <mailto:kseifried () redhat com>> wrote:
>
> > > Sorry forgot to reply. I'm not sure this is CVE worthy. In 
> > > general crash bugs in services are CVE worthy, but crashes in 
> > > client software are usually limited to things like email
> > > clients or web browsers where there is a high potential for
> > > processing untrusted data without much user interaction (e.g.
> > > displaying some random email or web page) whre you also have
> > > the potential to lose work (so there is an impact).
>
> > > In the case of VLC you load a nasty file, it crashes, you
> > > don't do it again. There's not really any impact. You don't
> > > lose any work.
>
> > VLC is used as a browser plugin and can also be embedded in
> > other applications. (though I'm not aware if this can crash the
> > whole browser with the modern sandboxing stuff browsers do)
>
> So if someone can test this and report back that'd be great and
> then we can deal with the CVE depending on how this plays out.
>
>
> Hi Kurt,
>
> Thanks for the feedback, I'll keep that in mind for the future
> when requesting CVE's. I agree this is a minor issue, but because
> there is an invalid memory I read I thought it was relevant.
>
> I tested with the browser plugin on the latest Firefox, and while
> it crashes the plugin, it doesn't seem to crash the browser.
>
> As I said previously, I will continue to investigate whether I can
> get some program control, but for now it's only a measly DoS.
>
> Regards Pedro

No problem, it's a fine line when it comes to client applications, but
definitely if you start to see/strongly suspect code exec let me know
and it'll get a CVE.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSTwoGAAoJEBYNRVNeJnmTicwP/RIaXZx+UBvNZzNoHFPeA9n4
Yj4TiAS1qfJR0KF9gya5LoQB/HZ92/jfb9icX02lYhwfYsX/NT0t8G4I/W/YOd8Z
eolM4tXofh6qvPWNcc/9CaAR8KGuAoCk4Hfn2T3gYaLa1JaGba/0akwk433RhHv+
tvC5y2gMiD+WRht6310UzuMlNIXvWYW2Vr/zUbx/cpj5C4emUyTJnTg9auydTHdX
N74AmyRuEu7ZTgyXYurvV3wJaoIbyZCl+Qb4Ym6QU0m5e6DW9wEHmt7r8tWax0sJ
xfLoI1rYjojq/DrwNSLkV+7ulQLfsmehKeDI3CUMLylYPr1AJnEjK4oSRBfoXEzl
CqoeRaMQ/XeeZ77afSD9VqqHiTGsXbsLbX6U7WR5W06nDff3OUxEU65MMwuEqGSw
V+zyFZjLoAfjI/mwETA31dXVhFF5gFVRSX5nc027ByyBCG8XnJm3Pj2YNZWdGvPb
CyEL230t1/3hrZhEML4ybPTOsbXwVW9vQ85VtdipQslOAT6Qlg5GNsQDqTfFQQFC
RieuvDx3KAq5FU5vnOM2A56NyDmFWttbocmkL9qbd9LLXF40ykqxe4kDG61Q8riu
016OtFxVWm6uok5zZ5o68R+2H53FfnnvzYYQ3Udr/4hXD/bpgccF6xjw7Bdyptub
t5EnoGPz5J7bpoKfXWbh
=E76z
-----END PGP SIGNATURE-----