Bug#737534: vlc: unsafe use of libtar

Jean-Baptiste Kempf jb at videolan.org
Sun Aug 17 04:45:53 UTC 2014


On 16 Aug, Reinhard Tartler wrote :
> Control: tag -1 upstream
> 
> On Mon, Feb 3, 2014 at 10:08 AM, Raphael Geissert <geissert at debian.org> wrote:
> > Package: vlc
> > Severity: important
> > Tags: security
> >
> > Hi,
> >
> > vlc uses libtar to unpack skins, however, its use on untrusted data
> > exposes it to CVE-2013-4420 (#731860).
> >
> > Changing the behaviour of libtar appears to be problematic because
> > some applications have relied on the (lack of) path sanitation (cf.
> > https://lists.feep.net:8080/pipermail/libtar/2013-October/000359.html
> > and the follow-ups).
> > What appears to be the safe way to handle this issue is making sure
> > that libtar is not used on untrusted data without file path validation
> > - that would mean that vlc would have to check for every file that is
> > about to be extracted that none contains a ../, and something similar
> > for symlinks.
> >
> > Alternatively, vlc could just use tar(1) to unpack the tarballs, or
> > drop support for skins or skins in tarballs.
> >
> > What do you think?
> >
> > This should probably be forwarded to upstream.
> 
> I totally agree.
> 
> J-B, do you have any opinion on this issue?

I would build with --disable-libtar.
This feature is not supported on the other platforms anyway...

With my kindest regards,

-- 
Jean-Baptiste Kempf
http://www.jbkempf.com/ - +33 672 704 734
Sent from my Electronic Device
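The validation Raphael describes (reject any member whose path contains a `../` that escapes the target directory, and treat symlinks the same way) as an added example; this is not code from vlc, libtar or the Debian package, and the function names `tar_path_is_safe` and `tar_symlink_is_safe` and the sample member names are made up for illustration. The check is done on the member name before anything is written, which is the point of the report: libtar itself performs no such check.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if a tar member path stays inside the extraction directory,
 * 0 otherwise. Absolute paths are rejected; ".." is tracked as a depth
 * counter so that "a/../b" is accepted but "a/../../b" is not. */
int tar_path_is_safe(const char *path)
{
    int depth = 0;
    const char *p = path;

    if (path == NULL || *path == '\0')
        return 0;
    if (*path == '/')            /* absolute path: would leave the skin dir */
        return 0;

    while (*p != '\0') {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0)      /* ".." at the top level escapes the dir */
                return 0;
            depth--;
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;             /* ordinary component */
        }
        /* empty components ("a//b") and "." do not change depth */

        if (end == NULL)
            break;
        p = end + 1;
    }
    return 1;
}

/* A symlink member is accepted only if its own name is safe and its target,
 * resolved relative to the directory holding the link, is also safe.
 * Targets starting with "/" are rejected outright. */
int tar_symlink_is_safe(const char *linkpath, const char *target)
{
    char joined[4096];
    const char *slash;
    size_t dirlen;

    if (!tar_path_is_safe(linkpath))
        return 0;
    if (target == NULL || *target == '/')
        return 0;

    slash = strrchr(linkpath, '/');
    dirlen = slash ? (size_t)(slash - linkpath + 1) : 0;
    if (dirlen + strlen(target) + 1 > sizeof joined)
        return 0;                /* too long to resolve; refuse rather than guess */
    memcpy(joined, linkpath, dirlen);
    strcpy(joined + dirlen, target);
    return tar_path_is_safe(joined);
}

/* Constructed member names, as a skin tarball might list them. */
int main(void)
{
    const char *members[] = { "skins/theme.xml", "./skins/./img.png",
                              "a/../b", "../evil.xml", "a/../../x", "/etc/passwd" };
    size_t i;

    for (i = 0; i < sizeof members / sizeof members[0]; i++)
        printf("%-20s %s\n", members[i],
               tar_path_is_safe(members[i]) ? "extract" : "REJECT");

    printf("symlink skins/link -> theme.xml: %s\n",
           tar_symlink_is_safe("skins/link", "theme.xml") ? "extract" : "REJECT");
    printf("symlink skins/link -> ../../../../etc: %s\n",
           tar_symlink_is_safe("skins/link", "../../../../etc") ? "extract" : "REJECT");
    return 0;
}
```

The simpler option the report also mentions, skipping symlink members entirely, needs no second function; the resolution in `tar_symlink_is_safe` is only for a caller that wants to keep in-tree links. Either way the decision is made per member before extraction, which is what building with `--disable-libtar` or calling `tar(1)` with an untrusted archive would otherwise leave to the extractor.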


